@ -8,6 +8,16 @@ Execute malicious DLL's remote or locally
![](Images/poc2.png)
![](Images/poc2.png)
### Patch update
Microsoft has released a patch to mitigate against these attacks but if these values below are present on a machine, then the machine will still be vulnerable
```
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
```
### Installation
### Installation
Before running the exploit you need to install my version of Impacket and after that you're gucci
Before running the exploit you need to install my version of Impacket and after that you're gucci
@ -89,8 +99,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
```bash
```bash
rpcdump.py @192 .168.1.10 | grep MS-RPRN
rpcdump.py @192 .168.1.10 | e grep ' MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
```
```
@ -103,9 +114,5 @@ Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
```
```
Or Uninstall Print-Services
```powershell
Uninstall-WindowsFeature Print-Services
```