@ -8,6 +8,16 @@ Execute malicious DLL's remote or locally
### Patch update
Microsoft has released a patch to mitigate against these attacks but if these values below are present on a machine, then the machine will still be vulnerable
```
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
```
### Installation
Before running the exploit you need to install my version of Impacket and after that you're gucci
@ -89,8 +99,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
```bash
rpcdump.py @192 .168.1.10 | grep MS-RPRN
rpcdump.py @192 .168.1.10 | e grep ' MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
```
@ -103,9 +114,5 @@ Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
```
Or Uninstall Print-Services
```powershell
Uninstall-WindowsFeature Print-Services
```
cube0x0
3 years ago
committed by
GitHub