PrintNightmare
CVE-2021-34527, commonly known as PrintNightmare, is a Windows Print Spooler remote code execution vulnerability caused by the service improperly performing privileged file operations during printer driver installation and related Point and Print workflows. Microsoft states that successful exploitation allows arbitrary code execution with NT AUTHORITY\SYSTEM privileges. Public reporting and vendor guidance indicate the flaw affects a broad range of supported Windows client and server versions and is distinct from, though related to, CVE-2021-1675. The issue is associated with insecure Point and Print configurations, particularly when the registry policy values NoWarningNoElevationOnInstall or UpdatePromptSettings are configured insecurely, allowing non-administrative users to install or update printer drivers without appropriate warning or elevation.
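An audit of the two Point and Print policy values named above, as an added PowerShell example (not from the original page or from any repository it lists). The registry key path and the rule that a value is safe only when it is 0 or not set are assumptions taken from Microsoft's guidance for CVE-2021-34527, not from this page; the function names and sample tables are constructed.

```powershell
# Added example: audit the Point and Print policy values discussed above.
# Assumption: key path and "0 or absent is safe" follow Microsoft's
# CVE-2021-34527 guidance; neither is stated on this page.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Checked   = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintPolicy {
    # $Values: hashtable of value name -> DWORD data.
    # A name missing from the table means the policy is not configured.
    param([hashtable]$Values)
    foreach ($name in $Checked) {
        $present = $Values.ContainsKey($name)
        $data    = if ($present) { [int]$Values[$name] } else { $null }
        [pscustomobject]@{
            Value    = $name
            Data     = if ($present) { $data } else { '(not set)' }
            # Any non-zero data suppresses the warning or elevation prompt.
            Insecure = ($present -and $data -ne 0)
        }
    }
}

function Get-PointAndPrintValues {
    # Reads the live policy key; returns an empty table when the key is absent.
    $found = @{}
    $item  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $Checked) {
            if ($null -ne $item.$name) { $found[$name] = $item.$name }
        }
    }
    return $found
}

# Constructed samples: a weak configuration beside the corrected one.
$weak  = @{ NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2 }
$fixed = @{ NoWarningNoElevationOnInstall = 0 }

'--- constructed weak sample ---'
Test-PointAndPrintPolicy $weak | Format-Table
'--- constructed fixed sample ---'
Test-PointAndPrintPolicy $fixed | Format-Table
'--- this host ---'
Test-PointAndPrintPolicy (Get-PointAndPrintValues) | Format-Table
```

A host that reports `Insecure = True` for either value allows non-administrative driver installs or updates without the warning or elevation prompt, which is the configuration the description ties to this CVE.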
Exploits
11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (12 hidden).
Small standalone Visual Studio C# exploit project for CVE-2021-1675 targeting Microsoft Windows Print Spooler. Repository structure is minimal: solution/project files, App.config, assembly metadata, a single main source file (Program.cs), and a README. The exploit logic is entirely in Program.cs. It P/Invokes AddPrinterDriverEx from winspool.drv, builds a DRIVER_INFO_2 structure, and sets pDataFile and pConfigFile to an attacker-supplied DLL while using a supplied legitimate driver path for pDriverPath. It first calls AddPrinterDriverEx once, then loops through 10 possible spooler backup subdirectories under C:\Windows\System32\spool\drivers\x64\3\Old\<n>\ to retry loading the copied DLL by filename. This indicates the exploit’s purpose is to abuse printer driver installation semantics to get the spooler service to load a malicious DLL, yielding local privilege escalation/arbitrary code execution on vulnerable systems. No network communication or C2 is present; this is a local exploit requiring operator-supplied paths and a prepared DLL payload.
This repository provides a local privilege escalation (LPE) exploit for CVE-2021-1675 and CVE-2021-34527 (PrintNightmare) on Windows systems. The exploit is implemented in C/C++ and includes both a standard executable and a Reflective DLL version for use with Cobalt Strike. The main exploit logic is in 'src/main.cpp' and 'src/CVE-2021-1675-LPE-RDLL/main.cpp'. The exploit works by abusing the AddPrinterDriverExW API to install a malicious DLL as a printer driver, which is then executed with SYSTEM privileges. The attacker must supply a path to their payload DLL. The repository also includes a Cobalt Strike Aggressor script ('lpe_cve_2021_1675.cna') for integration with Cobalt Strike. The exploit is operational and has been tested on Windows Server 2019 Standard. The README provides usage instructions, mitigation advice, and references. No network endpoints are hardcoded; the attack is local and targets the Windows Print Spooler service and related file paths.
This repository provides multiple implementations (Python and C#) of the PrintNightmare exploit (CVE-2021-1675 / CVE-2021-34527), targeting a critical vulnerability in the Windows Print Spooler service. The exploit enables remote code execution (RCE) or local privilege escalation (LPE) by uploading and executing a malicious DLL on a vulnerable Windows system. The main Python exploit (CVE-2021-1675.py) uses Impacket to interact with the MS-RPRN protocol, while the C# implementation (SharpPrintNightmare) provides similar functionality for both local and remote exploitation. The exploit requires valid credentials and a network-accessible SMB share hosting the attacker's DLL payload. The repository includes detailed usage instructions, example commands, and information on required system configuration and registry settings. The code is operational and can be used to achieve SYSTEM-level code execution on unpatched or misconfigured Windows systems.
This repository provides a Cobalt Strike Aggressor Script (.cna) plugin for exploiting the PrintNightmare vulnerability (CVE-2021-1675) to achieve local privilege escalation (LPE) on Windows systems. The main file, PrintNightMareLpe.cna, registers an exploit module ('PrintNightMare-1675') that uploads a custom DLL (either LPE_Reflect_Elevate.x64.dll or CVE-2021-1675.x64.dll) to a randomized filename in C:\Windows\Temp, then executes it to escalate privileges to SYSTEM. The exploit is designed for use within Cobalt Strike's Beacon, and only supports 64-bit Windows targets. The README provides usage instructions and notes that the exploit attempts to bypass Defender/EDR by obfuscating the DLL name. The repository contains three files: the main exploit script, a README, and a .gitattributes file. No network endpoints are hardcoded; the only fingerprintable endpoint is the temporary DLL path on the target system.
This repository contains a Python exploit for the PrintNightmare vulnerability (CVE-2021-34527) affecting Microsoft Windows systems. The main file, CVE-2021-34527.py, is a fully operational exploit that leverages the Windows Print Spooler service to achieve remote code execution as SYSTEM by uploading and executing a malicious DLL. The exploit supports targeting multiple hosts, includes a built-in SMB server for payload delivery (removing the need for external file shares), and allows the attacker to specify authentication credentials or NTLM hashes. It supports both the MS-RPRN and MS-PAR protocols and implements a UNC path bypass technique. The README provides detailed usage instructions, remediation advice, and references to the original research. The code is written in Python and relies on the impacket library for network and protocol operations. The repository is structured with a single exploit script, a README, and a .gitignore file. No detection scripts or fake code are present; this is a real, operational exploit.
This repository provides an operational exploit for CVE-2021-1675 (PrintNightmare), specifically targeting local privilege escalation on Windows systems. The main exploit is a PowerShell script (not included in the provided files) that leverages a custom DLL payload, which is built from the C++ source code in 'nightmare-dll/nightmare/dllmain.cpp'. The DLL, when loaded by the Print Spooler service, creates a new local user ('adm1n' with password 'P@ssw0rd') and adds it to the Administrators group, effectively granting SYSTEM-level privileges. The DLL can be replaced with a user-supplied payload for arbitrary code execution. The repository includes Visual Studio project files for building the DLL, and the exploit is intended for use on Windows Server 2016 and 2019. The attack vector is local, requiring the attacker to execute code on the target system. The only fingerprintable endpoint is the file path for a custom DLL payload. The structure is typical for a C++ DLL project, with source, header, and project configuration files.
This repository contains a weaponized local privilege escalation (LPE) exploit for CVE-2021-34527, also known as PrintNightmare. The exploit is implemented in C++ as a Visual Studio project and targets unpatched Microsoft Windows systems (Desktop 7, 8, 8.1, 10, 11 and Server 2008, 2012, 2016, 2019). The main exploit logic is in 'CVE-2021-34527.cpp', which leverages the AddPrinterDriverEx() Win32 API to load an attacker-supplied DLL into the Print Spooler service (spoolsv.exe), resulting in SYSTEM-level code execution. The exploit requires the user to provide a path to a thread-safe DLL payload, which is then copied to the printer driver directory and executed as SYSTEM. The code also attempts to clean up by removing the malicious printer driver after exploitation. The repository includes project files for building x86 and x64 binaries, resource files, and a README describing the exploit's purpose and affected systems. No network endpoints are hardcoded; the attack vector is local, requiring code execution on the target system.
This repository contains multiple operational exploits for the PrintNightmare vulnerability (CVE-2021-34527, CVE-2021-1675) affecting the Windows Print Spooler service. The exploit allows authenticated users to achieve remote code execution as SYSTEM by abusing the RpcAddPrinterDriverEx API to install a printer driver with a malicious DLL from a remote SMB share. The repository includes three main exploit implementations: a Python script (CVE-2021-34527.py) using Impacket, a C++ proof-of-concept (EXP/POC/POC.cpp), and a C# implementation (SharpPrintNightmare/SharpPrintNightmare/Program.cs). Each exploit automates the process of connecting to the target's Print Spooler service over RPC, providing a path to a malicious DLL, and triggering the service to load and execute the DLL with SYSTEM privileges. The exploits require valid credentials and network access to the target. The repository also provides detailed setup instructions for hosting the payload DLL via SMB and for configuring the environment for successful exploitation. The code is mature and operational, capable of providing full SYSTEM-level code execution on vulnerable Windows systems.
This repository provides an operational exploit for CVE-2021-34527 (PrintNightmare), a critical Windows Print Spooler vulnerability. The exploit is implemented as a PowerShell script (not included in the provided files) that leverages a custom DLL payload, whose source code is provided in C++ under 'nightmare-dll/nightmare/dllmain.cpp'. The DLL, when loaded by the Print Spooler service, creates a new local user (default: adm1n/P@ssw0rd) and adds it to the Administrators group, achieving local privilege escalation. The DLL can be customized to perform arbitrary actions, allowing for further exploitation. The repository includes Visual Studio project files for building the DLL. The exploit targets unpatched Windows Server 2016 and 2019 systems with the Print Spooler service enabled. No network endpoints are hardcoded; the attack is local and leverages Windows API calls to manipulate user accounts and groups.
This repository contains a local privilege escalation (LPE) exploit for CVE-2021-1675 (PrintNightmare) targeting Microsoft Windows systems. The main code file, CVE-2021-1675-LPE.cpp, is a C++ program that leverages the AddPrinterDriverEx API to load an attacker-supplied DLL as a printer driver, resulting in code execution as SYSTEM. The exploit dynamically discovers the appropriate printer driver path using EnumPrinterDriversW, reducing the need for hardcoded paths except on Windows Server 2008, where manual adjustment may be required. The README provides usage instructions and notes on compatibility, listing successful tests on Windows 10, Windows Server 2012 R2, and Windows Server 2008 R2. The exploit requires local access and a malicious DLL payload, which can perform arbitrary actions as SYSTEM (the example DLL creates a file as proof). The repository includes Visual Studio project files for building the exploit. No network endpoints are involved; the attack vector is local privilege escalation via the Windows Print Spooler service.
This repository contains a Python implementation of the PrintNightmare exploit (targeting CVE-2021-1675 and CVE-2021-34527) using the Impacket library. The main file, printnightmare.py, is a standalone exploit script that allows an attacker to check for vulnerability, list printer drivers, delete drivers, and most importantly, exploit the Print Spooler service on vulnerable Windows systems by uploading and loading a malicious DLL. The exploit can use both local and remote (UNC/SMB) paths for the DLL payload, enabling remote code execution with SYSTEM privileges. The README.md provides detailed usage instructions, example commands, and guidance on setting up an SMB share to host the malicious DLL. The repository is operational and ready for use, requiring only a valid DLL payload and credentials for the target system. The attack vector is network-based, exploiting the MS-RPRN RPC interface of the Windows Print Spooler service. Multiple fingerprintable file paths and UNC paths are present, both as targets for the DLL payload and as part of the exploitation process.
Recent activity
38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote code execution vulnerability in the Windows Print Spooler service, mentioned as distinct from PrinterBug coercion.
A Windows Print Spooler vulnerability enabling remote access and high-privilege command execution.
Windows Print Spooler vulnerability referenced as PrintNightmare in associated annotations/analytic story.
A Windows Print Spooler remote code execution and privilege escalation vulnerability referred to as PrintNightmare, associated here with suspicious DLL loading by spoolsv.exe from the spool drivers directory.