PrintNightmare / Windows Print Spooler RCE in CVE-2021-1675 context
CVE-2021-1675 is a vulnerability in the Microsoft Windows Print Spooler service. The provided content shows substantial historical confusion between CVE-2021-1675 and the later-assigned CVE-2021-34527, with public PrintNightmare proof-of-concept code initially circulated under the CVE-2021-1675 identifier. Based on the supplied advisory excerpts, Microsoft’s advisory for CVE-2021-1675 ultimately characterized it as a Windows Print Spooler remote code execution vulnerability, while some referenced material still lists impact as elevation of privilege. In the provided context, exploitation is associated with malicious printer driver installation and execution in the Print Spooler context, and the vulnerability is repeatedly discussed alongside PrintNightmare tradecraft affecting Point and Print / printer driver handling paths in the spooler subsystem.
Exploits
11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).
This repository contains multiple implementations (Python and C#) of the PrintNightmare exploit (CVE-2021-1675 / CVE-2021-34527), targeting the Windows Print Spooler service. The main files are 'CVE-2021-1675.py' (Python) and 'SharpPrintNightmare/SharpPrintNightmare/Program.cs' (C#), both of which exploit the vulnerability by uploading and executing a malicious DLL on a vulnerable Windows system. The exploit works by abusing the printer driver installation process via RPC calls to the Print Spooler service, allowing an attacker with valid credentials to achieve remote code execution or local privilege escalation. The repository also includes documentation on usage, required SMB/registry configuration, and mitigation steps. The exploit is operational and requires the attacker to provide a DLL payload, which is then executed with SYSTEM privileges on the target. The code supports both local and remote exploitation scenarios, and includes logic to enumerate driver paths and handle authentication. The repository is well-structured, with clear separation between Python and C# implementations, and includes supporting files for building the C# project.
This repository contains a Python proof-of-concept exploit for the PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) affecting the Windows Print Spooler service. The main file, CVE-2021-1675.py, leverages the MS-RPRN protocol via Impacket to remotely coerce a vulnerable Windows system into loading a malicious DLL (typically a reverse shell) from an attacker-controlled SMB share. The exploit requires valid credentials and network access to the target's print spooler service. The README.md provides detailed background, setup, and usage instructions, including how to generate a malicious DLL payload (e.g., with msfvenom), host it via SMB, and receive a shell using Metasploit. The exploit is operational and demonstrates remote code execution as SYSTEM on vulnerable Windows systems. Key fingerprintable endpoints include UNC paths to the malicious DLL, specific Windows system file paths, and the use of the print spooler named pipe (\PIPE\spoolss). The repository is structured with a single exploit script and a comprehensive README for exploitation guidance.
This repository provides a local privilege escalation (LPE) exploit for CVE-2021-1675 and CVE-2021-34527 (PrintNightmare) on Windows systems. The exploit is implemented in C/C++ and includes both a standard executable and a Reflective DLL version for use with Cobalt Strike. The main exploit logic is in 'src/main.cpp' and 'src/CVE-2021-1675-LPE-RDLL/main.cpp'. The exploit works by abusing the AddPrinterDriverExW API to install a malicious DLL as a printer driver, which is then executed with SYSTEM privileges. The attacker must supply a path to their payload DLL. The repository also includes a Cobalt Strike Aggressor script ('lpe_cve_2021_1675.cna') for integration with Cobalt Strike. The exploit is operational and has been tested on Windows Server 2019 Standard. The README provides usage instructions, mitigation advice, and references. No network endpoints are hardcoded; the attack is local and targets the Windows Print Spooler service and related file paths.
This repository provides a batch script (run.bat) and a README for exploiting the PrintNightmare vulnerability on Windows 10 20H2 systems. The README instructs users to download and extract a ZIP archive containing the actual exploit payloads (DLLs and an EXE), which are not included in the repository. The batch script automates extraction, file copying, and prompts the user to execute the main payload DLL (PNLPE.dll). The exploit is local and targets privilege escalation via the Print Spooler service. The repository does not contain the actual exploit code (DLLs/EXE), only the script to stage and launch them. The main fingerprintable endpoints are the file paths used for staging and execution. The exploit is a proof-of-concept and requires manual user interaction to execute the payload.
This repository provides multiple implementations (Python and C#) of the PrintNightmare exploit (CVE-2021-1675 / CVE-2021-34527), targeting a critical vulnerability in the Windows Print Spooler service. The exploit enables remote code execution (RCE) or local privilege escalation (LPE) by uploading and executing a malicious DLL on a vulnerable Windows system. The main Python exploit (CVE-2021-1675.py) uses Impacket to interact with the MS-RPRN protocol, while the C# implementation (SharpPrintNightmare) provides similar functionality for both local and remote exploitation. The exploit requires valid credentials and a network-accessible SMB share hosting the attacker's DLL payload. The repository includes detailed usage instructions, example commands, and information on required system configuration and registry settings. The code is operational and can be used to achieve SYSTEM-level code execution on unpatched or misconfigured Windows systems.
This repository provides a Cobalt Strike Aggressor Script (.cna) plugin for exploiting the PrintNightmare vulnerability (CVE-2021-1675) to achieve local privilege escalation (LPE) on Windows systems. The main file, PrintNightMareLpe.cna, registers an exploit module ('PrintNightMare-1675') that uploads a custom DLL (either LPE_Reflect_Elevate.x64.dll or CVE-2021-1675.x64.dll) to a randomized filename in C:\Windows\Temp, then executes it to escalate privileges to SYSTEM. The exploit is designed for use within Cobalt Strike's Beacon, and only supports 64-bit Windows targets. The README provides usage instructions and notes that the exploit attempts to bypass Defender/EDR by obfuscating the DLL name. The repository contains three files: the main exploit script, a README, and a .gitattributes file. No network endpoints are hardcoded; the only fingerprintable endpoint is the temporary DLL path on the target system.
This repository is a functional local privilege escalation exploit for CVE-2021-1675 (PrintNightmare) targeting Windows 10 and Windows Server 2012. The exploit is implemented in C++ and consists of three main components:
1. **PrintNightmareLPE**: The main exploit binary (PrintNightmareLPE.cpp) orchestrates the attack. It creates a directory (`C:\temp\testcase`), copies a malicious DLL (`vlib.dll`) and a client executable (`xconsole.exe`) to this directory, and then abuses the Windows Print Spooler service via the `AddPrinterDriverEx` API to load the malicious DLL with SYSTEM privileges.
2. **vlib.dll**: This DLL, when loaded by the Print Spooler, spawns a bind shell on TCP port 31337 (localhost only) as NT SYSTEM. The shell is implemented in `BindShell.cpp` and is triggered via the DLL's `DllMain` entry point.
3. **xconsole.exe**: This is a client program that connects to the bind shell on 127.0.0.1:31337, providing the attacker with an interactive NT SYSTEM shell.
The exploit requires local access to the target system and the ability to copy files and execute binaries. The attack vector is local privilege escalation via the vulnerable Print Spooler service. The repository is well-structured, with separate Visual Studio projects for each component. The exploit is operational and provides a working SYSTEM shell if the target is vulnerable and properly configured.
This repository contains a Nim-based proof-of-concept exploit for CVE-2021-1675 (PrintNightmare), a Windows Print Spooler local privilege escalation vulnerability. The main file, 'nimnightmare.nim', is a command-line tool that takes the path to a malicious DLL as an argument. It enumerates installed printer drivers, retrieves the driver path, and attempts to install a new printer driver using the supplied DLL as both the configuration and data file. If successful, this results in the DLL being loaded as SYSTEM, allowing for arbitrary code execution. The README provides instructions for generating a reverse shell DLL payload using msfvenom and describes the exploitation process. The exploit is not weaponized but serves as a functional POC for local privilege escalation on vulnerable Windows systems.
This repository provides an operational exploit for CVE-2021-1675 (PrintNightmare), specifically targeting local privilege escalation on Windows systems. The main exploit is a PowerShell script (not included in the provided files) that leverages a custom DLL payload, which is built from the C++ source code in 'nightmare-dll/nightmare/dllmain.cpp'. The DLL, when loaded by the Print Spooler service, creates a new local user ('adm1n' with password 'P@ssw0rd') and adds it to the Administrators group, effectively granting SYSTEM-level privileges. The DLL can be replaced with a user-supplied payload for arbitrary code execution. The repository includes Visual Studio project files for building the DLL, and the exploit is intended for use on Windows Server 2016 and 2019. The attack vector is local, requiring the attacker to execute code on the target system. The only fingerprintable endpoint is the file path for a custom DLL payload. The structure is typical for a C++ DLL project, with source, header, and project configuration files.
This repository contains a local privilege escalation (LPE) exploit for CVE-2021-1675 (PrintNightmare) targeting Microsoft Windows systems. The main code file, CVE-2021-1675-LPE.cpp, is a C++ program that leverages the AddPrinterDriverEx API to load an attacker-supplied DLL as a printer driver, resulting in code execution as SYSTEM. The exploit dynamically discovers the appropriate printer driver path using EnumPrinterDriversW, reducing the need for hardcoded paths except on Windows Server 2008, where manual adjustment may be required. The README provides usage instructions and notes on compatibility, listing successful tests on Windows 10, Windows Server 2012 R2, and Windows Server 2008 R2. The exploit requires local access and a malicious DLL payload, which can perform arbitrary actions as SYSTEM (the example DLL creates a file as proof). The repository includes Visual Studio project files for building the exploit. No network endpoints are involved; the attack vector is local privilege escalation via the Windows Print Spooler service.
This repository contains a Python implementation of the PrintNightmare exploit (targeting CVE-2021-1675 and CVE-2021-34527) using the Impacket library. The main file, printnightmare.py, is a standalone exploit script that allows an attacker to check for vulnerability, list printer drivers, delete drivers, and most importantly, exploit the Print Spooler service on vulnerable Windows systems by uploading and loading a malicious DLL. The exploit can use both local and remote (UNC/SMB) paths for the DLL payload, enabling remote code execution with SYSTEM privileges. The README.md provides detailed usage instructions, example commands, and guidance on setting up an SMB share to host the malicious DLL. The repository is operational and ready for use, requiring only a valid DLL payload and credentials for the target system. The attack vector is network-based, exploiting the MS-RPRN (Print System Remote Protocol) RPC interface of the Windows Print Spooler service. Multiple fingerprintable file paths and UNC paths are present, both as targets for the DLL payload and as part of the exploitation process.
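The summaries above share a few observable traits: driver files referenced by UNC path, payloads staged under `C:\Windows\Temp` or `C:\temp`, and one DLL supplied as both the data and configuration file. The following triage check is an added example, not code from this page or from any listed repository. Field names follow the Windows `DRIVER_INFO_2` structure; the record schema, the sample records and the heuristics themselves are constructed assumptions.

```python
import ntpath
import re

# Locations the summaries above name as payload staging directories.
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\temp\\")
# Spooler driver store, where legitimately installed driver files live.
DRIVER_STORE = "c:\\windows\\system32\\spool\\drivers\\"
STORE = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"

def is_unc(path):
    """True for a remote SMB path of the form \\\\host\\share\\..."""
    return re.match(r"^\\\\[^\\]+\\[^\\]+", path) is not None

def review_driver_install(rec):
    """Return the reasons a driver-registration record looks suspicious."""
    reasons = []
    files = {k: rec.get(k, "") for k in ("pDriverPath", "pDataFile", "pConfigFile")}
    for field, path in files.items():
        low = ntpath.normpath(path).lower()
        if is_unc(path):
            reasons.append(f"{field} is a UNC path")
        elif low.startswith(STAGING_DIRS):
            reasons.append(f"{field} is in a staging directory")
        elif path and not low.startswith(DRIVER_STORE):
            reasons.append(f"{field} is outside the driver store")
    data, config = files["pDataFile"].lower(), files["pConfigFile"].lower()
    if data and data == config:
        reasons.append("pDataFile and pConfigFile are the same file")
    return reasons

def flag_all(records):
    """Map driver name -> reasons, for records with at least one finding."""
    findings = {r["pName"]: review_driver_install(r) for r in records}
    return {name: why for name, why in findings.items() if why}

def rec(name, driver, data, config):
    return {"pName": name, "pDriverPath": driver, "pDataFile": data, "pConfigFile": config}

# Constructed sample records (hypothetical telemetry, not real captures).
SAMPLE = [
    rec("Vendor Laser", STORE + "vendor_drv.dll", STORE + "vendor.gpd", STORE + "vendor_ui.dll"),
    rec("drv-a", STORE + "vendor_drv.dll", r"\\192.0.2.10\share\x.dll", r"\\192.0.2.10\share\x.dll"),
    rec("drv-b", STORE + "vendor_drv.dll", r"C:\Windows\Temp\k3f9.dll", r"C:\Windows\Temp\k3f9.dll"),
]

if __name__ == "__main__":
    for name, why in flag_all(SAMPLE).items():
        print(name, "->", "; ".join(why))
```

Feed it records normalized from whatever source exposes driver registrations in your environment; a clean record returns an empty list.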
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft Windows Print Spooler vulnerability commonly referred to as PrintNightmare, associated with remote code execution and/or privilege escalation risk in Windows environments.
A CVE identifier referenced as part of the PrintNightmare vulnerability set, which the content says was previously exploited in significant real-world activity.
One of the PrintNightmare Windows Print Spooler vulnerabilities, referenced as previously exploited by Russian threat actors and for which Microsoft released updates.
A Windows Print Spooler PrintNightmare vulnerability referenced as one of the similar flaws exploited by Russian threat actors.