Jump to content

PrintNightmare


Recommended Posts

10 hours ago, itman said:

You can also download the source code for the .dll used in this test, add some additional code

In Our tests ESET will detect attack with any DLL file , Even with an empty file ! it does not depend on detection of Dll file.

10 hours ago, itman said:

Also check this out which tests the previous known vulnerabilities: https://github.com/cube0x0/CVE-2021-1675

We will also check that.

Link to comment
Share on other sites

9 hours ago, kamiran.asia said:

We will also check that.

Actually, the test exploit you need to run is the PowerShell based one because:

Quote

This PowerShell script performs local privilege escalation (LPE) with the PrintNightmare attack technique.

The LPE technique does not need to work with remote RPC or SMB, as it is only working with the functions of Print Spooler.

https://github.com/calebstewart/CVE-2021-1675

BTW - if you test this: https://github.com/JumpsecLabs/PrintNightmare and have PowerShell set to ConstrainedLanguage mode, the remote script will fail since CL will block the import-module command. So Constrained_Language mode has to removed;i.e. set to FullLanguage  mode, for testing purposes.

Edited by itman
Link to comment
Share on other sites

Oops - I missed this detection by Eset in regards to the above PowerShell exploit test:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/11/2021 2:09:28 PM;HTTP filter;file;https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1;PowerShell/Exploit.CVE-2021-1675.A trojan;connection terminated;XXXX\XXX;Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054).;2645CC7AA381D5D4A6386F84FB2BE23C586CB46A;

Here's the problem. Eset didn't actually block the connection. I saw the script running in a PowerShell session I had open. Now I do monitor outbound Powershell network traffic with an Eset firewall rule. But allowing the connection which I did, should have no bearing on the above.

-EDIT- Reflecting, it did appear the script "petered out" at the end. The script execution comments being displayed ended in mid-sentence. So it is possible Eset did eventually block the connection but the damage would have already been done.

 

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...