PrintNightmare

Rapid7 security researchers Christophe De La Fuente, and Spencer McIntyre, have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\SYSTEM.

Because Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The Metasploit module documentation details the process of generating a payload DLL and using this module to load it.

CVE-2021-34527 is being actively exploited in the wild. For more information and a full timeline, see Rapid7’s blog on PrintNightmare!

NSClient++

Great work by community contributor Yann Castel on their new NSClient++ module. This module allows an attacker with an unprivileged windows account to gain admin access on a windows system and start a shell.

For this module to work, both the web interface of NSClient++ and the ExternalScripts feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.

New module content (2)

  • Print Spooler Remote DLL Injection by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits CVE-2021-34527 - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the SYSTEM user.

  • NSClient++ 0.5.2.35 - Privilege escalation by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScriptsfeature enabled, gains a SYSTEM shell.

Enhancements and features

  • #15366 from pingport80 - This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).

Bugs fixed

  • #15320 from agalway-r7 - A bug has been fixed in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from being able to use the read_file() method. PowerShell sessions should now be able to use this method to read files from the target system.
  • #15371 from bcoles - This fixes an issue in the apport_abrt_chroot_priv_esc module where if the apport-cli binary was not in the PATH the check method would fail.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from

GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

binary installers (which also include the commercial edition).