CVE-2021-34527
HIGH KEV RANSOMWARE
Windows Print Spooler - Remote Code Execution via Privileged File Operations
Title source: llm
Exploitation Summary
CVE-2021-34527 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns.
EIP tracks 34 public exploits from researchers including byt3bl33d3r, JohnHammond and nemo-wq, as well as a Metasploit module (lib/msf/core/mcp/tools/search_modules).
AI-analyzed exploit summary
This repository contains a Python-based scanner for CVE-2021-34527 (PrintNightmare) that checks for vulnerability over MS-PAR and MS-RPRN protocols without exploiting the hosts. It generates a CSV report with results.
Description
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: these registry keys do not exist by default, and therefore are already at the secure setting), and that your Group Policy settings are correct (see FAQ):

  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7).

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as "PrintNightmare", documented in CVE-2021-34527.
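The advisory above reduces the post-patch check to two Point and Print registry values (secure when 0 or absent) plus the Group Policy that backs them, and the workaround section it points to is disabling the Print Spooler service. The following PowerShell audit, added here as an example and not code from the original page, from Microsoft, or from any of the listed repositories, reads those two values from the key the advisory names and reports the Spooler service state alongside them. It assumes it is run locally on the host being checked; the function name Test-PointAndPrintHardening is an invented label for this example.

```powershell
# Added audit example (not from the original page or from Microsoft): reports whether the
# Point and Print values named in the advisory are at their secure setting (0 or not defined)
# and records the Print Spooler service state for context.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValuesToCheck    = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintHardening {
    $findings = @()

    foreach ($name in $ValuesToCheck) {
        # Get-ItemProperty returns nothing (no error) when the key or the value is absent,
        # which the advisory treats as the secure default.
        $item  = Get-ItemProperty -LiteralPath $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $item) { $value = [int]$item.$name }

        # Per the advisory: 0 or not defined is secure; NoWarningNoElevationOnInstall = 1 is vulnerable by design.
        $secure  = ($null -eq $value) -or ($value -eq 0)
        $display = 'not defined'
        if ($null -ne $value) { $display = $value }

        $findings += [pscustomobject]@{
            Check  = $name
            Value  = $display
            Secure = $secure
        }
    }

    # Service state is informational: a running spooler is expected on print servers, but the
    # advisory's workaround for unpatched hosts is to stop and disable it.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $state   = 'not installed'
    if ($null -ne $spooler) { $state = "$($spooler.Status) / StartType=$($spooler.StartType)" }

    $findings += [pscustomobject]@{
        Check  = 'Spooler service'
        Value  = $state
        Secure = 'n/a'
    }

    return $findings
}

Test-PointAndPrintHardening | Format-Table -AutoSize
```

Any row with Secure = False means the host has opted out of the hardening even if the July 2021 update is installed, since these values override the patched behaviour. The registry check only reflects the local policy key; where the values are pushed by Group Policy, confirm the GPO itself as the advisory's FAQ directs, because a policy refresh will reapply whatever the GPO sets.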
Exploits (34)
This repository contains a Python-based scanner for CVE-2021-34527 (PrintNightmare) that checks for vulnerability over MS-PAR and MS-RPRN protocols without exploiting the hosts. It generates a CSV report with results.
This repository contains a functional PowerShell script that exploits CVE-2021-34527 (PrintNightmare) to achieve local privilege escalation by adding a new local administrator user or executing a custom DLL as NT AUTHORITY\SYSTEM. The exploit leverages the Windows Print Spooler service to load a malicious driver.
This repository contains a functional exploit for CVE-2021-34527 (PrintNightmare), which leverages the Windows Print Spooler service to achieve remote code execution (RCE) via crafted RPC calls to add a malicious printer driver. The exploit includes Python and C++ implementations, demonstrating the vulnerability by copying a DLL to a remote system and executing it.
This repository contains a functional Python exploit for CVE-2021-34527, leveraging the Print Spooler service to achieve remote code execution via a crafted driver installation. The exploit includes an SMB server for staging payloads and uses DCERPC for communication with the target.
This repository contains a functional exploit for CVE-2021-34527, leveraging the AddPrinterDriverEx() API to escalate privileges to SYSTEM by loading a malicious DLL into spoolsv.exe. The exploit includes cleanup mechanisms and is designed for Windows Desktop and Server versions.
The repository contains only a vague README with no technical details or exploit code, instead using buzzwords and referencing external CVEs without providing any substantive analysis or PoC.
This repository provides a PowerShell script and documentation for mitigating the PrintNightmare vulnerability (CVE-2021-34527) by applying registry modifications and service configurations. It does not contain exploit code but offers technical guidance on remediation.
This repository contains a functional exploit for CVE-2021-34527, a vulnerability in the Windows Print Spooler service. The exploit leverages the RpcAddPrinterDriverEx function to achieve remote code execution by manipulating printer driver configurations.
This repository contains a Python script that scans for the PrintNightmare vulnerability (CVE-2021-34527) by checking for the presence of security updates, registry settings, and the status of the Print Spooler service. It also attempts to mitigate the vulnerability by disabling the service and updating registry keys.
This repository contains PowerShell scripts to exploit CVE-2021-34527 (PrintNightmare) by modifying ACLs on the Windows Print Spooler directory to grant or deny SYSTEM access, enabling privilege escalation or lateral movement. The scripts include functionality to backup, restore, and manipulate permissions on the spooler directory.
This repository provides a workaround for CVE-2021-34527 (Windows Print Spooler RCE) by disabling the RegisterSpoolerRemoteRpcEndPoint registry entry. It includes detailed instructions for manual mitigation via Group Policy Editor.
The repository contains PowerShell scripts for detecting and remediating registry settings related to CVE-2021-34527 (PrintNightmare). It does not include exploit code but provides detection and mitigation tools.
This repository contains a functional PowerShell script that exploits CVE-2021-34527 (PrintNightmare) to achieve local privilege escalation by adding a new local administrator user or executing a custom DLL as NT AUTHORITY\SYSTEM. The exploit leverages the Windows Print Spooler service to load a malicious DLL.
This repository contains a functional PowerShell exploit for CVE-2021-34527 (PrintNightmare), which leverages a vulnerability in the Windows Print Spooler service to achieve local privilege escalation (LPE) by loading a malicious DLL. The exploit includes a custom DLL payload that creates a new local administrator user with a specified password.
This repository contains a detailed technical analysis of CVE-2021-34527 (PrintNightmare), including root cause, attack flow, affected systems, mitigation steps, and detection guidance. It does not include exploit code but provides in-depth vulnerability research.
This repository does not contain actual exploit code but instead provides a GitLab CI pipeline to build an external exploit (SharpPrintNightmare) and directs users to download the binary from an external source. The README lacks technical details about CVE-2021-34527 and serves as a redirect to another repository.
This repository contains a functional PowerShell script that exploits CVE-2021-34527 (PrintNightmare) to achieve local privilege escalation by adding a new local administrator user or executing a custom DLL as NT AUTHORITY\SYSTEM. The exploit leverages the Windows Print Spooler service to load a malicious driver.
This repository contains a Python script that detects brute-force attacks by monitoring network traffic for repeated login attempts (e.g., FTP USER/PASS commands) using Scapy. It logs packets to PCAP and CSV files but does not exploit CVE-2021-34527.
This repository contains a functional Python script that sends a crafted SMB payload to exploit CVE-2021-34527 (PrintNightmare). The payload is designed to trigger the vulnerability via SMB port 445.
This repository provides PowerShell scripts to mitigate CVE-2021-34527 (PrintNightmare) by setting registry keys to restrict printer driver installation and block remote printing. It includes technical details on registry modifications and references external blogs for deeper analysis.
This repository contains PowerShell scripts to mitigate CVE-2021-34527 (PrintNightmare) by disabling the Print Spooler service and modifying ACLs to prevent driver installation. The scripts are functional and directly address the vulnerability by blocking exploit paths.
This repository provides PowerShell scripts to mitigate CVE-2021-34527 (PrintNightmare) by modifying ACLs to deny write permissions to the printer drivers directory. It includes scripts to apply and rollback the mitigation, along with a detailed explanation of its effectiveness.
The repository contains only a minimal README with a CVE reference and no functional exploit code or technical details. It appears to be a placeholder without substantive content.
This PowerShell script mitigates CVE-2021-34527 (PrintNightmare) by disabling the Print Spooler service and blocking remote RPC endpoints. It provides options to temporarily or permanently re-enable the service for printing tasks.
This repository contains a simple batch script to disable the Microsoft Print Spooler service as a mitigation for CVE-2021-34527 (PrintNightmare). It does not include an exploit PoC or technical analysis of the vulnerability.
The repository contains only a vague README with no technical details or exploit code, and the title suggests a mix of two unrelated CVEs (CVE-2021-1675 and CVE-2021-34527). No actual exploit or analysis is provided.
The repository contains PowerShell scripts that scan for the state of the Print Spooler service across domain controllers in an Active Directory environment. It does not exploit CVE-2021-34527 but checks for the service status, which could be used to identify vulnerable systems.
This code is a Metasploit Framework module search tool that queries the module database for exploits, including those related to CVE-2021-34527. It does not contain exploit code but provides a structured way to search for modules.
This Metasploit module exploits CVE-2021-34527 (PrintNightmare) by abusing the Print Spooler service to load a malicious DLL via a crafted DCERPC request, achieving remote code execution as NT AUTHORITY\SYSTEM.
This repository contains a functional PowerShell exploit for CVE-2021-1675 (PrintNightmare), which allows local privilege escalation by adding a new local administrator user via a malicious printer driver. The exploit includes a custom DLL payload and leverages the Windows Print Spooler service to execute arbitrary code as NT AUTHORITY\SYSTEM.
This repository contains a functional exploit for CVE-2021-34527 (PrintNightmare), which leverages the Windows Print Spooler service to achieve remote code execution by loading a malicious DLL. The exploit uses the AddPrinterDriverExW API to trigger the vulnerability and requires a SMB server to host the payload.
This repository contains a functional Python exploit for CVE-2021-34527 (PrintNightmare), leveraging Impacket to achieve remote code execution via the Windows Print Spooler service. The exploit supports multiple modes, including DLL injection, vulnerability checking, and driver enumeration.
This repository contains a functional Python exploit for CVE-2021-34527 (PrintNightmare), which leverages the Windows Print Spooler service to achieve remote code execution via a malicious DLL. The exploit uses the MS-RPRN protocol to manipulate printer driver configurations and execute arbitrary code.
References (6)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H