Description
Escalates to SYSTEM via the Windows Print Spooler (CVE-2021-34527 / PrintNightmare) by loading a SpecterInsight implant DLL through AddPrinterDriverEx.
Overview
Exploits CVE-2021-34527 (PrintNightmare) to escalate privileges to SYSTEM. Compiles a SpecterInsight implant DLL server-side, writes it to a temporary path on the target, then calls Invoke-LevelUp -Technique CVE-2021-34527 to load it via the Print Spooler’s AddPrinterDriverEx API. The DLL is deleted after the exploit fires.
The Print Spooler service (spoolsv.exe, running as SYSTEM) loads the DLL during driver validation, executing the implant's DllMain, which spawns a thread that decodes and runs the embedded sRDI shellcode in memory.
Arguments
| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| Build | string | Yes | The Specter build identifier. Drives which implant binary is embedded in the DLL. |
| DllPath | string | No | Local path on the target where the DLL is staged. Default: C:\Windows\Temp\pn.dll. |
Dependencies
- levelup
Operating Systems
- Windows (pre-July 2021 patch — KB5004945 / KB5004946 / KB5004948 not applied)
Pre-Requisites
- Print Spooler service must be running (`sc query Spooler`).
- Session must be running as a standard (non-elevated) user.
- The target must not have the July 2021 OOB patch applied.
- Staging path (`C:\Windows\Temp\` by default, or the path supplied via `-DllPath`) must be writable and not excluded by application control policies.
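As a defender's counterpart to the pre-requisites above, the following added PowerShell script (not part of SpecterInsight or this module) reports whether a host is still exposed to this technique: Spooler state, presence of the July 2021 OOB KBs listed above, the `RestrictDriverInstallationToAdministrators` hardening value, and PrintService driver-add events (ID 316) whose file list points at the default staging directory. The registry path and event ID are the standard Windows ones; the script assumes an elevated session, and the PrintService Operational log must be enabled for the last check to return anything.

```powershell
# Added example (not SpecterInsight code): assess exposure to CVE-2021-34527.
# Run elevated. Event check needs Microsoft-Windows-PrintService/Operational enabled.

$oobPatches = 'KB5004945', 'KB5004946', 'KB5004948'   # July 2021 OOB fixes named above

# 1. Is the Print Spooler running? If not, the AddPrinterDriverEx path is closed.
$spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

# 2. Is one of the OOB patches installed? Later cumulative updates supersede these
#    KBs, so "absent" means "check further", not "vulnerable".
$oobPresent = [bool](Get-HotFix | Where-Object { $oobPatches -contains $_.HotFixID })

# 3. Is printer-driver installation restricted to administrators? (Value 1 blocks
#    non-admin Point and Print driver installs, the Microsoft hardening for this bug.)
$ppKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppValues = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
$adminOnly = ($ppValues.RestrictDriverInstallationToAdministrators -eq 1)

# 4. Driver-add events (ID 316) whose file list references the temp staging
#    directory this module uses by default (C:\Windows\Temp).
$suspect = @()
try {
    $suspect = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316
        } -ErrorAction Stop | Where-Object { $_.Message -match '\\Windows\\Temp\\' })
} catch { }   # log disabled or no matching events

$recommendation =
    if (-not $spoolerRunning) { 'Spooler stopped: not exposed via this path' }
    elseif ($oobPresent -or $adminOnly) { 'Mitigated; still review any suspect events' }
    else { 'Patch (or stop Spooler where unused) and set RestrictDriverInstallationToAdministrators=1' }

[pscustomobject]@{
    SpoolerRunning         = $spoolerRunning
    OobPatchInstalled      = $oobPresent
    DriverInstallAdminOnly = $adminOnly
    SuspectDriverAddEvents = $suspect.Count
    Recommendation         = $recommendation
}
```

Pipe the resulting object to `Export-Csv` when running it across a fleet so hosts reporting `SuspectDriverAddEvents` greater than zero can be triaged first.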
Example Output
```text
Name             Value
----             -----
Technique        CVE-2021-34527
CheckPassed      True
ExecuteSucceeded True
```

```json
{
  "Technique": "CVE-2021-34527",
  "CheckPassed": true,
  "ExecuteSucceeded": true
}
```
