Windows Print Spooler Exploit (PrintNightmare)
Version: v1.4
Difficulty: Advanced
Updated: 2025-01-30
Category: Exploits & 0days

$149.99

PrintNightmare — CVE-2021-34527 / CVE-2021-1675

Exploit for the vulnerability in the Windows Print Spooler service allowing remote code execution and local privilege escalation:

  • Remote RCE Mode — Exploits the RpcAddPrinterDriverEx function to load a malicious DLL from a remote SMB share, executing arbitrary code as SYSTEM on the target host.
  • Local Privilege Escalation — Variant that loads the malicious driver DLL from a local path, escalating from any authenticated user to NT AUTHORITY\SYSTEM.
  • DLL Payload — Pre-built DLL templates: add local admin user, reverse shell callback, Cobalt Strike beacon loader, or custom command execution.
  • SMB Server — Integrated Python SMB server (impacket-based) that serves the malicious DLL and handles authentication for the remote exploitation variant.
  • Point-and-Print Abuse — Additional technique exploiting Point-and-Print configurations for post-patch exploitation on systems where the fix was improperly applied.
  • Detection and Remediation — Event log signatures (Event IDs 808, 316), registry hardening keys, and GPO configurations to properly disable the vulnerable Print Spooler functionality.