From 4d8e10e09a68402524ed8767f3a2d8b27cbab1a2 Mon Sep 17 00:00:00 2001
From: Metasploit <metasploit@rapid7.com>
Date: Wed, 5 Jan 2022 12:48:00 -0600
Subject: [PATCH] automatic module_metadata_base.json update

---
 db/modules_metadata_base.json | 68 +++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index c9ee719942..cdc55274bf 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -537,6 +537,70 @@
     "session_types": false,
     "needs_cleanup": false
   },
+  "auxiliary_admin/dcerpc/cve_2021_1675_printnightmare": {
+    "name": "Print Spooler Remote DLL Injection",
+    "fullname": "auxiliary/admin/dcerpc/cve_2021_1675_printnightmare",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Zhiniang Peng",
+      "Xuefeng Li",
+      "Zhipeng Huo",
+      "Piotr Madej",
+      "Zhang Yunhai",
+      "cube0x0",
+      "Spencer McIntyre",
+      "Christophe De La Fuente"
+    ],
+    "description": "The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted\n          DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN\n          vector which requires the Print Spooler service to be running.",
+    "references": [
+      "CVE-2021-1675",
+      "CVE-2021-34527",
+      "URL-https://github.com/cube0x0/CVE-2021-1675",
+      "URL-https://github.com/afwu/PrintNightmare",
+      "URL-https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1",
+      "URL-https://github.com/byt3bl33d3r/ItWasAllADream"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2021-09-21 15:16:58 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.rb",
+    "is_install_path": true,
+    "ref_name": "admin/dcerpc/cve_2021_1675_printnightmare",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "PrintNightmare"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
   "auxiliary_admin/dns/dyn_dns_update": {
     "name": "DNS Server Dynamic Update Record Injection",
     "fullname": "auxiliary/admin/dns/dyn_dns_update",
@@ -20751,7 +20815,7 @@
       "Alberto Solino",
       "Christophe De La Fuente"
     ],
-    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. First, it\n          reads as much data as possible from the registry and then save the\n          hives locally on the target (%SYSTEMROOT%\\random.tmp). Finally, it\n          downloads the temporary hive files and reads the rest of the data\n          from it. This temporary files are removed when it's done.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino. Note that the `NTDS.dit` technique has not been\n          implement yet. It will be done in a next iteration.",
+    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. First, it\n          reads as much data as possible from the registry and then save the\n          hives locally on the target (%SYSTEMROOT%\\random.tmp). Finally, it\n          downloads the temporary hive files and reads the rest of the data\n          from it. This temporary files are removed when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
     "references": [
       "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"
     ],
@@ -20767,7 +20831,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2021-09-01 10:30:54 +0000",
+    "mod_time": "2022-01-03 19:13:32 +0000",
     "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
     "is_install_path": true,
     "ref_name": "gather/windows_secrets_dump",