jacob-baines / concealed_position Goto Github PK

Hi there, floyd from Pentagrid here (the "POISIONDAMAGE" guys)

I tried to use concealed position and it worked fine until I tried to install the printer with cp_client.exe. It seems deactivating the password protected sharing in the advanced sharing settings is breaking the exploit in this setup. The error message of cp_client.exe is:

Couldn't connect to the remote printer: 1272

Digging a little, I found that error 1272 is probably:

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

And of course if I don't deactivate password protected sharing, I get:

Couldn't connect to the remote printer: 2

Which is access denied, because cp_client.exe didn't authenticate.

Some more debug info. This line fails:

OpenPrinter doc is here and is called with the first argument (pPrinterName) being an UNC path (\<name>):

https://docs.microsoft.com/en-us/windows/win32/printdocs/openprinter

So the question is which component is responsible for authentication on the UNC paths. Probably the machine sees that it is a non-authenticated share. So we need authentication. The question is if there is something that allows to accept any NTLM/Kerberos authentication the Windows machine is doing.

Any chance to fix this? Any other ideas?

Edit: I'm going to try to mount the server first (aka "net use Z: \Server\SharedFolder passwordGoesHere /USER:userAccountGoesHere /persistent:no"), then try the exploit again, I guess the UNC authentication part is transparent Windows magic to OpenPrinter and if the printer is alread "mounted" that might work

Always getting the Failed to create printer: 1802 error when trying. Using latest Win 10 release (x64)

My mistake.

You can not run: cp_client.exe -l -e POISONDAMAGE without firstly running cp_server.exe -e POISONDAMAGE and deleting the shared printer. If you do it tells you the driver doesn't exist, if you don't delete the shared printer it tells you the printer is already installed. is this a bug?

I tried replicating the attack but my DLL is loaded as the user running cp_client and not as SYSTEM. Any ideas?