jacob-baines / concealed_position Goto Github PK
View Code? Open in Web Editor NEWBring your own print driver privilege escalation tool
License: BSD 3-Clause "New" or "Revised" License
Bring your own print driver privilege escalation tool
License: BSD 3-Clause "New" or "Revised" License
You can not run: cp_client.exe -l -e POISONDAMAGE without firstly running cp_server.exe -e POISONDAMAGE and deleting the shared printer. If you do it tells you the driver doesn't exist, if you don't delete the shared printer it tells you the printer is already installed. is this a bug?
I tried replicating the attack but my DLL is loaded as the user running cp_client and not as SYSTEM. Any ideas?
My mistake.
Hi there, floyd from Pentagrid here (the "POISIONDAMAGE" guys)
I tried to use concealed position and it worked fine until I tried to install the printer with cp_client.exe. It seems deactivating the password protected sharing in the advanced sharing settings is breaking the exploit in this setup. The error message of cp_client.exe is:
Couldn't connect to the remote printer: 1272
Digging a little, I found that error 1272 is probably:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
And of course if I don't deactivate password protected sharing, I get:
Couldn't connect to the remote printer: 2
Which is access denied, because cp_client.exe didn't authenticate.
Some more debug info. This line fails:
concealed_position/src/cp_client/main.cpp
Line 54 in c41ef9b
OpenPrinter doc is here and is called with the first argument (pPrinterName) being an UNC path (\<name>):
https://docs.microsoft.com/en-us/windows/win32/printdocs/openprinter
So the question is which component is responsible for authentication on the UNC paths. Probably the machine sees that it is a non-authenticated share. So we need authentication. The question is if there is something that allows to accept any NTLM/Kerberos authentication the Windows machine is doing.
Any chance to fix this? Any other ideas?
Edit: I'm going to try to mount the server first (aka "net use Z: \Server\SharedFolder passwordGoesHere /USER:userAccountGoesHere /persistent:no"), then try the exploit again, I guess the UNC authentication part is transparent Windows magic to OpenPrinter and if the printer is alread "mounted" that might work
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.