rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

module windows/dcerpc/cve_2021_1675_printnightmare - Exploit failed: NoMethodError undefined method `call' for nil:NilClass #19123

Open myfirstCTFgithub opened 3 weeks ago

myfirstCTFgithub commented 3 weeks ago

Operating system: installed via the Kali apt repository on Kali Linux.

expected behavior: exploit runs and interacts with target machine

current: exploit crashes after running. I've also run this against remote Windows machines with the same result

version:

Framework: 6.4.5-dev
Console  : 6.4.5-dev

what I ran:

```
msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > exploit

[*] Started reverse TCP handler on 10.0.2.16:4444
[*] 127.0.0.1:445 - Running automatic check ("set AutoCheck false" to disable)
[-] 127.0.0.1:445 - Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Failed to connect to the remote service. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > set AutoCheck false
AutoCheck => false

msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > exploit

[*] Started reverse TCP handler on 10.0.2.16:4444
[!] 127.0.0.1:445 - AutoCheck is disabled, proceeding with exploitation
[*] 127.0.0.1:445 - Server is running. Listening on 10.0.2.16:445
[*] 127.0.0.1:445 - Server started.
[*] 127.0.0.1:445 - Using DLL path: \??\UNC\10.0.2.16\oZxm\rsXGu.dll
[-] 127.0.0.1:445 - Exploit failed: NoMethodError undefined method `call' for nil:NilClass
[*] 127.0.0.1:445 - Server stopped.
[*] Exploit completed, but no session was created.
```

debug output:

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:


Database Configuration

The database contains the following information:

```
Session Type: postgresql selected, no connection
```

History

The following commands were ran during the session and before this issue occurred:

```
49 search nightmare
50 use 0
51 options
52 RHOSTS=127.0.0.1
53 set !!
54 set RHOST 127.0.0.1
55 exploit
56 set AutoCheck false
57 exploit
58 set loglevel 3
59 exploit
60 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:


Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:


Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

adfoster-r7 commented 3 weeks ago

Could you run `set verbose true` and `setg loglevel 3` and then rerun the `debug` command and attach the output? 🤞

myfirstCTFgithub commented 3 weeks ago

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:


Database Configuration

The database contains the following information:

```
Session Type: postgresql selected, no connection
```

History

The following commands were ran during the session and before this issue occurred:

```
70 use windows/dcerpc/cve_2021_1675_printnightmare
71 set RHOST 127.0.0.1
72 set verbose true
73 setg loglevel 3
74 exploit
75 set AutoCheck false
76 exploit
77 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
[04/22/2024 13:30:42] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:31:15] [e(0)] core: Exception encountered in cmd_set - Msf::OptionValidateError The following options failed to validate: Value 'host' is not valid for option 'LHOST'.
[04/22/2024 14:56:55] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[04/22/2024 16:14:16] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 16:15:31] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:280:in `rprn_call'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:240:in `add_printer_driver_ex'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:184:in `block in primer'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `times'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `primer'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:46:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:27:in `block in exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:36:in `with_prepended_auto_check'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:26:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
D, [2024-04-22T16:15:31.081133 #1921] DEBUG -- : Removing share: ThjBh
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:


Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

adfoster-r7 commented 3 weeks ago

Looks like the exploit method assumes that the check method has run successfully - which it looks like you've bypassed

As far as I can see from the error message, either the RHOST is wrong or the target's SMB isn't accessible?

myfirstCTFgithub commented 3 weeks ago

I tried this both against my localhost and a remote Windows computer, getting the same error. It is possible that's the case. When running `REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"` against the target computer it shows `RestrictDriverInstallationToAdministrators REG_DWORD 0x0` and `NoWarningNoElevationOnInstall REG_DWORD 0x1`, with spooler being active. This configuration should be exploitable, although other things could be playing into this, like the attacking machine not being on the domain that the target IP is on.
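
The two Point and Print policy values quoted in the comment above can be audited from collected `reg query` output. The Ruby below is an added example, not part of the issue thread or of Metasploit; the sample outputs are constructed, and the function names and verdict labels are assumptions made for illustration.

```ruby
# frozen_string_literal: true

# Added example: audit the Point and Print policy values named in the thread.
# Function names, verdict labels and sample outputs are constructed here.

# One value line of `reg query` output: indented name, REG_DWORD type, hex data.
VALUE_LINE = /\A\s+(?<name>\S+)\s+REG_DWORD\s+(?<data>0x[0-9a-fA-F]+)\s*\z/

# Returns { value name => Integer } for every REG_DWORD line in the output.
# The key header line and error lines are not indented, so they never match.
def parse_reg_query(text)
  text.each_line.with_object({}) do |line, values|
    m = VALUE_LINE.match(line.chomp)
    values[m[:name]] = Integer(m[:data], 16) if m
  end
end

# Classifies the policy using only the two values quoted in the thread.
def assess_point_and_print(values)
  restrict = values['RestrictDriverInstallationToAdministrators']
  no_warn  = values['NoWarningNoElevationOnInstall']
  findings = []

  if restrict.nil?
    findings << 'RestrictDriverInstallationToAdministrators not set: ' \
                'effective behaviour depends on the patch level'
  elsif restrict.zero?
    findings << 'RestrictDriverInstallationToAdministrators=0: ' \
                'non-administrators may install printer drivers'
  end
  if no_warn == 1
    findings << 'NoWarningNoElevationOnInstall=1: ' \
                'driver installs skip the warning and elevation prompt'
  end

  verdict =
    if restrict == 1 then :restricted
    elsif restrict == 0 && no_warn == 1 then :exposed
    else :review
    end
  { verdict: verdict, findings: findings }
end

# Constructed sample: the values reported in the thread, in reg.exe layout.
SAMPLE_EXPOSED = <<~'OUT'

  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
      NoWarningNoElevationOnInstall    REG_DWORD    0x1

OUT

# Constructed sample: driver installation restricted to administrators.
SAMPLE_RESTRICTED = <<~'OUT'

  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
      NoWarningNoElevationOnInstall    REG_DWORD    0x0

OUT

# Constructed sample: the policy key does not exist on the host.
SAMPLE_MISSING = <<~'OUT'
  ERROR: The system was unable to find the specified registry key or value.
OUT

if $PROGRAM_NAME == __FILE__
  { 'exposed' => SAMPLE_EXPOSED,
    'restricted' => SAMPLE_RESTRICTED,
    'missing' => SAMPLE_MISSING }.each do |label, text|
    result = assess_point_and_print(parse_reg_query(text))
    puts "#{label}: #{result[:verdict]}"
    result[:findings].each { |finding| puts "  - #{finding}" }
  end
end
```

A host that returns no policy key falls into `:review` rather than `:restricted`, because the absence of the values alone does not show how the spooler will behave.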