
DLL Uploaded but Not Executed (Windows 10) #11

Open
reznok opened this issue Jun 30, 2021 · 8 comments

Comments

@reznok

reznok commented Jun 30, 2021

Running remotely against a Windows 10 host.

Running the exploit successfully drops the malicious DLL in C:\Windows\System32\spool\drivers\x64\3. However, the "backup" process in the exploit write-up does not appear to be happening. C:\Windows\System32\spool\drivers\x64\3\old never appears to exist, resulting in RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified. errors when trying to execute the DLL.

I have tried changing the pConfigFile to point at the .dll that I know exists:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename)

But this results in what I believe is expected from the original writeup:
RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.

@sdhornet

sdhornet commented Jun 30, 2021

This is the exact issue I am having as well. I am able to get it to trigger if I drop the dll on disk at C:\test.dll and point container_info['DriverInfo']['Level2']['pConfigFile'] directly at it. It then does the backup process and creates the old and new folders. Whereas attempting to run the PoC fully remote, the folders are not created or only for a split second.

@0xDrizzo

Same issue here against a Windows Server 2019 (DC) host. Tried everything I could think of. It seems that the print spooler service also crashes after I make the attempt.

@armanduz

armanduz commented Jul 1, 2021

Same problem on Windows Server 2012 R2 updated with the 2021/02 patch bundle.

@tehdisko

tehdisko commented Jul 2, 2021

Yep, same issue on a 2019 Server DC.

@pr0t0nus3rxyz

Anyone figured this out?

@sdhornet

sdhornet commented Jul 2, 2021

I retested just now, Server 2019 fully patched, promoted to a DC, and it worked fine. My previous test was on a Server 2019 but not as a DC. Make sure you have "Authenticated Users" as a member of the "Pre-Windows 2000 Compatible Access" Builtin group. This appears to be what allows a normal domain user to have access to the spooler.
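The comment above points at a directory-hardening question rather than an exploit detail: whether broad principals sit in "Pre-Windows 2000 Compatible Access". The following PowerShell audit is an added example, not part of the PoC or this thread; it assumes the RSAT ActiveDirectory module and read access to the domain, and only reports membership so an administrator can decide whether a legacy dependency still justifies it.

```powershell
# Added audit check (not from the PoC or the thread).
# Assumes the ActiveDirectory RSAT module on a domain-joined host with read access.
Import-Module ActiveDirectory

# Well-known SIDs whose presence in this Builtin group grants every logon
# (or every authenticated logon) the legacy pre-Windows 2000 read rights.
$broadPrincipals = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
}

# Read the raw member DNs instead of Get-ADGroupMember, which can fail on
# foreign security principals such as the well-known SIDs we are looking for.
$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member

$findings = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid, sAMAccountName
    $sid = $obj.objectSid.Value
    if ($broadPrincipals.ContainsKey($sid)) {
        [pscustomobject]@{
            Member = $obj.Name
            SID    = $sid
            Finding = "Broad principal '$($broadPrincipals[$sid])' is a member"
        }
    }
}

if ($findings) {
    # Review each hit; removal (Remove-ADGroupMember) should only follow a check
    # that no legacy application still relies on this access.
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad well-known principals found in 'Pre-Windows 2000 Compatible Access'."
}
```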

@citronneur

citronneur commented Jul 4, 2021

See #25

@5n1p3r0010

Hey guys,
I came across the same issue on Windows Server 2019, both fully patched and from a pristine original ISO.
I figured out that the root cause is that the user's privileges are wrong: the domain user on the left in the following picture will work fine, the one on the right will not.
[image]
