module windows/dcerpc/cve_2021_1675_printnightmare - Exploit failed: NoMethodError undefined method `call' for nil:NilClass #19123

Open
myfirstCTFgithub opened this issue Apr 22, 2024 · 4 comments

@myfirstCTFgithub

myfirstCTFgithub commented Apr 22, 2024

Operating system: installed via Kali apt repository on Kali Linux.

expected behavior:
exploit runs and interacts with target machine

current:
exploit crashes after running. I've also run this against remote Windows machines with the same result

version:

Framework: 6.4.5-dev
Console  : 6.4.5-dev

what I ran:

msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > exploit 

[*] Started reverse TCP handler on 10.0.2.16:4444 
[*] 127.0.0.1:445 - Running automatic check ("set AutoCheck false" to disable)
[-] 127.0.0.1:445 - Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Failed to connect to the remote service. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > set AutoCheck false
AutoCheck => false

msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > exploit

[*] Started reverse TCP handler on 10.0.2.16:4444 
[!] 127.0.0.1:445 - AutoCheck is disabled, proceeding with exploitation
[*] 127.0.0.1:445 - Server is running. Listening on 10.0.2.16:445
[*] 127.0.0.1:445 - Server started.
[*] 127.0.0.1:445 - Using DLL path: \??\UNC\10.0.2.16\oZxm\rsXGu.dll
[-] 127.0.0.1:445 - Exploit failed: NoMethodError undefined method `call' for nil:NilClass
[*] 127.0.0.1:445 - Server stopped.
[*] Exploit completed, but no session was created.

debug output:

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/ui/console]
ActiveModule=exploit/windows/dcerpc/cve_2021_1675_printnightmare

[windows/dcerpc/cve_2021_1675_printnightmare]
RHOSTS=127.0.0.1
AutoCheck=false
loglevel=3
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=WORKGROUP
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Auth=auto
SMB::Rhostname=
DomainControllerRhost=
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SRVHOST=10.0.2.16
SRVPORT=445
ListenerBindAddress=
ListenerBindPort=
ListenerComm=
SHARE=
FILE_NAME=
FOLDER_NAME=
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ReconnectTimeout=10
ForceExploit=false
LHOST=10.0.2.16
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

49     search nightmare
50     use 0
51     options
52     RHOSTS=127.0.0.1
53     set !!
54     set RHOST 127.0.0.1
55     exploit
56     set AutoCheck false
57     exploit
58     set loglevel 3
59     exploit
60     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:37:04] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:37:04.047152 #1708] DEBUG -- : Removing share: GxDH
[04/22/2024 13:01:33] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[04/22/2024 11:59:22] [d(0)] core: Negotiated SMB version: SMB3
D, [2024-04-22T11:59:22.591564 #1914] DEBUG -- : Adding disk share: Mqmf
[04/22/2024 11:59:22] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T11:59:22.595452 #1914] DEBUG -- : Removing share: Mqmf
[04/22/2024 11:59:22] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 12:23:18] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 12:24:42] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare) - NoMethodError undefined method `remove_share' for nil:NilClass
D, [2024-04-22T12:26:05.937894 #22830] DEBUG -- : Adding disk share: MUxf
[04/22/2024 12:26:05] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:26:05.945973 #22830] DEBUG -- : Removing share: MUxf
[04/22/2024 12:26:05] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 12:34:37] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:52] [w(0)] core: The following modules could not be loaded!
[04/22/2024 12:34:52] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[04/22/2024 12:34:52] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[04/22/2024 12:34:52] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/exchange_enum
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/host_id
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/onprem_enum
D, [2024-04-22T12:37:04.039760 #1708] DEBUG -- : Adding disk share: GxDH
[04/22/2024 12:37:04] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:37:04.047152 #1708] DEBUG -- : Removing share: GxDH
[04/22/2024 12:37:04] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 13:01:33] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [w(0)] core: The following modules could not be loaded!
[04/22/2024 13:01:35] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[04/22/2024 13:01:35] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[04/22/2024 13:01:35] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
D, [2024-04-22T13:02:20.741106 #15061] DEBUG -- : Adding disk share: oZxm
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:02:20] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:10:30] [w(0)] core: IOError: stream closed in another thread
D, [2024-04-22T13:13:53.544344 #19252] DEBUG -- : Adding disk share: jkvesC
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
[04/22/2024 13:13:53] [w(0)] core: IOError: stream closed in another thread

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
@adfoster-r7
Contributor

Could you run set verbose true and setg loglevel 3 and then rerun the debug command and attach the output? 🤞

@myfirstCTFgithub
Author

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/windows/dcerpc/cve_2021_1675_printnightmare

[windows/dcerpc/cve_2021_1675_printnightmare]
RHOSTS=127.0.0.1
VERBOSE=true
AutoCheck=false
WORKSPACE=
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=WORKGROUP
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Auth=auto
SMB::Rhostname=
DomainControllerRhost=
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SRVHOST=10.0.2.16
SRVPORT=445
ListenerBindAddress=
ListenerBindPort=
ListenerComm=
SHARE=
FILE_NAME=
FOLDER_NAME=
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ReconnectTimeout=10
ForceExploit=false

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

70     use windows/dcerpc/cve_2021_1675_printnightmare
71     set RHOST 127.0.0.1
72     set verbose true
73     setg loglevel 3
74     exploit
75     set AutoCheck false
76     exploit
77     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
[04/22/2024 13:30:42] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:31:15] [e(0)] core: Exception encountered in cmd_set - Msf::OptionValidateError The following options failed to validate: Value 'host' is not valid for option 'LHOST'.
[04/22/2024 14:56:55] [e(0)] core: Exploit failed (multi/handler): Interrupt  - Interrupt 
[04/22/2024 16:14:16] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 16:15:31] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:280:in `rprn_call'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:240:in `add_printer_driver_ex'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:184:in `block in primer'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `times'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `primer'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:46:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:27:in `block in exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:36:in `with_prepended_auto_check'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:26:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
D, [2024-04-22T16:15:31.081133 #1921] DEBUG -- : Removing share: ThjBh

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: reverse to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: bind to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: noconn to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: none to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: tunnel to reverse
[04/22/2024 16:15:30] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with windows/dcerpc/cve_2021_1675_printnightmare
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: reverse to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: bind to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: noconn to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: none to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: tunnel to tunnel
[04/22/2024 16:15:30] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with windows/dcerpc/cve_2021_1675_printnightmare
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: reverse to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: bind to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: noconn to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: none to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: tunnel to tunnel
[04/22/2024 16:15:30] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with windows/dcerpc/cve_2021_1675_printnightmare
D, [2024-04-22T16:15:31.075022 #1921] DEBUG -- : Adding disk share: ThjBh
[04/22/2024 16:15:31] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:280:in `rprn_call'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:240:in `add_printer_driver_ex'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:184:in `block in primer'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `times'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `primer'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:46:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:27:in `block in exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:36:in `with_prepended_auto_check'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:26:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
D, [2024-04-22T16:15:31.081133 #1921] DEBUG -- : Removing share: ThjBh
[04/22/2024 16:15:31] [w(0)] core: IOError: stream closed in another thread

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify

@adfoster-r7
Contributor

adfoster-r7 commented Apr 22, 2024

Looks like the exploit method assumes that the check method has run successfully - which it looks like you've bypassed

As far as I can see from the error message, either the RHOST is wrong or the target's SMB isn't accessible?

@myfirstCTFgithub
Author

I tried this both against my localhost and a remote Windows computer, getting the same error. It is possible that's the case.
When running
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
against the target computer it shows
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
with spooler being active. This configuration should be exploitable although other things could be playing into this like the attacking machine not being on the domain that the target IP is on.
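
A defender-side check for the Point and Print values quoted in the comment above, as an added example that is not part of the original thread or of Metasploit: it parses REG QUERY output and flags values that differ from Microsoft's PrintNightmare guidance. UpdatePromptSettings does not appear in the thread and is taken from that guidance; the key header line and the second and third samples are constructed.

```python
import re

# One value line as printed by `reg query`: name, type, data.
VALUE_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>\S+)\s*$"
)

# Policy values under
# HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
# mapped to (safe data, risk when the data differs). An absent value falls
# back to the OS default. For RestrictDriverInstallationToAdministrators the
# default is only protective on hosts with the August 2021 or later updates.
CHECKS = {
    "RestrictDriverInstallationToAdministrators":
        (1, "non-administrators can install printer drivers"),
    "NoWarningNoElevationOnInstall":
        (0, "new driver installs skip the warning and elevation prompt"),
    "UpdatePromptSettings":
        (0, "driver updates skip the warning or elevation prompt"),
}

# Values as quoted in the thread; the key header line is constructed.
PAGE_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
"""

# Constructed sample: policy set to the recommended values.
HARDENED_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
    NoWarningNoElevationOnInstall    REG_DWORD    0x0
"""

# Constructed sample: what reg.exe prints when the policy key does not exist.
MISSING_KEY_SAMPLE = (
    "ERROR: The system was unable to find the specified registry key or value.\n"
)


def parse_reg_query(output):
    """Return {value_name: int} for REG_DWORD lines, or None if the key is absent."""
    if re.search(r"^ERROR:", output, re.MULTILINE):
        return None
    values = {}
    for line in output.splitlines():
        match = VALUE_LINE.match(line)
        if match and match.group("type") == "REG_DWORD":
            # reg.exe prints DWORD data as hex, e.g. 0x1
            values[match.group("name")] = int(match.group("data"), 16)
    return values


def audit_point_and_print(output):
    """Return one finding per policy value that weakens Point and Print."""
    values = parse_reg_query(output)
    if values is None:
        return []  # no policy key: nothing overrides the defaults
    findings = []
    for name, (safe, risk) in CHECKS.items():
        if name in values and values[name] != safe:
            findings.append(f"{name}=0x{values[name]:x}: {risk}")
    return findings


if __name__ == "__main__":
    samples = [
        ("thread", PAGE_SAMPLE),
        ("hardened", HARDENED_SAMPLE),
        ("missing key", MISSING_KEY_SAMPLE),
    ]
    for label, sample in samples:
        findings = audit_point_and_print(sample)
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```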
