Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

module windows/dcerpc/cve_2021_1675_printnightmare - Exploit failed: NoMethodError undefined method `call' for nil:NilClass #19123

Closed
myfirstCTFgithub opened this issue Apr 22, 2024 · 6 comments
Closed

module windows/dcerpc/cve_2021_1675_printnightmare - Exploit failed: NoMethodError undefined method `call' for nil:NilClass #19123

myfirstCTFgithub opened this issue Apr 22, 2024 · 6 comments
Assignees
@smcintyre-r7
Labels
bug Stale Marks an issue as stale, to be closed if no action is taken

Comments

@myfirstCTFgithub
Copy link

myfirstCTFgithub commented Apr 22, 2024
edited by adfoster-r7
Loading

Operating system: installed via kali apt repository on kali linux.

expected behavior:
exploit runs and interacts with target machine

current:
exploit crashes after running. I've also ran this against remote windows machines with the same result

version:

Framework: 6.4.5-dev
Console  : 6.4.5-dev

what I ran:

msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > exploit 

[*] Started reverse TCP handler on 10.0.2.16:4444 
[*] 127.0.0.1:445 - Running automatic check ("set AutoCheck false" to disable)
[-] 127.0.0.1:445 - Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Failed to connect to the remote service. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > set AutoCheck false
AutoCheck => false

msf6 exploit(windows/dcerpc/cve_2021_1675_printnightmare) > exploit

[*] Started reverse TCP handler on 10.0.2.16:4444 
[!] 127.0.0.1:445 - AutoCheck is disabled, proceeding with exploitation
[*] 127.0.0.1:445 - Server is running. Listening on 10.0.2.16:445
[*] 127.0.0.1:445 - Server started.
[*] 127.0.0.1:445 - Using DLL path: \??\UNC\10.0.2.16\oZxm\rsXGu.dll
[-] 127.0.0.1:445 - Exploit failed: NoMethodError undefined method `call' for nil:NilClass
[*] 127.0.0.1:445 - Server stopped.
[*] Exploit completed, but no session was created.

debug output:

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

Collapse 
[framework/ui/console]
ActiveModule=exploit/windows/dcerpc/cve_2021_1675_printnightmare

[windows/dcerpc/cve_2021_1675_printnightmare]
RHOSTS=127.0.0.1
AutoCheck=false
loglevel=3
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=WORKGROUP
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Auth=auto
SMB::Rhostname=
DomainControllerRhost=
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SRVHOST=10.0.2.16
SRVPORT=445
ListenerBindAddress=
ListenerBindPort=
ListenerComm=
SHARE=
FILE_NAME=
FOLDER_NAME=
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ReconnectTimeout=10
ForceExploit=false
LHOST=10.0.2.16
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=

Database Configuration

The database contains the following information:

Collapse 
Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

Collapse 
49     search nightmare
50     use 0
51     options
52     RHOSTS=127.0.0.1
53     set !!
54     set RHOST 127.0.0.1
55     exploit
56     set AutoCheck false
57     exploit
58     set loglevel 3
59     exploit
60     debug

Framework Errors

The following framework errors occurred before the issue occurred:

Collapse 
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:37:04] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:37:04.047152 #1708] DEBUG -- : Removing share: GxDH
[04/22/2024 13:01:33] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC

Web Service Errors

The following web service errors occurred before the issue occurred:

Collapse 
msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

Collapse 
[04/22/2024 11:59:22] [d(0)] core: Negotiated SMB version: SMB3
D, [2024-04-22T11:59:22.591564 #1914] DEBUG -- : Adding disk share: Mqmf
[04/22/2024 11:59:22] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T11:59:22.595452 #1914] DEBUG -- : Removing share: Mqmf
[04/22/2024 11:59:22] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 12:23:18] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 12:24:42] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare) - NoMethodError undefined method `remove_share' for nil:NilClass
D, [2024-04-22T12:26:05.937894 #22830] DEBUG -- : Adding disk share: MUxf
[04/22/2024 12:26:05] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:26:05.945973 #22830] DEBUG -- : Removing share: MUxf
[04/22/2024 12:26:05] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 12:34:37] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:52] [w(0)] core: The following modules could not be loaded!
[04/22/2024 12:34:52] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[04/22/2024 12:34:52] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[04/22/2024 12:34:52] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/exchange_enum
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/host_id
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/onprem_enum
D, [2024-04-22T12:37:04.039760 #1708] DEBUG -- : Adding disk share: GxDH
[04/22/2024 12:37:04] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:37:04.047152 #1708] DEBUG -- : Removing share: GxDH
[04/22/2024 12:37:04] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 13:01:33] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [w(0)] core: The following modules could not be loaded!
[04/22/2024 13:01:35] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[04/22/2024 13:01:35] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[04/22/2024 13:01:35] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
D, [2024-04-22T13:02:20.741106 #15061] DEBUG -- : Adding disk share: oZxm
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:02:20] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:10:30] [w(0)] core: IOError: stream closed in another thread
D, [2024-04-22T13:13:53.544344 #19252] DEBUG -- : Adding disk share: jkvesC
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
[04/22/2024 13:13:53] [w(0)] core: IOError: stream closed in another thread

Web Service Logs

The following web service logs were recorded before the issue occurred:

Collapse 
msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Collapse 
Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
@adfoster-r7
Copy link
Contributor

Could you run set verbose true and setg loglevel 3 and then rerun the debug command and attach the output? 🤞

@myfirstCTFgithub
Copy link
Author

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

Collapse 
[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/windows/dcerpc/cve_2021_1675_printnightmare

[windows/dcerpc/cve_2021_1675_printnightmare]
RHOSTS=127.0.0.1
VERBOSE=true
AutoCheck=false
WORKSPACE=
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=WORKGROUP
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Auth=auto
SMB::Rhostname=
DomainControllerRhost=
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SRVHOST=10.0.2.16
SRVPORT=445
ListenerBindAddress=
ListenerBindPort=
ListenerComm=
SHARE=
FILE_NAME=
FOLDER_NAME=
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ReconnectTimeout=10
ForceExploit=false

Database Configuration

The database contains the following information:

Collapse 
Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

Collapse 
70     use windows/dcerpc/cve_2021_1675_printnightmare
71     set RHOST 127.0.0.1
72     set verbose true
73     setg loglevel 3
74     exploit
75     set AutoCheck false
76     exploit
77     debug

Framework Errors

The following framework errors occurred before the issue occurred:

Collapse 
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
[04/22/2024 13:30:42] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:31:15] [e(0)] core: Exception encountered in cmd_set - Msf::OptionValidateError The following options failed to validate: Value 'host' is not valid for option 'LHOST'.
[04/22/2024 14:56:55] [e(0)] core: Exploit failed (multi/handler): Interrupt  - Interrupt 
[04/22/2024 16:14:16] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 16:15:31] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:280:in `rprn_call'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:240:in `add_printer_driver_ex'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:184:in `block in primer'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `times'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `primer'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:46:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:27:in `block in exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:36:in `with_prepended_auto_check'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:26:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
D, [2024-04-22T16:15:31.081133 #1921] DEBUG -- : Removing share: ThjBh

Web Service Errors

The following web service errors occurred before the issue occurred:

Collapse 
msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

Collapse 
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: reverse to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: bind to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: noconn to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: none to reverse
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/dcerpc/cve_2021_1675_printnightmare]: tunnel to reverse
[04/22/2024 16:15:30] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with windows/dcerpc/cve_2021_1675_printnightmare
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: reverse to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: bind to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: noconn to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: none to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/dcerpc/cve_2021_1675_printnightmare]: tunnel to tunnel
[04/22/2024 16:15:30] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with windows/dcerpc/cve_2021_1675_printnightmare
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: reverse to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: bind to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: noconn to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: none to tunnel
[04/22/2024 16:15:30] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/dcerpc/cve_2021_1675_printnightmare]: tunnel to tunnel
[04/22/2024 16:15:30] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with windows/dcerpc/cve_2021_1675_printnightmare
D, [2024-04-22T16:15:31.075022 #1921] DEBUG -- : Adding disk share: ThjBh
[04/22/2024 16:15:31] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:280:in `rprn_call'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:240:in `add_printer_driver_ex'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:184:in `block in primer'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `times'
/usr/share/metasploit-framework/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb:183:in `primer'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/socket_server.rb:46:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:27:in `block in exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:36:in `with_prepended_auto_check'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:26:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
D, [2024-04-22T16:15:31.081133 #1921] DEBUG -- : Removing share: ThjBh
[04/22/2024 16:15:31] [w(0)] core: IOError: stream closed in another thread

Web Service Logs

The following web service logs were recorded before the issue occurred:

Collapse 
msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Collapse 
Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify

@adfoster-r7
Copy link
Contributor

adfoster-r7 commented Apr 22, 2024
edited
Loading

Looks like the exploit method assumes that the check method has run successfully - which it looks like you've bypassed

As far as I can see from the error message, either the RHOST is wrong or the target's SMB isn't accessible?

@myfirstCTFgithub
Copy link
Author

I tried this both against my localhost and a remote windows computer, getting the same error. It is possible that's the case.
When running
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
against the target computer it shows
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
with spooler being active. This configuration should be exploitable although other things could be playing into this like the attacking machine not being on the domain that the target IP is on.

@smcintyre-r7 smcintyre-r7 moved this to In Progress in Metasploit Kanban Apr 26, 2024
@smcintyre-r7 smcintyre-r7 self-assigned this Apr 26, 2024
@zeroSteiner zeroSteiner mentioned this issue Apr 26, 2024
Closed
2 tasks
@github-actions GitHub Actions
Copy link

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label May 27, 2024
@github-actions GitHub Actions
Copy link

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Jun 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@smcintyre-r7 smcintyre-r7

Labels
bug Stale Marks an issue as stale, to be closed if no action is taken
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@smcintyre-r7 @adfoster-r7 @myfirstCTFgithub