outflanknl / printnightmare Goto Github PK

Hi!

I keep getting heap corruption errors in my lab machine while trying to launch the exploit through Beacon. I think this might be a matter of compiling and therefore I've tried to compile the binary in both VS2022 and VS2019, trying both /MD and /MT runtime libraries. I'm not too familiar with debugging C programs so this is the best I can do for now.

So, what's the specific setup needed to compile the binary?

The error from Windows log:

Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b
Faulting module name: ntdll.dll, version: 10.0.19041.1466, time stamp: 0xe2f8ca76
Exception code: 0xc0000374
Fault offset: 0x00000000000ff199
Faulting process ID: 0xecc
Faulting application start time: 0x01d83786454eec85
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report ID: 88cab659-788c-40e2-9047-4feaa5c7dd68
Faulting package full name: 
Faulting package-relative application ID: 

These are mostly hygiene issues than actual bugs. Resource allocations will be freed at process exit anyway. But the code takes care to release resources and so just noting them. Code may be copy/pasted into other frameworks where resource hygiene may matter more.

1. The call to CreateBindingHandle initializes bHandle. The CleanUp routine should call RpcBindingFree on this resource.

Allocated here:

2. Should check for failed allocation before writing:

	container_info.Level = 2;
!	container_info.DriverInfo.Level2 = (DRIVER_INFO_2*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(DRIVER_INFO_2));   /// check for failed allocation
	container_info.DriverInfo.Level2->cVersion = 3;

This is both in the reflective and non-reflective cases:

3. Should free memory from call to Utf8ToUtf16 in CleanUp

4. Code inconsistently switches from MAX_BUF to MAX_PATH

LPWSTR GetDriverPath(IN LPWSTR lpwTarget) {
...
	WCHAR wcKeyName[MAX_BUF] = { 0 };
	DWORD dwNamelen = MAX_BUF;
...
		if (lResult == 0) {
			for (DWORD i = 0; ; i++) {
				RtlZeroMemory(wcKeyName, sizeof(wcKeyName));
				lResult = RegEnumKeyEx(hSubKeyHandle, i, wcKeyName, &dwNamelen, NULL, NULL, NULL, NULL);
				if (StrStrIW(wcKeyName, L"ntprint.inf_amd64")) {
					wcscpy_s(lpwDriverPath, MAX_BUF, L"C:\\Windows\\System32\\DriverStore\\FileRepository\\");
					wcscat_s(lpwDriverPath, MAX_BUF, wcKeyName);
					wcscat_s(lpwDriverPath, MAX_BUF, L"\\Amd64\\UNIDRV.DLL");
					wprintf(L"[>] pDriverPath:  -> %s\n\n", lpwDriverPath);
					break;
				}

				if (lResult == ERROR_NO_MORE_ITEMS) {
					break;
				}

!				dwNamelen = MAX_PATH;  //changed from MAX_BUF to MAX_PATH?
			}
		}
	}