11import sys
22from impacket import system_errors
3- from impacket .dcerpc .v5 .rpcrt import DCERPCException , RPC_C_AUTHN_GSS_NEGOTIATE
3+ from impacket .dcerpc .v5 .rpcrt import DCERPCException , RPC_C_AUTHN_GSS_NEGOTIATE , rpc_status_codes
44from impacket .structure import Structure
55from impacket .dcerpc .v5 import transport , rprn
66from impacket .dcerpc .v5 .ndr import NDRCALL , NDRPOINTER , NDRSTRUCT , NDRUNION , NULL
@@ -39,7 +39,8 @@ def options(self, context, module_options):
3939
4040 def on_login (self , context , connection ):
4141 # Connect and bind to MS-RPRN (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515)
42- stringbinding = r"ncacn_np:%s[\PIPE\spoolss]" % connection .host
42+ target = connection .host if not connection .kerberos else connection .hostname + "." + connection .domain
43+ stringbinding = r"ncacn_np:%s[\PIPE\spoolss]" % target
4344
4445 context .log .info (f"Binding to { stringbinding !r} " )
4546
@@ -55,7 +56,7 @@ def on_login(self, context, connection):
5556 )
5657
5758 rpctransport .set_kerberos (connection .kerberos , kdcHost = connection .kdcHost )
58- rpctransport .setRemoteHost (connection . host )
59+ rpctransport .setRemoteHost (target )
5960 rpctransport .set_dport (self .port )
6061
6162 try :
@@ -101,7 +102,12 @@ def on_login(self, context, connection):
101102 if e .error_code == system_errors .ERROR_INVALID_PARAMETER :
102103 context .log .highlight ("Vulnerable, next step https://github.com/ly4k/PrintNightmare" )
103104 return True
104- raise e
105+ context .log .fail (f"Unexpected error: { e } " )
106+ except DCERPCException as e :
107+ if rpc_status_codes [e .error_code ] == "rpc_s_access_denied" :
108+ context .log .info ("Not vulnerable :'(" )
109+ return False
110+ context .log .fail (f"Unexpected error: { e } " )
105111 context .log .highlight ("Vulnerable, next step https://github.com/ly4k/PrintNightmare" )
106112 return True
107113
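Review bot: After either `context.log.fail(f"Unexpected error: {e}")` call in the last hunk, execution appears to fall through to the closing `context.log.highlight("Vulnerable, ...")` and `return True`, so an unexpected RPC failure would be reported as a vulnerable host; the removed `raise e` used to stop that. Indentation is lost on this page, so this assumes the final highlight sits after the try/except; if it does, add `return False` after each `fail` call. The lookup `rpc_status_codes[e.error_code]` also raises KeyError when the status code is not in the table, so `if rpc_status_codes.get(e.error_code) == "rpc_s_access_denied":` is the safer form. The body of on_login begins before this hunk, so the enclosing try is not fully visible here.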