[Module] Add more exception catch

Signed-off-by: XiaoliChan <[email protected]>
Pennyw0rth · Dec 31, 2024 · 3b443d7 · 3b443d7
1 parent 1d55ccf
commit 3b443d7
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/nxc/modules/printnightmare.py b/nxc/modules/printnightmare.py
@@ -1,6 +1,6 @@
 import sys
 from impacket import system_errors
-from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_GSS_NEGOTIATE
+from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_GSS_NEGOTIATE, rpc_status_codes
 from impacket.structure import Structure
 from impacket.dcerpc.v5 import transport, rprn
 from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRSTRUCT, NDRUNION, NULL
@@ -39,7 +39,8 @@ def options(self, context, module_options):
 
     def on_login(self, context, connection):
         # Connect and bind to MS-RPRN (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515)
-        stringbinding = r"ncacn_np:%s[\PIPE\spoolss]" % connection.host
+        target = connection.host if not connection.kerberos else connection.hostname + "." + connection.domain
+        stringbinding = r"ncacn_np:%s[\PIPE\spoolss]" % target
 
         context.log.info(f"Binding to {stringbinding!r}")
 
@@ -55,7 +56,7 @@ def on_login(self, context, connection):
         )
 
         rpctransport.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
-        rpctransport.setRemoteHost(connection.host)
+        rpctransport.setRemoteHost(target)
         rpctransport.set_dport(self.port)
 
         try:
@@ -101,7 +102,12 @@ def on_login(self, context, connection):
             if e.error_code == system_errors.ERROR_INVALID_PARAMETER:
                 context.log.highlight("Vulnerable, next step https://github.com/ly4k/PrintNightmare")
                 return True
-            raise e
+            context.log.fail(f"Unexpected error: {e}")
+        except DCERPCException as e:
+            if rpc_status_codes[e.error_code] == "rpc_s_access_denied":
+                context.log.info("Not vulnerable :'(")
+                return False
+            context.log.fail(f"Unexpected error: {e}")
         context.log.highlight("Vulnerable, next step https://github.com/ly4k/PrintNightmare")
         return True