From 3b443d7c83dd22fad872a635b7fb8c0407c26a93 Mon Sep 17 00:00:00 2001
From: XiaoliChan <30458572+XiaoliChan@users.noreply.github.com>
Date: Tue, 31 Dec 2024 13:20:46 +0800
Subject: [PATCH] [Module] Add more exception catch
Signed-off-by: XiaoliChan <30458572+XiaoliChan@users.noreply.github.com>
---
 nxc/modules/printnightmare.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/nxc/modules/printnightmare.py b/nxc/modules/printnightmare.py
index 5c7905c42..9bca9941a 100644
--- a/nxc/modules/printnightmare.py
+++ b/nxc/modules/printnightmare.py
@@ -1,6 +1,6 @@
 import sys
 from impacket import system_errors
-from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_GSS_NEGOTIATE
+from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_GSS_NEGOTIATE, rpc_status_codes
 from impacket.structure import Structure
 from impacket.dcerpc.v5 import transport, rprn
 from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRSTRUCT, NDRUNION, NULL
@@ -39,7 +39,8 @@ def options(self, context, module_options):
 def on_login(self, context, connection):
 # Connect and bind to MS-RPRN (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515)
- stringbinding = r"ncacn_np:%s[\PIPE\spoolss]" % connection.host
+ target = connection.host if not connection.kerberos else connection.hostname + "." + connection.domain
+ stringbinding = r"ncacn_np:%s[\PIPE\spoolss]" % target
 context.log.info(f"Binding to {stringbinding!r}")
@@ -55,7 +56,7 @@ def on_login(self, context, connection):
 )
 rpctransport.set_kerberos(connection.kerberos, kdcHost=connection.kdcHost)
- rpctransport.setRemoteHost(connection.host)
+ rpctransport.setRemoteHost(target)
 rpctransport.set_dport(self.port)
 try:
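Review bot: The Kerberos branch of `target` in the second hunk joins `connection.hostname` and `connection.domain` with no check on either value, so an empty domain, or a host whose DNS suffix differs from the account's domain, would produce a name that may not resolve or match the service principal (inferred; neither attribute's contents are visible here). The same value replaces `connection.host` in `setRemoteHost(target)` in the third hunk, so a bad name breaks both the binding string and the connection. A guarded form such as `target = f"{connection.hostname}.{connection.domain}" if connection.kerberos and connection.domain else connection.host` keeps the old behaviour when no domain is known. The change is also unrelated to the commit subject, so a one-line comment like `# Kerberos needs the host's FQDN rather than its address` would explain it; the body of on_login continues outside both hunks.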
@@ -101,7 +102,12 @@ def on_login(self, context, connection):
 if e.error_code == system_errors.ERROR_INVALID_PARAMETER:
 context.log.highlight("Vulnerable, next step https://github.com/ly4k/PrintNightmare")
 return True
- raise e
+ context.log.fail(f"Unexpected error: {e}")
+ except DCERPCException as e:
+ if rpc_status_codes[e.error_code] == "rpc_s_access_denied":
+ context.log.info("Not vulnerable :'(")
+ return False
+ context.log.fail(f"Unexpected error: {e}")
 context.log.highlight("Vulnerable, next step https://github.com/ly4k/PrintNightmare")
 return True
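Review bot: Neither new `context.log.fail(f"Unexpected error: {e}")` call is followed by a return, so control appears to fall through to the trailing `context.log.highlight("Vulnerable, ...")` and `return True`, reporting a host as vulnerable after an error the module could not interpret. The removed `raise e` prevented that; indentation is flattened in this view, so confirm against the file, but adding `return False` after each `fail` call would keep the result honest. Separately, `rpc_status_codes[e.error_code]` raises `KeyError` inside the handler when the code is missing from the table or is `None`; `if rpc_status_codes.get(e.error_code) == "rpc_s_access_denied":` avoids that. The `try` these handlers belong to starts outside the hunk.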