Critical System Protection


Microsoft Print Spooler Service Impersonation Vulnerability Exploitation and Prevention Part 1 

Jan 14, 2012 12:27 PM

Microsoft Print Spooler Service Impersonation Vulnerability

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.
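The description above spells out the only two facts a defender needs: the spooler writes the attacker-chosen file relative to %SystemRoot%\system32 (so traversal or a full path can land it anywhere), and anything dropped into Wbem\Mof is compiled automatically. The following is an added detection example, not code from the original post or from Symantec; it assumes file-create telemetry arrives as records shaped like Sysmon FileCreate (Event ID 11) events with "image" and "target" fields, that %SystemRoot% is C:\WINDOWS, and it uses constructed sample events rather than real logs. It resolves each target path the way the spooler would before matching, so a traversal-style name is caught as well as a full path.

```python
"""Flag file-create events that match the MS10-061 .mof drop technique.

Added example (not part of the original post or any Symantec product).
Assumptions: events are dicts shaped like Sysmon Event ID 11 (FileCreate)
records with keys "event_id", "image" and "target"; the victim's
%SystemRoot% is C:\\WINDOWS. The sample events below are constructed.
"""
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"                          # assumed %SystemRoot%
SPOOLER_CWD = ntpath.join(SYSTEM_ROOT, "system32")   # working dir named in the module text
MOF_DROP_DIR = ntpath.join(SPOOLER_CWD, "wbem", "mof")  # auto-compiled by WMI
SPOOLER_IMAGE = ntpath.join(SPOOLER_CWD, "spoolsv.exe")
FILE_CREATE_EVENT_ID = 11                            # Sysmon FileCreate

# Constructed sample telemetry (not real logs). C:\Tools\deploy.exe is a
# hypothetical non-spooler writer used only to show the lower-severity branch.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": r"C:\WINDOWS\system32\spoolsv.exe",
     "target": r"C:\WINDOWS\system32\wbem\mof\payload.mof"},      # full path
    {"event_id": 11, "image": r"C:\WINDOWS\system32\spoolsv.exe",
     "target": r"..\system32\wbem\mof\evil.mof"},                  # traversal from cwd
    {"event_id": 11, "image": r"C:\WINDOWS\system32\spoolsv.exe",
     "target": r"C:\WINDOWS\system32\spool\PRINTERS\00005.SPL"},  # normal spooler write
    {"event_id": 11, "image": r"C:\Tools\deploy.exe",
     "target": r"C:\WINDOWS\system32\wbem\mof\pkg.mof"},          # non-spooler writer
    {"event_id": 1, "image": r"C:\WINDOWS\system32\spoolsv.exe",
     "target": r"C:\WINDOWS\system32\wbem\mof\ignored.mof"},      # not a FileCreate event
]


def resolve_target(path, cwd=SPOOLER_CWD):
    """Resolve a relative or traversal-laden path the way the spooler would.

    The module text says the attacker may supply a full path or one containing
    directory traversal, evaluated from %SystemRoot%\\system32, so a substring
    match on the raw string would miss the relative form.
    """
    if not ntpath.isabs(path):
        path = ntpath.join(cwd, path)
    return ntpath.normpath(path).lower()


def _is_under(path, directory):
    """True if the normalised, lower-cased path is the directory or inside it."""
    directory = ntpath.normpath(directory).lower()
    return path == directory or path.startswith(directory + "\\")


def classify_event(event):
    """Return "high", "medium" or None for one file-create record."""
    if event.get("event_id") != FILE_CREATE_EVENT_ID:
        return None
    target = resolve_target(event["target"])
    if not _is_under(target, MOF_DROP_DIR):
        return None
    image = ntpath.normpath(event.get("image", "")).lower()
    if image == SPOOLER_IMAGE.lower():
        return "high"     # the print spooler itself writing into Wbem\Mof
    return "medium"       # any other writer: the directory compiles whatever lands there


def scan(events):
    """Return (severity, image, resolved_target) for every event worth reviewing."""
    findings = []
    for ev in events:
        severity = classify_event(ev)
        if severity is not None:
            findings.append((severity, ev["image"], resolve_target(ev["target"])))
    return findings


if __name__ == "__main__":
    for severity, image, target in scan(SAMPLE_EVENTS):
        print(f"{severity:6s} {image} -> {target}")
```

The spooler has no business creating files under Wbem\Mof, so that pairing is treated as high severity on its own; writes from any other process are still surfaced, because the directory compiles whatever is dropped there regardless of who wrote it. The same prefix check, with the drop directory and spooler image adjusted for the host's %SystemRoot%, can be fed from any file-integrity or audit source that reports the writing process.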

Exploitation of Microsoft Print Spooler Service Impersonation Vulnerability

1) I am using an unpatched Windows XP Professional SP2 machine; its IP address is 192.168.42.63 (victim machine) and printer sharing is enabled.

2) I am using Metasploit Framework Community Edition for exploitation (attacker machine).

3) I am using the Microsoft Print Spooler Service exploit present in Metasploit, i.e. exploit/windows/smb/ms10_061_spoolss.

4) I have to enter PNAME (printer name) and RHOST, i.e. remote host (victim machine IP address).

5) I am using the windows/meterpreter/reverse_tcp payload.

6) Now I have to enter LHOST, i.e. local host (attacker machine IP address).

7) Now type exploit and hit Enter.

8) The exploit sends one request to the victim machine for printing.

9) Our exploit executed successfully and the attacker gets a meterpreter session on the victim machine.

10) The attacker is successfully connected to the victim machine.
 
In the next part I will show you how to prevent the Microsoft Print Spooler Service Impersonation Vulnerability with Symantec Critical System Protection.
