The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote malicious users to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka "Print Spooler Service Impersonation Vulnerability."
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
nmap -p 445 <target> --script=smb-vuln-ms10-061
PORT STATE SERVICE REASON 445/tcp open microsoft-ds syn-ack
This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.
msf > use exploit/windows/smb/ms10_061_spoolss msf exploit(ms10_061_spoolss) > show targets ...targets... msf exploit(ms10_061_spoolss) > set TARGET <target-id> msf exploit(ms10_061_spoolss) > show options ...show and set options... msf exploit(ms10_061_spoolss) > exploit
This section of the report forms part of Kaspersky Security Bulletin 2010 and is based on data obtained and processed using the Kaspersky Security Network (KSN). KSN integrates cloud-based technologies into personal and corporate products and is one of Kaspersky Lab’s most important innovations.
KSN assists Kaspersky Lab’s experts to swiftly detect new malware in real-time, when no corresponding signature or heuristic detection exists for these threats. KSN helps identify sources of ma...