Metasploit mailing list archives
Re: print spooler module exception
From: Varga-Perke Balint <vpbalint () gmail com>
Date: Wed, 06 Oct 2010 09:41:44 +0200
On 2010-10-06 09:30, 김무성 wrote:
> I think that when the ms10_061_spooler module sends the packet (StartDocPrinter), the trigger is on this packet. And I found that there is an output file (\\ip\pipe\atsvc) and a document name (xkd30qdornbzhyamwecjhm8). Are this output file and document name made randomly?
The "document name" is made up randomly. The ATSVC pipe is used to access the scheduling service (its name is constant).
> Can I know the specific offset which has the vulnerability?
You can write arbitrary files via the StartDocPrinter call with SYSTEM privileges on unpatched systems by specifying the spool file.