Metasploit mailing list archives
Re: ms10_061_spoolss.rb working for anyone?
From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Thu, 23 Sep 2010 12:54:35 -0500
On Thu, Sep 23, 2010 at 11:51:29AM -0600, hacksauce wrote:
On a XP SP3 VM (VMware) I created a printer (there isn't really a printer there) and shared it. When I run the exploit I get : I checked the victim, and 2hvWFCf29WnRxV.exe doesn't exist in the system32 folder. I've attached the output of filemon (filtered on system32) while the exploit is running, and I don't see the exploit exe being created. I've checked at and I'm not seeing a scheduled task at all.
I saw this kind of behavior when the target system was already patched. Double-check that the patch hasn't been installed by following the guidance in Microsoft's bulletin.
1. Does the printer have to physically exist? I noticed that when I changed the port from lpt to file, I get jobs queued up, that need to be saved...
It shouldn't need to exist. Jobs queuing up is also points towards the patch already being applied.
2. When the exploit succeeds, is there an job left in the scheduled tasks folder?
No. It will run only once. The exe will remain in the system32 folder though. -- Joshua J. Drake
Attachment:
_bin
Description:
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- ms10_061_spoolss.rb working for anyone? Richard Miles (Sep 21)
- Re: ms10_061_spoolss.rb working for anyone? HD Moore (Sep 21)
- Re: ms10_061_spoolss.rb working for anyone? hacksauce (Sep 23)
- Re: ms10_061_spoolss.rb working for anyone? Joshua J. Drake (Sep 23)
- Adobe adobe_cooltype_sing.rb Jeffs (Sep 26)
- Re: ms10_061_spoolss.rb working for anyone? hacksauce (Sep 23)
- Re: ms10_061_spoolss.rb working for anyone? HD Moore (Sep 21)