Metasploit mailing list archives

Re: print spooler module exception


From: 김무성 <kimms () infosec co kr>
Date: Wed, 6 Oct 2010 16:30:08 +0900

Hello, Jdrake.

You are right.

The attacker and victim are on the same domain.
Following your answer, I fixed my test environment.
Without the domain, the attack is possible.


I think that when the ms10_061_spooler module sends the packet (StartDocPrinter),
the trigger is in this packet.
And I found that there is an output file (\\ip\pipe\atsvc) and a document name
(xkd30qdornbzhyamwecjhm8).
Are this output file and document name generated randomly?
Can I know the specific offset which has the vulnerability?

Thanks
MuSung Kim

-----Original Message-----
From: Joshua J. Drake [mailto:jdrake () metasploit com] 
Sent: Wednesday, October 06, 2010 3:58 AM
To: kimms () infosec co kr
Cc: framework () spool metasploit com
Subject: Re: [framework] print spooler module exception

On Tue, Oct 05, 2010 at 06:29:00PM +0900, 김무성 wrote:

> There is exception num 5.
>
> Num 5 is access denied.

I have not seen this particular situation in my testing.

It seems like the target machine may be patched or perhaps the printer is
specifically configured to not allow guest access.

> But when I opened the folder explorer and typed \\10.10.50.201\printers,
> I can see the print bar window.

If you are logged into a domain, some magic may be happening behind the
scenes that leaves you with valid user credentials.

If you have an account, try using the SMBUser/SMBPass options.

Please let us know if you manage to figure out what caused this error or
how you managed to work around it.

Hope this helps,

--
Joshua J. Drake

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
