Re: print spooler module exception

[Varga-Perke Balint <vpbalint () gmail com>]

 2010-10-06 09:30 keltezéssel, 김무성 írta:
> I think that when ms10_061_spooler module send packet(StartDocPrinter),
> trigger is on this packet.
> And I found that There is output file (\\ip\pipe\atsvc) and document name
> (xkd30qdornbzhyamwecjhm8)
> This output file, document name is made randomly?

The "document name" is made up randomly. The ATSVC pipe is used to 
access the scheduling service (it's name is constant).

> Can I know specific offset which have vulnerability?

You can write arbitrary files via the StartDocPrinter call with SYSTEM 
privileges on unpatched systems by specifying the spool file.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework