Re: [NSE] smb-vuln-ms10-061

[Aleksandar Nikolic <nikolic.alek () gmail com>]

On 7/26/2012 10:33 PM, Aleksandar Nikolic wrote:
> Hi all,
>
> I've written a vuln check script that checks for ms10-061 aka Print
> Spooler Service Impersonation
> vulnerability, aka one of the Stuxnet vulns...
>
> It's really a neat vuln. Basically it allows you to write any data into
> a file on the remote system
> even traversing directories. Folks from metasploit wrote an exploit that
> abuses this to write a PE file
> and then schedule it for execution in near future. So it's 100% reliable
> exploit provided that you
> have access to at least one printer share.
>
> My script follows the same approach, only we aren't interested in
> exploiting the vuln but
> checking if the machine is patched or not.
> One concern with this is that, in case print job works, the remote
> machine would actually print
> the file, so the script stops that by aborting the job. In that way the
> printer stays silent and
> we save threes.
>
> In order for the check to work , we need at least one available printer
> share.
> You can specify printer share name by "printer" script arg but if you
> don't, script tries
> to find one by using LANMAN api.
> LANMAN api may not be available on remote systems, so you can use
> smb-enum-shares
> to get valid shares and from there deduce the printer share name.
> Also, newer versions of windows require valid credentials by default, as
> usual, these
> can be specified as arguments to smb library (smbuser and smbpassword).
>
>
> msrpc library patch needed for this script is available in my previous
> message here:
> http://seclists.org/nmap-dev/2012/q3/411
>
> And the script it's self is attached here.
>
> Comments and ideas are welcome.
>
> Aleksandar
This has been merged into trunk as  29408.

Aleksandar
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/