dionaea emulates MS10-061

MS10-061 allows uploading a file to a remote computer using the printer service (spoolss), then uses the spool service to write an 'at command' to the AT service, which schedules a job to run in the future, basically running the uploaded file.

While it is not perfect yet, it basically works.
What's missing for metasploit:

  • the WritePrinter piped ATSVC command is lost
  • the piped NetShareEnum Trans command is lost - you have to set PNAME in metasploit

But, in the end, we already get the file, which is a good start.

Thanks to Tan Kean Siong for his contribution.

Below you can see what such an attack currently looks like using readlogsqltree:

2010-09-26 20:53:37
  connection 25889 smbd tcp accept ::ffff:127.0.0.1:445 <- ::ffff:127.0.0.1:45470 (25889 None)
   dcerpc bind: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '14d8483f-8f73-fc08-3b1b-c15070355ffe' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '24b9a895-d259-b5d6-7f1c-e0196c35cb12' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '2559f952-03e3-f9b2-662b-4e6f4fbfa993' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '2815b485-8bcc-cbc6-a45c-1cca0bc8a928' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '5877c11c-b7d6-92ac-b8e6-4a016a66d521' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '8c5c0212-2c8b-e9de-8889-19b94be5063e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'c186c5da-bfeb-d0a3-8751-e8e50eea0004' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'cc3824ba-b733-5994-5aab-186390e18f3e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'd0e857b9-7929-9ab0-d61b-6f64c1543512' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'e89a99e6-2782-7bc4-3fe6-1d3d1dcf4b5f' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'faf39128-da8f-234f-a9f4-9d466e2f6fc3' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'fd6e11c8-d3ad-c481-7a20-0ba79198b65e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'fedc56ef-4c84-abd6-0f34-ac63f9d512cb' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 69 (OpenPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 29 (ClosePrinter ())
   profile: []
   offer: spoolss://::ffff:127.0.0.1/Xhbqy5httERSXV.exe
   download: 6b07a937c7a89f30206cfdf25b8331de spoolss://::ffff:127.0.0.1
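To make a log like the one above actionable, here is an added example (not part of this post and not dionaea's own code) that parses readlogsqltree output in the format shown and flags connections matching the spoolss print-job upload sequence (OpenPrinter, StartDocPrinter, one or more WritePrinter, EndDocPrinter) followed by a spoolss:// offer. The embedded excerpt is constructed from the log above, and the regular expressions are my own assumptions about the line layout.

```python
import re
# Constructed excerpt in readlogsqltree format (same shape as the log above).
SAMPLE_LOG = """2010-09-26 20:53:37
  connection 25889 smbd tcp accept ::ffff:127.0.0.1:445 <- ::ffff:127.0.0.1:45470 (25889 None)
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 69 (OpenPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   offer: spoolss://::ffff:127.0.0.1/Xhbqy5httERSXV.exe
   download: 6b07a937c7a89f30206cfdf25b8331de spoolss://::ffff:127.0.0.1
"""

CONN_RE = re.compile(r"^\s*connection (\d+) (\w+) tcp accept (\S+) <- (\S+)")
REQ_RE = re.compile(r"^\s*dcerpc request: uuid '[0-9a-f-]+' \((\w+)\) opnum \d+ \((\w+) \(\)\)")
OFFER_RE = re.compile(r"^\s*offer: (\S+)")
DL_RE = re.compile(r"^\s*download: ([0-9a-f]{32}) (\S+)")

def parse_connections(text):
    """Group readlogsqltree lines into one record per 'connection' line (assumed layout)."""
    conns, cur = [], None
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            cur = {"id": int(m.group(1)), "remote": m.group(4),
                   "calls": [], "offers": [], "downloads": []}
            conns.append(cur)
        elif cur is None:
            continue  # lines before the first connection header (e.g. the date)
        elif m := REQ_RE.match(line):
            cur["calls"].append((m.group(1), m.group(2)))  # (interface, operation)
        elif m := OFFER_RE.match(line):
            cur["offers"].append(m.group(1))
        elif m := DL_RE.match(line):
            cur["downloads"].append((m.group(1), m.group(2)))  # (md5, source url)
    return conns

def spoolss_upload_sequence(conn):
    """True if spoolss calls run OpenPrinter -> StartDocPrinter -> WritePrinter+ -> EndDocPrinter."""
    ops = [op for iface, op in conn["calls"] if iface == "spoolss"]
    try:
        i = ops.index("OpenPrinter")
        j = ops.index("StartDocPrinter", i)
        k = ops.index("EndDocPrinter", j)
    except ValueError:
        return False
    return "WritePrinter" in ops[j:k]

def ms10_061_candidates(text):  # upload sequence plus a spoolss:// file offer
    return [c for c in parse_connections(text) if spoolss_upload_sequence(c)
            and any(o.startswith("spoolss://") for o in c["offers"])]
```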

2010/09/26/dionaea_emulates_ms10-061.txt · Last modified: 2010/09/26 21:57 by common