Nmap Development mailing list archives
Re: [NSE] smb-vuln-ms10-061
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Mon, 30 Jul 2012 11:53:19 +0200
On 7/26/2012 10:33 PM, Aleksandar Nikolic wrote:
Hi all,

I've written a vuln check script that checks for ms10-061, aka the Print Spooler Service Impersonation vulnerability, aka one of the Stuxnet vulns... It's really a neat vuln. Basically it allows you to write any data into a file on the remote system, even traversing directories. Folks from Metasploit wrote an exploit that abuses this to write a PE file and then schedule it for execution in the near future. So it's a 100% reliable exploit, provided that you have access to at least one printer share.

My script follows the same approach, only we aren't interested in exploiting the vuln but in checking whether the machine is patched or not. One concern with this is that, in case the print job works, the remote machine would actually print the file, so the script stops that by aborting the job. That way the printer stays silent and we save trees.

In order for the check to work, we need at least one available printer share. You can specify the printer share name with the "printer" script arg, but if you don't, the script tries to find one using the LANMAN API. The LANMAN API may not be available on remote systems, so you can use smb-enum-shares to get valid shares and from there deduce the printer share name. Also, newer versions of Windows require valid credentials by default; as usual, these can be specified as arguments to the smb library (smbuser and smbpassword).

The msrpc library patch needed for this script is available in my previous message here: http://seclists.org/nmap-dev/2012/q3/411

And the script itself is attached here. Comments and ideas are welcome.

Aleksandar
This has been merged into trunk as 29408.

Aleksandar

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
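The quoted message describes a two-step workflow when the LANMAN API is unavailable: enumerate shares with smb-enum-shares, pick a printer share by hand, then pass it to the check through the printer script arg (plus smbuser/smbpassword on newer Windows). The POSIX shell helper below is an added example, not code from this thread or from the smb-vuln-ms10-061 script: it reads saved smb-enum-shares normal output, prints every share whose Type is STYPE_PRINTQ, and builds the matching nmap command line. The scan output is constructed; the STYPE_PRINTQ label, the unprefixed printer= argument form and the host 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or the NSE script: pick printer shares
# out of smb-enum-shares output and build the smb-vuln-ms10-061 command line.

# Constructed sample of `nmap -p445 --script smb-enum-shares` normal output.
# The "Type: STYPE_PRINTQ" label for print queues is assumed here.
SAMPLE_ENUM_OUTPUT='Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.0.2.10\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|   \\192.0.2.10\HP LaserJet 4:
|     Type: STYPE_PRINTQ
|     Comment: HP LaserJet 4 on the 3rd floor
|     Anonymous access: READ
|   \\192.0.2.10\IPC$:
|     Type: STYPE_IPC
|     Comment: Remote IPC
|_    Anonymous access: READ'

# printer_shares: read smb-enum-shares output on stdin and print the name of
# every share whose Type is STYPE_PRINTQ, one per line (names may have spaces).
printer_shares() {
  awk '
    # Share header lines look like "|   \\host\share:"; keep the share part.
    /^[|]   \\\\/ {
      n = split($0, part, "\\\\")   # split on backslashes; last piece is "share:"
      name = part[n]
      sub(/:$/, "", name)
      next
    }
    /Type: STYPE_PRINTQ/ { print name }
  '
}

# ms10_061_check_cmd TARGET PRINTER [USER PASS]: print the nmap command that
# runs the check against one printer share. The share name is quoted inside
# the script-args string because printer names usually contain spaces;
# credentials go through the smb library's smbuser/smbpassword args when given.
ms10_061_check_cmd() {
  target=$1; printer=$2; user=$3; pass=$4
  args="printer=\"$printer\""
  if [ -n "$user" ]; then
    args="$args,smbuser=$user,smbpassword=$pass"
  fi
  printf "nmap -p445 --script smb-vuln-ms10-061 --script-args '%s' %s\n" "$args" "$target"
}

# Demo: one check command per printer share found in the sample output.
printf '%s\n' "$SAMPLE_ENUM_OUTPUT" | printer_shares |
  while IFS= read -r share; do
    ms10_061_check_cmd 192.0.2.10 "$share"
  done
```

Feed real output in with `nmap -p445 --script smb-enum-shares target | printer_shares`; if several print queues come back, the vuln check only needs one of them, since the thread's point is that a single accessible printer share is enough.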