MS12_044_midi vulnerability penetration in Metasploit

Source: Internet
Author: User

The tool used today is the Metasploit software in the BT5 penetration toolkit. BT5 is a well-known hacker distribution that bundles many hacking and security evaluation tools; although it is hacker software, it is also a helper in security detection and can help us detect many vulnerabilities, depending on how you use them. Because it is hacker software, we hope that you obtain authorization from others before conducting security detection, to avoid unnecessary trouble.

Today's topic is the Microsoft MS12_044_midi vulnerability. I searched Baidu for a long time without finding a good explanation of it, so I will introduce MS12_044_midi myself, following my own notes. The MS12_044_midi vulnerability is used to construct a URL Trojan link and then distribute that link; when someone else's computer has this vulnerability and the URL is opened, a reverse connection is automatically established between the target machine and ours. The vulnerability is in Internet Explorer and is common in IE 6.0, 7.0 and 8.0. This experiment is again performed on a local virtual machine; no damage was done.

Affected software: (screenshot in the original)

First, check the IP addresses of BT5 and the target system:


Open msfconsole in BT5 and use the Metasploit tool.


Here we select the vulnerability module used in this experiment, MS12_044_midi, give its specific path, and view the parameters this module uses.


Because most computers have their own firewall enabled, we use the reverse_tcp bounce connection, so that the target machine actively connects out through its firewall to our machine. PAYLOAD is the attack payload and must be set.


Because a bounce (reverse) payload is used, we can check the module's configuration to see the additional bounce-connection parameters.


Next, we configure the parameters. LHOST is filled in with our own BT5 IP address, because we are letting the other party connect to us: we are the receiver. URIPATH exists because this is a browser attack, so a browsing path is generated; here the page is named xiaoma.html to be more deceptive, and you can name the path page at will. SRVHOST is the listening address; because the remote bounce connection comes to us, we still listen on BT5. As for the port, the default can usually be used; do not modify it unless you need to.


After the penetration parameters are set, I directly execute exploit to trigger the overflow.


After exploit runs, BT5 waits and listens automatically... Now open the generated link in IE on the target machine (192.168.1.121)...


After the generated link is opened in IE, the browser just shows a page that is stuck, and then closes automatically after a while...


We go back to BT5 and find that our configuration has taken effect and the session has been captured, completing this overflow.


Let's check the session obtained from the experiment.


Use sessions -i <session number> to enter the session, then open a shell to obtain the target machine's shell, and view the target machine's IP address.


Now we have the shell of the target machine. This Windows machine has fallen and the experiment is successful.
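The defender's view of the same chain, as an added example that is not part of the original post: the victim fetches the served page (URIPATH on SRVHOST) and, seconds later, its reverse_tcp payload opens a fresh connection back to the same host on a different port. The script below correlates constructed proxy and firewall log lines to flag that browse-then-callback pattern; it assumes 192.168.1.100 as the BT5 host, 8080 and 4444 as the module's default SRVPORT and LPORT (all constructed, not taken from the post's screenshots).

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post). "proxy" lines are page fetches
# seen by a web proxy, "conn" lines are outbound TCP connections seen by a
# firewall; the first field is a timestamp in seconds. 192.168.1.121 is the
# post's victim, 192.168.1.100 stands in for the BT5 host (assumed value).
SAMPLE_LOG = """\
100 proxy client=192.168.1.121 server=192.168.1.100:8080 path=/xiaoma.html ua=MSIE/8.0
103 conn src=192.168.1.121 dst=192.168.1.100 dport=4444
140 proxy client=192.168.1.50 server=192.168.1.100:8080 path=/xiaoma.html ua=MSIE/8.0
700 conn src=192.168.1.50 dst=192.168.1.100 dport=4444
710 proxy client=192.168.1.51 server=93.184.216.34:80 path=/index.html ua=MSIE/8.0
712 conn src=192.168.1.51 dst=93.184.216.34 dport=80
"""

PROXY_RE = re.compile(r"^(\d+) proxy client=(\S+) server=(\S+):(\d+) path=(\S+)")
CONN_RE = re.compile(r"^(\d+) conn src=(\S+) dst=(\S+) dport=(\d+)")


def find_browser_callbacks(log_text, window=60):
    """Flag a client that fetched a page from some host and, within `window`
    seconds, opened a new TCP connection back to that same host on a port
    other than the one that served the page. A page on 8080 followed by a
    connection to 4444 is the shape of a browser exploit delivering a
    reverse_tcp payload; a second connection to the web port itself is
    just normal browsing and is not flagged."""
    recent = defaultdict(list)  # client -> [(ts, server_ip, server_port, path)]
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, client, srv, port, path = m.groups()
            recent[client].append((int(ts), srv, int(port), path))
            continue
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, dport = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            for pts, srv, sport, path in recent[src]:
                if srv == dst and dport != sport and 0 <= ts - pts <= window:
                    hits.append({"client": src, "server": dst, "path": path,
                                 "dport": dport, "delay": ts - pts})
    return hits


if __name__ == "__main__":
    for hit in find_browser_callbacks(SAMPLE_LOG):
        print("possible browser-exploit callback:", hit)
```

In the constructed sample only the first client is flagged: the second client's callback arrives 560 seconds after the fetch, outside the window, and the third client only reconnects to the web port it was already browsing.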


This article is from the "xy low-key development" blog; please be sure to keep this source: http://qq7887174.blog.51cto.com/7898352/1301762
