关联漏洞
标题:Microsoft .NET Framework 安全漏洞 (CVE-2017-8759)Description:Microsoft .NET Framework是美国微软(Microsoft)公司开发的一种全面且一致的编程模型,也是一个用于构建Windows、Windows Store、Windows Phone、Windows Server和Microsoft Azure的应用程序的开发平台。该平台包括C#和Visual Basic编程语言、公共语言运行库和广泛的类库。 Microsoft .NET Framework中存在远程代码执行漏洞。远程攻击者可借助恶意的文档或引用程序利用该漏洞执行代码。以下版本受到影响
Description
CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability
介绍
# OHTS
CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability
1) Introduction
A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or application. The security update addresses the vulnerability by correcting how .NET validates untrusted input. Microsoft .NET Framework allow an attacker to execute code remotely via a malicious document or application, .NET Framework Remote Code Execution Vulnerability.
2) Vulnerable Versions
According to Microsoft, the following are the affected products
• Microsoft .NET Framework 2.0 SP2
• Microsoft .NET Framework 3.5
• Microsoft .NET Framework 3.5.1
• Microsoft .NET Framework 4.5.2
• Microsoft .NET Framework 4.6
• Microsoft .NET Framework 4.6.1
• Microsoft .NET Framework 4.6.2
• Microsoft .NET Framework 4.7
3) Attack Process
The attack occurs in the following manner:
• Create Rtf file, with the help of Python script or manually.
• When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious HTA file.
• The HTA file returned by the server with an embedded malicious script.
• exe looks up the file handler for application/hta through a DLLobject, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script.
4) Requirements
First, we need two virtual machines. I am using Kali Linux as my exploitation environment and Windows7 as my victim.
Then, we need to have a small research on the CVE-2017-8759 for get some idea about the vulnerability.
• https://github.com/bhdresh/CVE-2017-8759
• https://github.com/nccgroup/CVE-2017-8759
• https://securitytracker.com/id/1039324
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759
• https://www.securityfocus.com/bid/100742
• https://www.exploit-db.com/exploits/42711
• https://www.cvedetails.com/cve/CVE-2017-8759/
I used above references to get more details about this .NET Framework Remote Code Execution Vulnerability. As in the Figure 4.3 this vulnerability has 9.3 CVSS score and also there is total information disclosure, resulting in all system files being revealed, total compromise of system integrity, there is a complete loss of system protection, resulting in the entire system being compromised, total shutdown of the affected resource. The attacker can render the resource completely unavailable. The access conditions are somewhat specialized. Some preconditions must be satistified to exploit. Authentication is not required to exploit the vulnerability.
文件快照
[4.0K] /data/pocs/a06d8450d63cc66a99a20d85a5d1b075d6a3a120
├── [8.0M] IT17030168.docx
└── [3.0K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。