Microsoft Office Equation Editor Remote Code Execution

This repository provides a proof-of-concept (PoC) exploit for CVE-2017-11882, a well-known vulnerability in Microsoft Office's Equation Editor. The repository contains two Python scripts, 'poc.py' and 'poc3.py', both of which generate a malicious RTF file that exploits the vulnerability. The user supplies a command to execute (-c) and an output file name (-o); the script embeds the command into a specially crafted OLE object within the RTF. When a vulnerable version of Microsoft Office opens the RTF, the embedded command is executed on the victim's system. The scripts differ slightly in implementation (e.g., use of 'binascii' in 'poc3.py'), but both serve the same purpose. No network endpoints or hardcoded IPs/domains are present; the exploit is delivered via a file. The repository is a clear, functional PoC and does not include weaponized or framework-based code.

This repository provides two Python scripts (Command109b_CVE-2017-11882.py and Command43b_CVE-2017-11882.py) that generate malicious RTF files exploiting CVE-2017-11882, a critical vulnerability in Microsoft Office's Equation Editor. The scripts allow the user to specify an arbitrary command (up to 109 or 43 bytes, depending on the script) to be executed on the victim's system when the RTF is opened. The payload is embedded in the RTF as a specially crafted OLE object. The repository includes a sample exploit RTF (example/exploit.rtf) and a README with usage instructions and references. The exploit is operational, allowing for arbitrary command execution, and can be used to launch local executables or fetch and execute remote scripts (e.g., via mshta or regsvr32). No hardcoded network endpoints are present, but the exploit can be configured to fetch remote payloads by specifying a URL in the command argument.

This repository provides a working exploit for CVE-2017-11882, a critical vulnerability in Microsoft Office's Equation Editor (EQNEDT32.EXE). The main exploit script, 'CVE-2017-11882.py', is a Python program that generates a malicious RTF file. This RTF file, when opened in a vulnerable version of Microsoft Word, triggers the vulnerability and allows arbitrary code execution. The exploit supports two main modes: (1) executing a user-supplied command on the target system (using WinExec), and (2) injecting and executing arbitrary shellcode (such as a reverse shell) in a new process (EQNEDT32.EXE), which can be specified with the '-i' flag. The maximum payload size is approximately 17,967 bytes. The script automatically selects the appropriate RTF template based on payload size. The repository includes: - 'CVE-2017-11882.py': The main exploit generator script. - 'shellcode.c': Example C code for custom shellcode injection, useful for advanced payloads. - 'README.md': Detailed usage instructions, including example commands for generating payloads (e.g., with msfvenom) and for debugging the exploit. - 'LICENSE': MIT license. A notable fingerprintable endpoint is the Windows registry key for EQNEDT32.EXE, referenced for debugging purposes. The exploit is operational and can be used to generate weaponized RTF files for red teaming or penetration testing against unpatched Microsoft Office installations.

This repository provides a working exploit for CVE-2017-11882, a critical remote code execution vulnerability in Microsoft Office's Equation Editor. The main exploit is implemented in 'Command_CVE-2017-11882.py', a Python script that generates a malicious RTF file embedding a specially crafted OLE object. When a vulnerable version of Microsoft Office opens this RTF, it triggers arbitrary command execution on the victim's system. The script allows the attacker to specify any command to be executed, and outputs the exploit RTF file. The repository also includes 'PS_shell.rb', a Metasploit module that sets up an HTTP server to deliver a PowerShell-based HTA payload. This module provides a DDE (Dynamic Data Exchange) command for use in Office documents, which, when executed, causes the victim's system to fetch and run a payload from the attacker's server using mshta.exe. The module is designed for integration with the Metasploit framework and can deliver customizable payloads. An example malicious RTF file is provided in 'example/exploit.rtf', and a brief README points to a Chinese-language blog post explaining the vulnerability. The overall structure is typical for a proof-of-concept exploit repository, with both standalone and framework-based exploitation options. The main attack vectors are malicious file delivery (RTF) and network-based payload retrieval (HTTP/HTA).

This repository contains a Metasploit module (cve_2017_11882.rb) that exploits CVE-2017-11882, a remote code execution vulnerability in Microsoft Office Word's Equation Editor. The exploit works by generating a malicious RTF file (using a template, cve-2017-11882.rtf) that, when opened by a vulnerable version of Word, triggers code execution via mshta.exe. The module sets up an HTTP server to deliver an HTA file containing the attacker's payload. The payload is customizable and can be any Metasploit-supported Windows payload (e.g., reverse shell, Meterpreter). The README provides installation instructions for integrating the module and template into a Metasploit environment. The main attack vectors are file format (malicious RTF) and network (HTTP delivery of the HTA payload). The endpoints include the file paths for the module and template, as well as the HTTP URL used to deliver the payload. The exploit is weaponized, as it is fully integrated into Metasploit and supports arbitrary payloads.

This repository provides a proof-of-concept exploit for CVE-2017-11882, a vulnerability in Microsoft Office's Equation Editor. The main exploit is implemented in 'webdav_exec_CVE-2017-11882.py', a Python script that generates a malicious RTF file containing OLE objects. When the generated RTF file is opened on a vulnerable Windows system, it triggers the WebClient service and executes an attacker-controlled executable from a remote WebDAV share (specified as a UNC path, e.g., \\attacker_ip\ff\1.exe). The repository includes a sample exploit RTF file in the 'example' directory and a README with usage instructions and background information. The exploit demonstrates arbitrary code execution via a crafted document, leveraging both file-based (malicious RTF) and network-based (WebDAV/UNC path) attack vectors. The code is a functional PoC and does not include advanced payload customization or evasion features.

This repository contains a Python proof-of-concept exploit for the Microsoft Office Equation Editor vulnerabilities CVE-2017-11882 and CVE-2018-0802. The main file, RTF_11882_0802.py, is a command-line tool that generates a malicious RTF file. The user specifies a command to execute on the target system and the output file name for the crafted RTF. Optionally, a template RTF can be provided. The exploit works by embedding a specially crafted OLE object into the RTF, which triggers the vulnerability in the Equation Editor component when the file is opened in a vulnerable version of Microsoft Office on Windows. The exploit does not contain any hardcoded payload; instead, it allows the user to specify any command, making it a flexible proof-of-concept. The repository also includes a README with usage instructions and references to research and advisories. No network endpoints or external IPs/domains are present; the attack vector is via a malicious file delivered to the victim.

This repository provides an operational exploit tool for CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's Equation Editor. The main script, SignHere.py, generates malicious RTF documents that exploit this vulnerability to execute arbitrary code when opened in a vulnerable version of Microsoft Office (2007 SP3, 2010 SP2, 2013 SP1, or 2016). The tool allows the attacker to specify a Windows command, a PowerShell command, or a binary payload to be executed on the victim's machine. It can also generate a VBScript-based HTA payload (pay.hta) for use with mshta.exe, and includes a simple HTTP server to host payloads and a TCP listener for reverse shell connections. The exploit is highly customizable, supporting both direct command execution and file download/execution scenarios. The codebase is organized into a main script and supporting libraries for payload generation, RTF exploit crafting, server hosting, and listener functionality. The attack vector is primarily through malicious file delivery (RTF), with network-based payload retrieval and optional reverse shell capabilities.

This repository provides multiple proof-of-concept and operational exploits for CVE-2017-11882, a critical remote code execution vulnerability in the Microsoft Office Equation Editor (EQNEDT32.EXE). The exploit targets Office versions 2003 through 2016 on Windows. The repository includes three Python scripts that generate malicious RTF files embedding a payload to execute arbitrary commands on the victim's system when the file is opened in a vulnerable Office installation. The payload can be customized, for example to launch calc.exe or to execute mshta to fetch and run a remote payload (e.g., from http://192.168.43.165:8080/11882). The repository also contains a Metasploit module (cve_2017_11882.rb) that automates the generation and delivery of the exploit, supporting integration with Metasploit's payloads such as Meterpreter reverse shells. The attack vector is primarily via malicious document files delivered to the victim, with optional network callbacks for payload delivery. The code is operational and can be used to generate weaponized documents for red teaming or penetration testing. The README provides detailed usage instructions and highlights the affected Office versions, as well as mitigation steps.