CVE-2018-0802

CVE-2018-0802

说明

在CVE-2017-11882之后，2018年1月份又出了一个新的“噩梦公式二代”，在野样本嵌入了利用Nday漏洞和0day漏洞的2个公式对象同时进行攻击，Nday漏洞可以攻击未打补丁的系统，0day漏洞则攻击全补丁系统，绕过了CVE-2017-11882补丁的ASLR（地址随机化）安全保护措施，攻击最终将在用户电脑中植入恶意的远程控制程序

影响范围

• Microsoft Office 2007 SP3
• Microsoft Office 2010 Service Pack 2 (32-bit editions)
• Microsoft Office 2010 Service Pack 2 (64-bit editions)
• Microsoft Office 2013 Service Pack 1 (32-bit editions)
• Microsoft Office 2013 Service Pack 1 (64-bit editions)
• Microsoft Office 2016 (32-bit edition)
• Microsoft Office 2016 (64-bit edition)
• Microsoft Office 2016 Click-to-Run (C2R) for 32-bit edition
• Microsoft Office 2016 Click-to-Run (C2R) for 64-bit edition
• Microsoft Office Compatibility Pack Service Pack 3
• Microsoft Word 2007 SP3
• Microsoft Word 2010 Service Pack 2 (32-bit editions)
• Microsoft Word 2010 Service Pack 2 (64-bit editions)
• Microsoft Word 2013 RT Service Pack 1
• Microsoft Word 2013 Service Pack 1 (32-bit editions)
• Microsoft Word 2013 Service Pack 1 (64-bit editions)
• Microsoft Word 2016 (32-bit edition)
• Microsoft Word 2016 (64-bit edition)

用法

创建恶意文档

# python packager_exec_CVE-2018-0802.py -e /path/to/executable.exe -o .test.rtf
[+] Completed!

参考文章

• “噩梦公式”二代 | 2018年微软修复的首个Office 0day漏洞（CVE-2018-0802）分析