Voulnet / CVE-2017-8759-Exploit-sample

Running CVE-2017-8759 exploit sample.
MIT License

Windows 10, word 2013 not working #2

Closed derek7467 closed 7 years ago

derek7467 commented 7 years ago

I have a Win10, Word 2013 box. I complete the whole tutorial and when I open Word, I get an automation error. If I pull down the hta file myself and manually open it, it works fine. What gives? I cannot get the exploit.txt to auto run the cmd.hta. I set the localhost in the exploit.txt and the macro to my local Kali box, host the files on the root of my webserver and finally, launch the webserver. I can see the download of the exploit, but it never grabs the cmd.hta.

securitaydude commented 7 years ago

I am also getting a "Microsoft Visual Basic for Application: Automation Error" error message. I am testing the Word Doc on Windows 7 SP1 running Office 2016 and I am hosting the cmd.hta and exploit.txt files out of my Kali root web server. When I open the document, I can't see anything happening from the Kali machine (this is when SimpleHTTPServer is running).

derek7467 commented 7 years ago

Glad it's not just me, I've gotten other exploits of this CVE to work using Metasploit and Meterpreter.

securitaydude commented 7 years ago

Yeah, same here. I'm sure it is something we are missing from our setups.

derek7467 commented 7 years ago

I don't know, man, I've literally read every single letter of every word on a few sites and watched a few videos - this isn't that complicated of an exploit. That automation error, I think, is causing this not to work. Or we got patched already and don't know it, have you checked your Win7 box for the KB to patch this?

securitaydude commented 7 years ago

I'm pretty sure I didn't apply this month's updates. I think, however, this may be related to Visual Studio 2017. I have it installed and I've come across other issues relating to VS 2017. Unfortunately, a simple Google search doesn't find anything.

derek7467 commented 7 years ago

Interesting. I have Visual Studio 2013 installed.

derek7467 commented 7 years ago

I could try my Win7 VM. But I'll need to get Word on it. Actually, you know what, I tried this on my mom's Win8 box and same deal. She doesn't have VS installed.

derek7467 commented 7 years ago

If you get anywhere let me know I'm going to keep trying. I'm sure it's something stupid.

derek7467 commented 7 years ago

Figured it out. I was patched. I removed the patch installed on 9/13 rebooted and the exploit worked.

securitaydude commented 7 years ago

Fuck. Lucky you. Congrats and happy hacking.

derek7467 commented 7 years ago

You sure you don't have the patch? I spent fucking hours trying different shit and I was finally like let me just check.

securitaydude commented 7 years ago

I had some Sept. patches installed (non-security) thinking that it would fix the issue. That didn't work so I uninstalled them and tried again. No luck. So, I am uninstalling my copy of VS 2017 to see if that would work. As of now, all my updates are as recent as May 2017.

securitaydude commented 7 years ago

@derek7467 I got it to work. It was user error on my part (D'oh).

derek7467 commented 7 years ago

What was it?

securitaydude commented 7 years ago

First, I wasn't entering the correct IP address in exploit.txt and in the Word Doc object. Second, I was only running SimpleHTTPServer. I put cmd.hta and exploit.txt in the www folder, ran Apache and ran SimpleHTTPServer on 8080. I guess the Word document not reaching exploit.txt caused the VS automation error. I should have known better. Anyhow, all is good. I got calc.exe and mspaint.exe to run. I tried to get the script to connect back to my machine via Metasploit but no luck. I'll try that Empire suite to see how that works.

derek7467 commented 7 years ago

Ah OK. Nice that you got it working. Yeah, Empire is pretty cool. Similar to Metasploit. There's a vid out there on using this exploit with Metasploit but it passes through a payload via an exe, so I would imagine we would need Veil to bypass AVs. Either way, businesses better patch this quickly.