CVE-2017-0199 - Office Word HTA Module #8254
Conversation
If hta_server is used, a black flashing window will appear. A new PR wants to fix the issue. Another question:
this needs some docs too, but looks good!
```ruby
# require 'rex/ole'
# ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
# ministream = ole.instance_variable_get(:@ministream)
# ministream_data = ministream.instance_variable_get(:@data)
```
we should take a look at what was broken in rex-ole, e.g. is it disallowing us to parse a corrupted document
The RTF may not be a corrupted document. Please check my steps.

- The original RTF was created by Office Word 2010 on Windows 7. I've tried to recreate a new one with the same issue.
- Show the OLE object info with oletools - rtfobj:

```
$ rtfobj cve-2017-0199.rtf
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: 'cve-2017-0199.rtf' - size: 37633 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |00002A2Ah |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------
```

- Dump the OLE object with rtfobj:

```
$ rtfobj -s 0 cve-2017-0199.rtf
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: 'cve-2017-0199.rtf' - size: 37633 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |00002A2Ah |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------
Saving file embedded in OLE object #0:
format_id = 2
class name = 'OLE2Link'
data size = 2560
saving to file cve-2017-0199.rtf_object_00002A2A.bin
```

- When the RTF is dumped successfully, please try to parse the OLE object binary data with read_oleobject.rb:

```
$ ruby read_oleobject.rb cve-2017-0199.rtf_object_00002A2A.bin
4
- #<Dirent:"Root Entry">
|- #<Dirent:"\u0001Ole" size=162 data="\x01\x00\x00\x02\t...">
|- #<Dirent:"\u0003ObjInfo" size=6 data="\x10\x02\x03\x00\x04\x00">
\- #<Dirent:"\u0003LinkInfo" size=102 data="\x1E\x00htt...">

From: /Users/Open-Security/Code/labs/CVE-2017-0199/read_oleobject.rb @ line 26 Object#read_ole_ministream:

    14: def read_ole_ministream(filename)
    15:   # ole/storage
    16:   ole = Ole::Storage.open(filename, 'rb+')
    17:   puts ole.dirents.length
    18:   puts ole.root.to_tree
    19:
    20:   # rex/ole
    21:   ole = Rex::OLE::Storage.new(filename, Rex::OLE::STGM_READ)
    22:   ministream = ole.instance_variable_get(:@ministream)
    23:   data = ministream.instance_variable_get(:@data)
    24:
    25:
 => 26:   binding.pry
    27:
    28:   olebin = ::File.open("#(unknown)-ministream_data.bin", 'wb+')
    29:   olebin.write(data)
    30:   olebin.close
    31: end

[1] pry(main)> data
=> "\x01\x00\x00\x02\t\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00V\x00\x00\x00\xE0\xC9\xEAy\xF9\xBA\xCE\x11\x8C\x82\x00\xAA\x00K\xA9\v>\x00\x00\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00w\x00w\x00w\x00.\x00b\x00a\x00i\x00d\x00u\x00.\x00c\x00o\x00m\x00/\x00i\x00n\x00d\x00e\x00x\x00.\x00h\x00t\x00m\x00\x00\x00\xFF\xFF\xFF\xFF i3%\xF9\x03\xCF\x11\x8F\xD0\x00\xAA\x00ho\x13\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00 \xED\xE0P\x9D\xB8\xD2\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB1\x00\x05\x00\x10\x00\b\x01\x10\x02\x03\x00\x04\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAC\x00\x05\x00\x1F\x00\b\x01\xC0\x81\xA7\bx\x01\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x00http://www.baidu.com/index.htm\x00\x00\xBB\xBB\xCC\xCC\x1E\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00w\x00w\x00w\x00.\x00b\x00a\x00i\x00d\x00u\x00.\x00c\x00o\x00m\x00/\x00i\x00n\x00d\x00e\x00x\x00.\x00h\x00t\x00m\x00\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
```
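The rtfobj output in the steps above reports three fields per object: `format_id`, `class name` and `data size`. Those come straight from the OLE 1.0 ObjectHeader (MS-OLEDS) that every RTF `\objdata` hex blob begins with. The following is an added triage example, not code from this PR, from Metasploit or from oletools: it pulls the `\objdata` hex out of an RTF, decodes that header, and reports the same fields, flagging whether the embedded native data is an OLE2 compound file and whether the blob is truncated. The RTF document and the `OLE2Link` blob inside it are constructed in the script itself (helper `build_sample_ole1`, sample constants `SAMPLE_*`), and the hex extraction is simplified to "hex digits up to the closing brace".

```ruby
# Added example (not from the PR, Metasploit or oletools): minimal RTF \objdata
# triage in the spirit of rtfobj. Decodes the OLE 1.0 ObjectHeader (MS-OLEDS)
# and reports format_id, class name and native data size for each object.

OLE2_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".b # compound file header signature

# Find every \objdata hex blob in an RTF string and decode it to raw bytes.
# Simplification: hex is read up to the first byte that is neither a hex digit
# nor whitespace, which is the closing brace in well-formed documents.
def extract_objdata_blobs(rtf)
  rtf.scan(/\\objdata\s*([0-9a-fA-F\s]+)/).map do |(hex)|
    clean = hex.gsub(/\s+/, '')
    clean = clean[0...-1] if clean.length.odd? # drop a dangling nibble
    [clean].pack('H*')
  end
end

# Read an MS-OLEDS LengthPrefixedAnsiString at +off+ (4-byte length, then the
# NUL-terminated bytes). Returns [string, next_offset] or nil when truncated.
def read_lp_ansi(data, off)
  raw = data.byteslice(off, 4)
  return nil unless raw && raw.bytesize == 4
  len = raw.unpack1('V')
  str = data.byteslice(off + 4, len)
  return nil unless str && str.bytesize == len
  [str.unpack1('Z*'), off + 4 + len]
end

# Decode the OLE 1.0 ObjectHeader that starts every \objdata blob:
# OLEVersion, FormatID, ClassName, TopicName, ItemName, and for FormatID 2
# (EmbeddedObject) the NativeDataSize and NativeData that follow it.
def parse_ole1_object(data)
  return nil if data.bytesize < 8
  version, format_id = data.unpack('VV')
  off = 8
  names = []
  3.times do
    res = read_lp_ansi(data, off)
    return nil unless res
    name, off = res
    names << name
  end
  info = { ole_version: version, format_id: format_id,
           class_name: names[0], topic_name: names[1], item_name: names[2] }
  if format_id == 2
    size_raw = data.byteslice(off, 4)
    return nil unless size_raw && size_raw.bytesize == 4
    info[:data_size] = size_raw.unpack1('V')
    native = data.byteslice(off + 4, info[:data_size]) || ''.b
    info[:truncated] = native.bytesize < info[:data_size]   # size field lies
    info[:ole2_compound] = native.start_with?(OLE2_MAGIC)   # OLE2 storage inside
  end
  info
end

# Report every parseable embedded object in an RTF document.
def triage_rtf(rtf)
  extract_objdata_blobs(rtf).map { |blob| parse_ole1_object(blob) }.compact
end

# --- constructed sample input ---------------------------------------------
# Lay out an OLE 1.0 embedded object the way Word does (hypothetical helper).
def build_sample_ole1(class_name, native)
  lp = ->(s) { s.empty? ? [0].pack('V') : [s.bytesize + 1].pack('V') + s + "\0" }
  [0x00000501, 2].pack('VV') + lp.call(class_name) + lp.call('') + lp.call('') +
    [native.bytesize].pack('V') + native
end

SAMPLE_NATIVE = OLE2_MAGIC + ("\0".b * 24)          # stub compound-file header
SAMPLE_BLOB   = build_sample_ole1('OLE2Link', SAMPLE_NATIVE)
SAMPLE_HEX    = SAMPLE_BLOB.unpack1('H*')
# Whitespace inside the hex run is legal in RTF, so the sample splits it.
SAMPLE_RTF    = "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}" \
                "{\\*\\objdata #{SAMPLE_HEX[0, 20]}\n#{SAMPLE_HEX[20..-1]}}}\\par}"

if __FILE__ == $0
  triage_rtf(SAMPLE_RTF).each_with_index do |obj, i|
    puts "object ##{i}: format_id=#{obj[:format_id]} class=#{obj[:class_name].inspect} " \
         "data_size=#{obj[:data_size]} ole2=#{obj[:ole2_compound]} truncated=#{obj[:truncated]}"
  end
end
```

Run it on the constructed document and it reports one object with `format_id=2`, class `"OLE2Link"` and a 32-byte native payload that starts with the OLE2 signature; the same fields rtfobj printed for the 2560-byte object in the real sample. The `truncated` flag is the check worth keeping in a triage script: a `data size` larger than the bytes actually present is exactly the kind of malformed object that trips a strict parser, which is what the rex-ole question above is about.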
```ruby
def create_rtf_format
  template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
  template_rtf = ::File.open(template_path, 'rb')
```
TODO - it would be nice if there was a wrapper to get a data directory file (not needed for this module)
Thanks @busterb. I'll add the module doc later.
@jooeji Could you share the packet here? If you failed to exploit CVE-2017-0199, please try it with an IE cache clean. Thanks @busterb, the module doc is added.
Any questions about the module?
I'll take over from here. I will be landing this soon. Sorry for the wait. And thanks!
Release Notes: The exploit/windows/misc/hta_server module has been added to the framework. It exploits a Microsoft Office vulnerability that started off as an 0day being exploited in the wild. By using an OLE2 link object in a doc or RTF file, it is possible to abuse the HTA handler, which will allow the document to download a malicious HTA application and execute it.
Sorry for the slow response. I modified the exploit to run its own HTA server, and it allows the HTA window to be invisible. Also updated the doc a little.
Thanks @wchen-r7.
I have tried the old and new version of this module but it failed on Windows 7 with all Office versions (2007->2016); I also tried with both fresh and normal VMs. The process WINWORD.exe just downloads the .hta file but doesn't execute the payload. Does anybody have the same problem?
Please read the module info, and check your lab version. I've failed to exploit it on Windows 7, but it's ok on Windows 7 SP1. Vulnerable OS list, e.g.:
@nixawk Hi, I don't know why it does not work fine. I have Windows 7 SP1 running, Office 2016 Pro Plus 64-bit. Could it be AV? I have a screenshot to show you.
I have the same problem as @kalifan on Windows 7 SP1 with Office 2013 SP1.
@C6h0st I tried the new exploit from exploit-db and it does not work fine either. :(
I have the same problem as jooeji; I can't get a meterpreter back.
@nixawk Almost, we can keep trying, thanks bro.
@wvu-r7 @wchen-r7 @busterb Please check it. The details about the module are here: #8220.
Copy /Users/securitytest/.msf4/local/msf.doc into a victim machine, and open it with Microsoft Word....