Name: Microsoft Office Word Malicious Hta Execution

   Module: exploit/windows/fileformat/office_word_hta

   Platform: Windows

   Privileged: No

   License: Metasploit Framework License (BSD)

   Rank: Excellent

   Disclosed: 2017-04-14


Provided by:

  Haifei Li

  ryHanson

  wdormann

  DidierStevens

  vysec

  Nixawk

  sinn3r <sinn3r@metasploit.com>


Available targets:

  Id  Name

  --  ----

  0   Microsoft Office Word


Basic options:

  Name      Current Setting  Required  Description

  ----      ---------------  --------  -----------

  FILENAME  msf.doc          yes       The file name.

  SRVHOST   192.168.0.2      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0

  SRVPORT   8080             yes       The local port to listen on.

  SSL       false            no        Negotiate SSL for incoming connections

  SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)

  URIPATH   default.hta      yes       The URI to use for the HTA file


Payload information:


Description:

  This module creates a malicious RTF file that, when opened in 

  vulnerable versions of Microsoft Word, leads to code execution. 

  The flaw exists in how an OLE link (OLE2Link) object can make an HTTP(S) 

  request and execute HTA code returned in the response. The HTA is served 

  by the module's own listener at SRVHOST:SRVPORT/URIPATH, so the target 

  must be able to reach that address. This bug was originally seen being 

  exploited in the wild starting in October 2016. This module was created 

  by reversing a public malware sample.
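The following is an added example written for this page, not code from the Metasploit module or from any of the referenced analyses. It shows the defensive side of the description above: a small scanner that pulls `\objdata` hex blobs out of an RTF, parses the OLE 1.0 object header to recover the class name (the in-the-wild samples use `OLE2Link`), and searches the native data for a serialized URL moniker to recover the remote URL that Word would fetch. The StdOleLink and URL moniker CLSIDs are the documented COM values; the native-data layout used for the constructed sample is a simplification (a real document wraps the moniker in a compound file), and the `url_moniker` length-then-UTF-16LE layout is an assumption stated in the comments. The sample document and the URL `http://192.168.0.2:8080/default.hta` (taken from the module's default options) are constructed here, not real malware.

```python
import re
import struct
import uuid

# Documented COM class identifiers: the OLE link object class (StdOleLink)
# and the URL moniker class that makes the object fetch a remote resource.
STDOLELINK_CLSID = uuid.UUID("00000300-0000-0000-C000-000000000046")
URLMONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")

# Hex data following an \objdata control word; whitespace/newlines may be
# interleaved in the hex, so they are allowed and stripped later.
OBJDATA_RE = re.compile(rb"\\objdata\s*((?:[0-9a-fA-F]|\s)+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Parse an OLE 1.0 ObjectHeader: version, FormatID, three length-prefixed
    names (class, topic, item) and, for FormatID 2 (embedded), native data."""
    off = 0
    version, fmt = struct.unpack_from("<II", blob, off)
    off += 8
    names = []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00"))
        off += n
    native = b""
    if fmt == 2:
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + size]
    return {"version": version, "format": fmt, "class": names[0], "native": native}


def find_url_monikers(data: bytes) -> list:
    """Locate serialized URL monikers by CLSID. Assumed layout: CLSID (16 bytes,
    little-endian GUID), 4-byte length, then UTF-16LE URL with terminator."""
    urls, sig, start = [], URLMONIKER_CLSID.bytes_le, 0
    while True:
        i = data.find(sig, start)
        if i < 0:
            break
        (n,) = struct.unpack_from("<I", data, i + 16)
        raw = data[i + 20:i + 20 + n]
        urls.append(raw.decode("utf-16-le", "replace").rstrip("\x00"))
        start = i + 16
    return urls


def scan_rtf(rtf: bytes) -> list:
    """Flag objects whose class is OLE2Link or that carry a URL moniker."""
    findings = []
    for blob in extract_objdata(rtf):
        if len(blob) < 12:
            continue
        obj = parse_ole1(blob)
        urls = find_url_monikers(obj["native"])
        if obj["class"].lower() == b"ole2link" or urls:
            findings.append({
                "class": obj["class"].decode("latin-1"),
                "urls": urls,
                # \objupdate forces the link to refresh when the document opens
                "objupdate": b"\\objupdate" in rtf,
            })
    return findings


def _ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Serialize an OLE 1.0 embedded object header around native data."""
    cname = class_name + b"\x00"
    hdr = struct.pack("<II", 0x0501, 2)
    hdr += struct.pack("<I", len(cname)) + cname
    hdr += struct.pack("<I", 0) + struct.pack("<I", 0)   # empty topic/item names
    return hdr + struct.pack("<I", len(native)) + native


def build_sample_rtf(url: str) -> bytes:
    """Constructed test document (not a real sample): one auto-updating OLE
    link whose native data holds a StdOleLink CLSID and a URL moniker."""
    wurl = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URLMONIKER_CLSID.bytes_le + struct.pack("<I", len(wurl)) + wurl
    native = STDOLELINK_CLSID.bytes_le + moniker       # simplified, no compound file
    obj = _ole1_object(b"OLE2Link", native)
    return b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + obj.hex().encode() + b"}}}"


if __name__ == "__main__":
    for f in scan_rtf(build_sample_rtf("http://192.168.0.2:8080/default.hta")):
        print(f)
```

On a real document the native data is a compound file rather than the flat layout built here; the detector still keys on the URL moniker CLSID inside that data, so it should be paired with a proper OLE parser (for example the tooling from the rtfdump reference above) rather than used alone.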


References:

  https://cvedetails.com/cve/CVE-2017-0199/

  https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/

  https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html

  https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/

  https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html

  https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html

  https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf

  https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/

  https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100

  https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/

  https://www.microsoft.com/en-us/download/details.aspx?id=10725

  https://msdn.microsoft.com/en-us/library/dd942294.aspx

  https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199