Name: Microsoft Office Word Malicious Hta Execution
Module: exploit/windows/fileformat/office_word_hta
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2017-04-14
Provided by:
  Haifei Li
  ryHanson
  wdormann
  DidierStevens
  vysec
  Nixawk
  sinn3r <sinn3r@metasploit.com>
Available targets:
  Id  Name
  --  ----
  0   Microsoft Office Word

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.doc          yes       The file name.
  SRVHOST   192.168.0.2      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT   8080             yes       The local port to listen on.
  SSL       false            no        Negotiate SSL for incoming connections
  SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH   default.hta      yes       The URI to use for the HTA file
Payload information:
Description:
This module creates a malicious RTF file that, when opened in
vulnerable versions of Microsoft Word, leads to code execution.
The flaw exists in how an OLE link object can make an HTTP(S) request
and execute HTA code returned in the response. This bug was originally
seen being exploited in the wild starting in October 2016. This module
was created by reversing a public malware sample.
References:
https://cvedetails.com/cve/CVE-2017-0199/
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html
https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
https://www.microsoft.com/en-us/download/details.aspx?id=10725
https://msdn.microsoft.com/en-us/library/dd942294.aspx
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199