CVE-2017-0199

Microsoft patch?

Open leosilberg opened this issue 7 years ago • 9 comments

Hey man, awesome work with this tool. I was just wondering what the Microsoft patch involved. So far I've read they only block 2 file types - hta and script. I'm playing around with different files besides these and they seem to work. Have you found the same issue, and which file types have you used? Thanks

Oct 21 '17 20:10 leosilberg

The patch blocked the following CLSIDs:

- {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} => htafile <= CVE-2017-0199 (over http)
- {06290BD3-48AA-11D2-8432-006008C3FBFC} => script <= CVE-2017-0199 (over http)
- {06290BD2-48AA-11D2-8432-006008C3FBFC} => scriptletfile <= CVE-2017-8570 (over smb)

And there are no other file types that can be executed?

Oct 22 '17 10:10 leosilberg

For example, a vbs file? My limited understanding is that Office loads the associated dll of the file and executes. Does this mean any file can work?

Oct 22 '17 11:10 leosilberg

Office requests the CLSID via ole32.dll (it calls GetClassFile()).

https://msdn.microsoft.com/ru-ru/library/windows/desktop/ms691424(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ms688580(v=vs.85).aspx

Lastly, in the ppsx file the Target="script: can that be changed? I know of the URL moniker but are there any other ones?

Oct 23 '17 15:10 leosilberg

In the RTF file, the hex string e0c9ea79f9bace118c8200aa004ba90b is the CLSID 79eac9e0-baf9-11ce-8c82-00aa004ba90b. CLSID 79eac9e0-baf9-11ce-8c82-00aa004ba90b => URL Moniker (C:\Windows\system32\urlmon.dll). The URL Moniker creates a session to the external resource and download request. The request has a type (header "ContentType"). If type = "application/hta" > CLSID 3050F4D8-98B5-11CF-BB82-00AA00BDCE0B (htafile) > C:\Windows\System32\mshta.exe. Mshta.exe starts and executes the previously loaded request body.

Thanks

Oct 23 '17 16:10 leosilberg
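
The hex-string-to-CLSID mapping from the reply above, as an added example that is not part of the original thread: a CLSID embedded in a document is serialized with its first three fields little-endian, so a scanner has to convert it before matching against the CLSIDs listed here. The function names and the sample RTF fragment are constructed for illustration.

```python
import re
import uuid

# CLSIDs named in this thread and what each one resolves to.
CLSIDS = {
    "79eac9e0-baf9-11ce-8c82-00aa004ba90b": "URL Moniker (urlmon.dll)",
    "3050f4d8-98b5-11cf-bb82-00aa00bdce0b": "htafile",
    "06290bd3-48aa-11d2-8432-006008c3fbfc": "script",
    "06290bd2-48aa-11d2-8432-006008c3fbfc": "scriptletfile",
}


def clsid_to_hex(clsid: str) -> str:
    """Registry form -> serialized form (first three fields little-endian)."""
    return uuid.UUID(clsid).bytes_le.hex()


def hex_to_clsid(hex_string: str) -> str:
    """32 hex digits as found in a document -> registry form of the CLSID."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_string)))


def find_clsids(rtf_text: str) -> list[tuple[str, str]]:
    """Return (clsid, label) for every listed CLSID present in the RTF hex data.

    Hex data in RTF may be wrapped across lines and written in either case,
    so whitespace is removed and the text lowercased before matching.
    This is a plain substring match; hex data interleaved with RTF control
    words needs a real RTF parser in front of it.
    """
    flat = re.sub(r"\s+", "", rtf_text).lower()
    return [(c, label) for c, label in CLSIDS.items() if clsid_to_hex(c) in flat]


# Constructed sample: an objdata fragment with the CLSID split across lines.
SAMPLE = (
    "{\\rtf1{\\object\\objdata 0105000002000000\n"
    "e0c9ea79f9bace11\n"
    "8C8200AA004BA90B00000000}}"
)

if __name__ == "__main__":
    for clsid, label in find_clsids(SAMPLE):
        print(f"{clsid}  {label}  (serialized: {clsid_to_hex(clsid)})")
```
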

Just use Empire windows/launcher.vbs

Dec 08 '17 04:12 X0R1972

Not working, all PCs are patched now

Jan 24 '18 14:01 X0R1972