Windows VBScript Engine Remote Code Execution Vulnerability
CVE-2018-8174 is a remote code execution vulnerability in the Microsoft VBScript engine caused by improper handling of objects in memory. The issue affects supported Windows platforms including Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016. Tracked reporting identifies it as a Windows VBScript engine RCE and notes threat-actor use, including exploitation by the Cobalt Group and a BabyShark-associated server-side PHP exploit intended to trigger the flaw. Exploitation occurs when the VBScript engine corrupts memory while processing crafted content, enabling attacker-controlled code execution.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository contains a Metasploit module (CVE-2018-8174.rb) and a malicious RTF template (CVE-2018-8174.rtf) for exploiting CVE-2018-8174, a VBScript memory corruption vulnerability in Microsoft Office Word (32-bit). The exploit works by generating a specially crafted RTF file that, when opened in a vulnerable version of Word, causes the application to fetch and execute a malicious HTML payload containing VBScript from an attacker-controlled HTTP server. The Metasploit module allows the operator to specify the filename and URI path for the exploit delivery, and embeds a customizable payload (such as a reverse shell) into the exploit. The README provides installation instructions and notes that the exploit is most reliable with non-staged reverse shell payloads. The main attack vector is via malicious file delivery (RTF), with a secondary network component (HTTP server hosting the payload). The exploit is operational and can be used to achieve code execution on unpatched systems.
This repository contains a Python exploit script (CVE-2018-8174.py) targeting the Microsoft Internet Explorer VBScript Engine remote code execution vulnerability (CVE-2018-8174, also known as Double Kill). The script generates a malicious RTF file and an HTML file containing shellcode that exploits the vulnerability. The attacker can specify a URL (where the HTML exploit will be hosted), an output RTF filename, and optionally an IP and port for a reverse shell payload. The README provides usage instructions, including how to host the exploit and set up a netcat listener to receive the reverse shell. The exploit is operational, allowing for customizable payload delivery and remote code execution on vulnerable Windows systems. The repository structure is simple, with one main Python exploit script and a README for instructions.
This repository contains a detailed analysis and a proof-of-concept (POC) exploit for CVE-2018-8174, a use-after-free vulnerability in the VBScript engine of Microsoft Internet Explorer. The repository consists of a README.md with an in-depth technical write-up and a single exploit script, analysis.vbs, written in VBScript. The exploit demonstrates how to trigger the vulnerability by manipulating VBScript class objects and memory, leading to type confusion and ultimately arbitrary code execution. The script includes routines to leak memory addresses, resolve function pointers for VirtualProtect and NtContinue, and construct the necessary structures to bypass DEP and execute shellcode. The payload is a placeholder shellcode, but the exploit structure allows for arbitrary shellcode execution. The attack vector is via the browser (Internet Explorer) or any environment that executes VBScript. No network endpoints or external IPs/domains are present; the exploit is self-contained and targets the local system via browser scripting. The repository is a valuable resource for understanding the exploitation process of this vulnerability and serves as a POC for researchers and defenders.
This repository is a proof-of-concept exploit for CVE-2018-8174, a remote code execution vulnerability in the VBScript engine as used by Internet Explorer, which can be triggered via Microsoft Word or WordPad. The repository contains four files: a LICENSE, a README.md with usage instructions, an index.html file containing obfuscated VBScript exploit code, and a Python script (msvbs.py) that generates a malicious RTF file embedding a link to the attacker's web server. The exploit works by having a victim open the crafted RTF file, which causes Word/WordPad to load the attacker's HTML (index.html) via an embedded OLE object. The VBScript in index.html exploits the vulnerability to execute shellcode, which downloads and runs Putty.exe from a remote site. The main fingerprintable endpoints are the attacker's web server URL (e.g., http://192.168.1.2:8080) and the reference to Putty.exe. The exploit is a POC and uses a static payload, but demonstrates full remote code execution capability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A remote code execution vulnerability in the Windows VBScript engine listed among exploited CVEs.
A vulnerability in Internet Explorer’s legacy VBScript engine that was originally exploited as a zero-day and then broadly adopted by exploit kits.
A specific vulnerability (CVE-2018-8174) referenced as being abused in targeted attacks attributed to CactusPete activity; described as a recently discovered and patched vulnerability used via spear-phishing “magic” attachments to deliver payloads.
A specific vulnerability (CVE-2018-8174) referenced in the context of exploit-kit activity (Fallout EK) associated with MAZE ransomware distribution/operations.