Vincent Yiu
Exploiting CVE-2017–8759: SOAP WSDL Parser Code Injection


Last updated 6 years ago


Note: this was posted back in 2017 and was the first post and release of fully weaponised code.

This post was originally published on https://www.mdsec.co.uk/blog/ when I was employed by MDSec Consulting Limited in the United Kingdom. It is mirrored on my own blog for archiving reasons.

Introduction

CVE-2017–8759, the vulnerability recently identified by FireEye as being exploited in the wild, is a code injection vulnerability in the .NET Framework that occurs when a WSDL is parsed via the SOAP moniker. An overview of the vulnerability can be found in the post by FireEye, which is recommended as prerequisite reading.

This vulnerability was of particular interest to Vincent, as its weaponisation could be leveraged during our Adversary Simulation exercises. This post serves as a walkthrough of how to exploit this vulnerability without user interaction using the RTF file format.

Tutorial

Firstly, create a new RTF document containing a new OLE object, using steps similar to those described in our post on CVE-2017–0199.

Once this is complete, retrieve the “blob.bin” OLE blob from this repository, open it in a hex editor and update the URL of the WSDL file which contains the code injection. This OLE blob should now be used to replace the one in the existing RTF document.

Next, save the file as an RTF, then reopen it in a hex editor and locate the “objdata” parameter to identify where the OLE blob is. Once the parameter is located, add the “\objupdate” directive in the same way as described in our CVE-2017–0199 post.

At this point, on opening the RTF document the exploit should execute the HTA file pointed to by the WSDL, without user interaction.

An end-to-end video walkthrough of exploiting this vulnerability is shown below:

Happy hacking!
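As a detection-side illustration, the following Python is an added example and is not code from the original post or from MDSec's release: it scans an RTF for the two ingredients the tutorial combines, the \objupdate directive and an \objdata OLE blob carrying a SOAP WSDL moniker, decoding the hex even when control words are interleaved in it. It assumes Microsoft's documented soap:wsdl= moniker syntax; the RTF fixtures, stub header bytes and URL are constructed for the test and are not real exploit files.

```python
import binascii
import re

# \objupdate (named in the post) makes Word refresh the OLE object on open,
# so its moniker is resolved without any user click.
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OBJDATA_RE = re.compile(rb"\\objdata\b")
# Microsoft's documented SOAP moniker syntax: "soap:wsdl=<url>[,service=...]".
SOAP_WSDL_RE = re.compile(rb"soap:wsdl=([^\s,\"'>\x00]+)", re.I)

def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode the hex blob after each \\objdata; nested groups and control words
    inside the run are skipped, as obfuscated samples interleave them."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, digits = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"}" and depth == 0:
                break  # end of the \objdata group
            if c == b"\\":  # skip a control word and its numeric parameter
                i += 1
                while i < len(rtf) and (rtf[i:i + 1].isalnum() or rtf[i:i + 1] == b"-"):
                    i += 1
                continue
            depth += (c == b"{") - (c == b"}")
            if depth == 0 and c in b"0123456789abcdefABCDEF":
                digits += c
            i += 1
        blobs.append(binascii.unhexlify(bytes(digits[:len(digits) & ~1])))
    return blobs

def analyze_rtf(rtf: bytes) -> dict:
    """Flag the post's auto-firing combination: \\objupdate + SOAP WSDL moniker."""
    urls = set()
    for blob in extract_objdata_blobs(rtf):
        for view in (blob, blob.replace(b"\x00", b"")):  # ANSI or UTF-16LE text
            urls.update(u.decode("latin-1") for u in SOAP_WSDL_RE.findall(view))
    objupdate = OBJUPDATE_RE.search(rtf) is not None
    return {"objupdate": objupdate, "wsdl_urls": sorted(urls),
            "suspicious": objupdate and bool(urls)}

def build_sample(objupdate: bool, payload: bytes) -> bytes:
    """Constructed fixture (not a real OLE object): stub header + payload, hex-encoded into \\objdata."""
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + payload + b"\x00"
    upd = b"\\objupdate" if objupdate else b""
    return (b"{\\rtf1\\ansi{\\object\\objemb" + upd + b"{\\*\\objclass Package}"
            b"{\\*\\objdata " + binascii.hexlify(blob) + b"}}}")
```

Running analyze_rtf on build_sample(True, b"soap:wsdl=http://wsdl.example.invalid/poc.wsdl") reports the placeholder WSDL URL and marks the file suspicious, while a document lacking either ingredient is not flagged.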
