# Exploiting CVE-2017-8759: SOAP WSDL Parser Code Injection

*Note: this was posted back in 2017 and was the first post and release of fully weaponised code*

*This post was originally published on* [*https://www.mdsec.co.uk/blog/*](https://www.mdsec.co.uk/blog/) *while I was employed by MDSec Consulting Limited in the United Kingdom. It is mirrored on my own blog for archiving reasons.*

### Introduction <a href="#introduction" id="introduction"></a>

CVE-2017-8759, the vulnerability recently discovered by FireEye being exploited in the wild, is a code injection vulnerability that occurs in the .NET Framework when parsing a WSDL using the SOAP moniker. An overview of the vulnerability can be found in [this](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html) post by FireEye, which is recommended as prerequisite reading.

This vulnerability was of particular interest to us, as its weaponisation could be leveraged during our Adversary Simulation exercises. This post serves as a walkthrough of how to exploit this vulnerability without user interaction using the RTF file format.

### Tutorial <a href="#tutorial" id="tutorial"></a>

Firstly, create a new RTF document containing a new OLE object, using steps similar to those described in our [post on CVE-2017-0199](https://vincentyiu.co.uk/exploiting-cve-2017-0199-hta-handler-vulnerability/).

![](/files/-LQ3TyDVYC6UUKtcL88e)

Next, save the file as an RTF, then reopen it in a hex editor and locate the “objdata” parameter to identify where the OLE blob is. Once the parameter is located, add the “\objupdate” directive as described in our CVE-2017-0199 post.

Once this is complete, retrieve the “blob.bin” OLE blob from this [GitHub](https://github.com/vysec/CVE-2017-8759) repository, open it in a hex editor and update the URL of the WSDL file that contains the code injection. Use this OLE blob to replace the one in the existing RTF document.

At this point, opening the RTF document should cause the exploit to execute the HTA file pointed to by the WSDL, without user interaction.
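From the defensive side, the document produced by the steps above carries two markers a triage script can key on: an `\object` group with the `\objupdate` control word, and a hex-encoded `\objdata` blob embedding the WSDL URL. The following scanner is an added example, not code from the original post or from the linked repository; its sample RTF, blob header bytes and placeholder URL are constructed, it checks for both ASCII and UTF-16LE URLs because the blob's string encoding is not assumed, and its simplified group parser ignores escaped braces.

```python
import re

# Constructed sample, not a real exploit document: one \object group that carries the
# \objupdate control word and a hex-encoded \objdata blob embedding a placeholder URL.
_BLOB = (b"\x01\x05\x00\x00"
         + "http://placeholder.invalid/service.wsdl".encode("utf-16-le")
         + b"\x00\x00")
SAMPLE_RTF = ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
              "{\\*\\objdata " + _BLOB.hex() + "}"
              "{\\result{\\pict\\wmetafile8 00}}}\\par}")

URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def rtf_groups(rtf, control):
    """Yield every brace-delimited group that opens with the given control word."""
    for m in re.finditer(r"\{\\" + re.escape(control) + r"\b", rtf):
        depth = 0
        for i in range(m.start(), len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.start():i + 1]
                    break


def objdata_blob(obj_group):
    """Decode the hex payload of the objdata group inside an object group (b'' if absent/invalid)."""
    for grp in rtf_groups(obj_group, "*\\objdata"):
        hexdata = re.sub(r"\s+", "", grp[len("{\\*\\objdata"):-1])
        if re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", hexdata):
            return bytes.fromhex(hexdata)
    return b""


def scan_rtf(rtf):
    """Flag object groups that auto-update on open or whose OLE blob embeds a URL."""
    findings = []
    for obj in rtf_groups(rtf, "object"):
        blob = objdata_blob(obj)
        urls = [u.decode() for u in URL_ASCII.findall(blob)]
        urls += [u.decode("utf-16-le") for u in URL_UTF16.findall(blob)]
        auto_update = "\\objupdate" in obj
        if auto_update or urls:
            findings.append({"objupdate": auto_update, "urls": urls, "blob_size": len(blob)})
    return findings
```

Run `scan_rtf()` over the text of a suspect RTF; an object group that both auto-updates and points at a remote URL is the combination this tutorial relies on and is worth a closer look.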

An end-to-end video walkthrough of exploiting this vulnerability is shown below:

{% embed url="https://youtu.be/hlkx5uYBT1Y" %}

Happy hacking!
