Introduction to Microsoft Word Remote Code Execution CVE-2015-0097
0x00 Introduction
Microsoft Office Word 2003 / 2007 remote code execution vulnerability (MS15-022).
0x01 Known working environments
Word 2003 and Word 2007 SP3 on Windows XP, 7, 8 and 8.1, all fully up to date at the time of writing.
0x02 POC file description
Create-Recordset.hta: generates recordset.txt and dldrun.vbs
Poc.bin: the object data that is embedded into the Word file
POC-Generator.vbs: generates the POC document when run
Readme + Instructions.rtf: instructions in English
0x03 Basic principle
1. Vulnerability description:
Word instantiates an embedded ADO Recordset object when the document is opened. The object's persisted state makes it write attacker-chosen content to an attacker-chosen local path, which is enough for arbitrary code execution: the file is dropped into the user's Startup folder and runs at the next logon.
2. POC description:
After the malicious Word file is opened:
recordset.txt is downloaded from the remote server and saved into the local Startup folder under the name poc.hta;
poc.hta downloads dldrun.vbs;
dldrun.vbs launches the calculator (the usual harmless proof of execution).
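The three steps above give a detection engineer a concrete set of static indicators: an embedded object whose class is ADODB.Recordset, and object data that carries a Startup-folder path or an .hta file name. The scanner below is an added example written for this page, not a file from the POC package. It handles the RTF form only (in .doc the object lives in the ObjectPool storage, in .docx under word/embeddings, both outside this script). The sample document it scans is constructed inline: its object data only loosely follows the OLE1 object header layout and is not a copy of the real Poc.bin, and the victim path and file name in it are made up.

```python
import re
from typing import Dict, List

# Indicators derived from the behaviour described above. The byte layout of the
# real POC's object data is not reproduced; these are string-level checks.
INDICATORS: Dict[str, bytes] = {
    "ado_recordset": rb"ADODB\.Recordset",
    "startup_folder": rb"(?i)\\Start Menu\\Programs\\Startup\\",
    "hta_drop": rb"(?i)\.hta\b",
    "remote_url": rb"(?i)https?://",
}

# {\*\objclass ProgID} declares the class of an embedded object; {\*\objdata ...}
# carries its hex-encoded OLE1 object data, usually wrapped across many lines.
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^{}\\]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Return every hex-decoded \\objdata payload found in an RTF document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))   # drop line wrapping
        if len(hexdata) % 2:                          # truncated blob: decode what is there
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> Dict[str, List[str]]:
    """Map each indicator to where it was seen: 'objclass' or 'objdata[<n>]'."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    # 1. object classes declared in the RTF text itself
    for m in OBJCLASS_RE.finditer(rtf):
        if re.fullmatch(INDICATORS["ado_recordset"], m.group(1).strip()):
            hits["ado_recordset"].append("objclass")
    # 2. decoded object data, examined as raw bytes and with NUL bytes removed
    #    so that UTF-16LE strings (how Windows stores paths) become matchable
    for i, blob in enumerate(extract_objdata(rtf)):
        where = f"objdata[{i}]"
        for view in (blob, blob.replace(b"\x00", b"")):
            for name, pat in INDICATORS.items():
                if re.search(pat, view) and where not in hits[name]:
                    hits[name].append(where)
    return hits


def is_suspicious(hits: Dict[str, List[str]]) -> bool:
    """Flag an ADODB.Recordset object that names a Startup-folder path or an .hta file."""
    return bool(hits["ado_recordset"]) and bool(hits["startup_folder"] or hits["hta_drop"])


def build_sample_rtf() -> bytes:
    """Constructed sample (not the real POC): one embedded object declared as
    ADODB.Recordset whose data carries a UTF-16LE Startup-folder drop path."""
    drop_path = ("C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
                 "\\Start Menu\\Programs\\Startup\\poc.hta")       # assumed victim path
    native = (b"\x01\x05\x00\x00"                    # OLE version, as in an OLE1 header
              + b"\x02\x00\x00\x00"                  # format id: embedded object
              + b"\x10\x00\x00\x00ADODB.Recordset\x00"  # length-prefixed ANSI class name
              + drop_path.encode("utf-16-le") + b"\x00\x00")
    hexdata = native.hex().upper()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass ADODB.Recordset}"
            b"{\\*\\objdata \n" + wrapped.encode("ascii") + b"}}\n}")


if __name__ == "__main__":
    result = scan_rtf(build_sample_rtf())
    for name, places in result.items():
        print(f"{name:15s} {places}")
    print("suspicious:", is_suspicious(result))
```

A benign document that embeds, say, an Excel sheet produces no ado_recordset hit and is not flagged, so the rule keys on the object class rather than on the mere presence of embedded objects. Run the same scanner over the hex-decoded object data to find the remote URL the object fetches from; that string is what you would pivot on in proxy logs.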
0x04 POC modification
Testing POC-Generator.vbs showed at least three places that need to be changed:
1. Add the server IP address
The strURL variable does not contain the server IP address; it has to be set by hand.
2. Remove redundant prompts
The prompts "Plase tell me the file name of the executable, with the .exe extension, to download and run" and "EXE name" are not needed and can be deleted.
3. The Startup folder path is wrong
The statement Ax.writeLine("svd = ""\users\"" + f + ""\appdata\roaming\microsoft\windows\start menu\programs\startup\poc.hta""") points at a path that does not exist on the target, so the file cannot be written. Check the path against the target before generating the document: it has no drive letter, and the Roaming\AppData layout it assumes is the Vista-and-later profile layout (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), whereas on Windows XP the per-user Startup folder is %USERPROFILE%\Start Menu\Programs\Startup.
0x05 Actual test
1. Modify POC-Generator.vbs as described above and run it.
2. Upload recordset.txt and dldrun.vbs to the server.
3. Open test.rtf locally; poc.hta is written into the Startup folder.
4. At the next logon poc.hta runs, downloads dldrun.vbs, and the calculator appears.
0x06 Additional notes
The test succeeds with .doc, .docx and .rtf documents alike.