CVE-2017-8759

Published: 13/09/2017 Updated: 14/01/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 946
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow a malicious user to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."

Affected Products

Vendor | Product | Versions
Microsoft | .NET Framework | 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7

Exploits

Source: github.com/Voulnet/CVE-2017-8759-Exploit-sample. Running CVE-2017-8759 exploit sample. Flow of the exploit: a Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over WSDL, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe, which in turn runs PowerShell commands t ...

Mailing Lists

Microsoft .NET Framework remote code execution exploit toolkit. Affects versions 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 ...

Github Repositories

CVE-2017-8759 Weaponisation PoC. This repository contains data that can be used to weaponise the CVE-2017-8759 vulnerability. For full information visit www.mdsec.co.uk/blog/ to find the post related to this vulnerability. As always, my research is aimed to help the community become more aware of rising threats as well as the adversary simulation community to better simu

Introduction to the CVE-2017-8759 vulnerability and its exploitation by generating a file

Exploit tool CVE-2017-8759. Exploit tool CVE-2017-8759 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. Disclaimer: This program is for Educational purpos

Exploit toolkit CVE-2017-8759 - v1.0. Exploit toolkit CVE-2017-8759 - v1.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. Disclaimer: This program is fo

What is CVE-2017-8759? It is a Remote Code Execution Vulnerability on SOAP WSDL. A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete d

CVE-2017-8759-exploits. Two versions of CVE-2017-8759 exploits. Example 1 - Downloads a .Net dll from a remote location (without touching disk), loads and executes. Example 2 - Loads an embedded .Net dll and executes.

CVE-2017-8759-Exploit-sample. Running CVE-2017-8759 exploit sample. Flow of the exploit: a Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over WSDL, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe, which in turn runs PowerShell commands that run mspaint.exe. To test: Run a webserver on port 8080, and put

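CVE-2017-8759. CVE-2017-8759: How to use? www.lz1y.cn/?p=799. In the cmd.hta file, change 192.168.211.149:80 to your phishing domain and port. Likewise, in exploit.txt, change example.com to your phishing domain and port. I found that many people ran into problems at the BIN to RTF step, so I modified someone else's script and rewrote it using the RTF-creation function.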

Exploit toolkit for CVE-2017-8759. Do not be an asshole. Simple tool written in C# to handle the RCE vulnerability in .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7, aka ".NET Framework Remote Code Execution Vulnerability". Help: C:\Users\Jonas Uliana\tools>CVE-2017-8759.exe /h INFO : Exploit toolkit for CVE-2017-8759 DEV : Uliana Tech SITE :

CVE-2017-8759 vulnerability detection script

CVE-2017-8759. Just my ports of CVE-2017-8759. Code shifted to another parent repository. Redirect?

CVE-2017-8759. This repo contains sample exploits for CVE-2017-8759 for Microsoft PowerPoint, along with a description of how similar vulnerabilities were, and can, be exploited using the same techniques. Some background: The aim of publishing this repo is to highlight alternative exploitation techniques that defenders may currently be unaware of. By highlighting these alternativ

RTF-Cleaner RTF Cleaner, tries to extract URL from malicious RTF samples using CVE-2017-0199 & CVE-2017-8759

QuickSand.io. QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits. File Formats For Exploit and Active

CEH_resources. Repository of hacking resources. Hacking repo --> github.com/Hack-with-Github/Awesome-Hacking. CTF RESOURCES: github.com/apsdehal/awesome-ctf. Helpful commands --> www.tunnelsup.com/helpful-linux-commands-for-ctfs/. Tools --> resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf

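office-exploits. This repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO. Other ways of executing commands through injection. Other vulnerabilities. The following vulnerabilities have not yet been tested: CVE-2017-0199, webSettings.xml to obtain the NTLM SSP hash, macro. Tools. Generation and obfuscation: Shellntel/luckystrike - A PowerShell base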

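office-exploits. This repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO. Other ways of executing commands through injection. Other vulnerabilities. The following vulnerabilities have not yet been tested: CVE-2017-0199. thom-s/docx-embeddedhtml-injection - This PowerShell script exploits a known vulnerability in Word 2016 docum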

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25+Gb. Install Guide: apt -y install git apache2 python-requests libapache2-mod-php python-pymssql build-essential python-pexpect python-pefile python-crypto python-openssl libssl1.0-dev libffi-dev

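Statistics on hacks in the blockchain ecosystem. Reference sources: EOS fake deposit (hard_fail status attack) red alert, disclosure of details and fix: paper.seebug.org/853/. A collection of tools for the different phases of penetration testing. Reconnaissance phase. Active intelligence gathering. EyeWitness: can take screenshots of websites, provide some server header information, and identify default credentials where possible. github.com/ChrisTruncer/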

Red Teaming/Adversary Simulation Toolkit. A collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagement. If you want to contribute to this list send me a pull request. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfil

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25G. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfiltration, Misc, References. Reconnaissance: Active Intelligenc

Awesome Stars. A curated list of my GitHub stars! Generated by starred. Contents: ActionScript AppleScript Arduino Assembly AutoHotkey Batchfile Brainfuck C C# C++ CMake CSS Clojure CoffeeScript Common Lisp Crystal Cuda D DIGITAL Command Language Dart Dockerfile Elixir Elm Emacs Lisp Erlang F# GAP Gherkin Go Gosu Groff HTML Haskell Java JavaScript Julia Jupyter Notebook Kotli

APT & CyberCriminal Campaign Collection. This is a collection of APT and CyberCriminal campaigns. Please fire issue to me if any lost APT/Malware events/campaigns. 🤷 The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla, APTnotes, Florian Roth - APT Groups, Attack Wiki

APT & CyberCriminal Campaign Collection. This is a collection of APT and CyberCriminal campaigns. Please fire issue to me if any lost APT/Malware events/campaigns. 🤷 The password of malware samples could be 'virus' or 'infected'. Reference Resources: kbandla, APTnotes, Florian Roth - APT Groups, Attack Wiki, threat-INTel, targetedthreats, Raw Threat Intel

office-exploit-case-study. Most samples are malware used in the real world, please study them in virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding paper if mentioned. Exploits before 2012 not included. Feel free to open issues if you have any questions. What did Microsoft do to make office more secure? 1. Dat

MicroSoft Office RCEs. A collection of MicroSoft Office vulnerabilities that could end up remote command execution: CVE-2012-0158, CVE-2015-1641 (customXML type confusion), CVE-2016-7193 (dfrxst), CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 (.NET Framework), CVE-2017-11182, CVE-2017-11826 (EQNEDT32.EXE), CVE-2018-0802 (EQNEDT32.EXE again), CVE-2018-0797 (RTF UAF), CVE-2018-8597 (Excel), CVE-2018

office-exploit-case-study. Collection of office exploit used in the real world recent years with samples and writeup, please study them in virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding writeup if mentioned. If you are looking for more poc (reported by researchers and never used in the real world), you ca

Awesome Stars. A curated list of my GitHub stars! Generated by starred. Contents: ASP Arduino Assembly AutoHotkey AutoIt Batchfile C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask Max Nginx Objective-C Objective-C++ Others PHP PLpgSQL Pascal Perl PostScri

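Project overview: information gathering, attack attempts to gain access, persistent control, privilege escalation, network information gathering, lateral movement, data analysis (with further persistent control on that basis), and covering tracks. address | introduce | -|-|- Name | Description | List of security-related resources: arxiv.org, Cornell University open documents; github.com/sindresorhus/awesome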

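Project overview: information gathering, attack attempts to gain access, persistent control, privilege escalation, network information gathering, lateral movement, data analysis (with further persistent control on that basis), and covering tracks. List of security-related resources: arxiv.org, Cornell University open documents; github.com/sindresorhus/awesome, the awesome series; www.owasp.org.cn/owasp-pr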

Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

IT threat evolution Q2 2019. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Boris Larin Oleg Kupreev Evgeny Lopatin • 19 Aug 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q2 2019 will be remembered for several events.
First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.
Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobil...

IT threat evolution Q1 2019. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Boris Larin Oleg Kupreev Evgeny Lopatin • 23 May 2019

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q1 2019 is remembered mainly for mobile financial threats.
First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartpho...

IT threat evolution Q1 2018. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Alexander Liskin Oleg Kupreev • 14 May 2018

According to KSN:
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.
It wasn’t a drive-by-download case, since the success of the attack larg...

The King is dead. Long live the King!
Securelist • Vladislav Stolyarov Boris Larin Anton Ivanov • 09 May 2018

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by...

Threat Landscape for Industrial Automation Systems in H2 2017
Securelist • Kaspersky Lab ICS CERT • 26 Mar 2018

For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second hal...

Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware
Threatpost • Tom Spring • 17 Jan 2018

Spam campaigns delivering Zyklon HTTP malware are attempting to exploit three relatively new Microsoft Office vulnerabilities. The attacks are targeting telecommunications, insurance and financial service firms.
According to FireEye researchers who identified the campaigns, attackers are attempting to harvest passwords and cryptocurrency wallet data along with recruiting targeted systems for possible future distributed denial of service attacks.
Researchers said attacks begin with sp...

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
Fireeye Threat Research • by Swapnil Patil, Yogesh Londhe • 17 Jan 2018

Introduction
FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.
Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self...

A Hacking Group Is Already Exploiting the Office Equation Editor Bug
BleepingComputer • Catalin Cimpanu • 24 Nov 2017

A week after details about a severe Microsoft Office vulnerability came to light, at least one criminal group is now using it to infect users.
The group is not your regular spam botnet, but a top cyber-criminal operation known to security researchers as Cobalt, a hacking outfit that has targeted banks, ATM networks, and financial institutions for the past two years.
According to Reversing Labs, a UK-based cyber-security firm, the Cobalt group is now spreading RTF documents to high-va...

IT threat evolution Q3 2017. Statistics
Securelist • Roman Unuchek Fedor Sinitsyn Denis Parinov Alexander Liskin • 10 Nov 2017

According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
72,012,219 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.
Crypto ransomware attacks were blocked on 186283 computers of unique users.
Kaspersky Lab’s ...

Here's a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug
The Register • Iain Thomson in San Francisco • 16 Oct 2017

So much for that security-patch-free October

Adobe today issued an emergency security patch for Flash, which squashes a bug being used in the wild right now by hackers to infect Windows PCs with spyware.
The flaw, CVE-2017-11292, was discovered by Kaspersky Labs, and affects all current versions of Flash for Windows, macOS, Linux and Chrome OS. A programming cockup in the software allows malicious Flash files – hidden on websites or embedded in Office documents and other files – to corrupt the plugin's internal memory structures ...

BlackOasis APT and new targeted attacks leveraging zero-day exploit
Securelist • GReAT • 16 Oct 2017

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com
Kaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.
On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in...

Adobe Patches Flash Zero Day Exploited by Black Oasis APT
Threatpost • Michael Mimoso • 16 Oct 2017

Adobe today released an out-of-band Flash Player update addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group.
The group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. Sold by the controversial German company Gamma International, FinSpy, or FinFisher, is a suite of surveillance and espionage software used to remotely monitor compromised computers. It’s sold to governments and law enfor...

Adobe Patches Flash Zero-Day Used by BlackOasis APT
BleepingComputer • Catalin Cimpanu • 16 Oct 2017

Last week, Adobe claimed it wouldn't release security updates for the first time since July 2012 because it had nothing to patch.
Less than six days later, the company released a critical update for Flash Player that fixes a zero-day vulnerability exploited in live attacks.
The zero-day, CVE-2017-11292, is a "type confusion" that leads to remote code execution on targeted systems.
The issue affects Flash Player 27.0.0.159 on Windows, Linux, macOS, and Chrome OS. Adobe fixed the...

ISP Involvement Suspected in the Distribution of FinFisher Spyware
BleepingComputer • Catalin Cimpanu • 21 Sep 2017

Security researchers have tracked a malware distribution campaign spreading the FinFisher spyware — also known as FinSpy — to the infrastructure of Internet Service Providers (ISPs) in at least two countries.
Researchers suspect that ISPs used their ability to control user traffic and redirect users attempting to download certain software to a different link offering the same software, but laced with the FinFisher spyware.
The list of malware-infected applications delivered this...

It's September 2017, and .NET lets PDFs hijack your Windows PC
The Register • Shaun Nichols in San Francisco • 12 Sep 2017

Look Microsoft, we'll stop these headlines when your stuff stops getting pwned

While much of the tech world is still fixating on Apple's $1,000 face-reading iPhone, administrators are going to be busy testing and deploying this month's Patch Tuesday load.
Microsoft, Adobe, and Google have all released patches to mark the second Tuesday of the month. The updates include fixes for Flash, Edge, Internet Explorer, and Android.
Redmond's September patch dump addresses a total of 81 CVE-listed vulnerabilities, 39 of which would allow for remote code execution. Four o...

Microsoft Patches .NET Zero Day Vulnerability in September Update
Threatpost • Tom Spring • 12 Sep 2017

An actively exploited zero-day vulnerability tied to Microsoft’s .NET framework is one of 25 critical and 54 important vulnerabilities fixed by Microsoft in its September Patch Tuesday security bulletin.
According to Microsoft, the .NET framework vulnerability (CVE-2017-8759) allows attackers to “take control of an affected system.” From there, attackers can install programs and view, change, or delete data, or create new accounts with full user rights.
“To exploit the vulner...

Microsoft September Patch Tuesday Fixes 82 Security Issues, Including a Zero-Day
BleepingComputer • Catalin Cimpanu • 12 Sep 2017

Moments ago, Microsoft published the September 2017 Patch Tuesday, and this month the OS maker fixed 82 security bugs.
Among the patches, there is one zero-day vulnerability exploited in the wild and three bugs whose details became public but have yet to be exploited in attacks.
The zero-day is tracked under the identifier of CVE-2017-8759 and is a remote code execution vulnerability that affects the .NET Framework.
"An attacker who successfully exploited this vulnerability in ...

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
Fireeye Threat Research • by Genwei Jiang, Ben Read, James T. Bennett • 12 Sep 2017

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.
FireEye shared the details of the vulnerability wi...