CVE-2017-8759

Published: 13/09/2017 Updated: 14/01/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 935
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow a malicious user to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."

Affected Products

Vendor: Microsoft | Product: .NET Framework | Versions: 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7

Exploits

Source: github.com/Voulnet/CVE-2017-8759-Exploit-sample. Running CVE-2017-8759 exploit sample. Flow of the exploit: Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe, which in turn runs powershell commands t ...

Mailing Lists

Microsoft .NET Framework remote code execution exploit toolkit. Affects versions 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 ...

Github Repositories

CVE-2017-8759 Weaponisation PoC. This repository contains data that can be used to weaponise the CVE-2017-8759 vulnerability. For full information visit www.mdsec.co.uk/blog/ to find the post related to this vulnerability. As always, my research is aimed to help the community become more aware of rising threats as well as the adversary simulation community to better simu

Exploit toolkit for CVE-2017-8759. Do not be an asshole. Simple tool written in C# to handle the RCE vulnerability in .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7, aka ".NET Framework Remote Code Execution Vulnerability". Help: C:\Users\Jonas Uliana\tools>CVE-2017-8759.exe /h INFO : Exploit toolkit for CVE-2017-8759 DEV : Uliana Tech SITE :

CVE-2017-8759-Exploit-sample. Running CVE-2017-8759 exploit sample. Flow of the exploit: Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe, which in turn runs powershell commands that run mspaint.exe. To test: Run a webserver on port 8080, and put

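CVE-2017-8759 CVE-2017-8759 How to use? www.lz1y.cn/?p=799 In the cmd.hta file, change 192.168.211.149:80 to your phishing domain and port. Likewise, in exploit.txt change example.com to your phishing domain and port. I found that many people ran into problems at the BIN to RTF step, so I modified someone else's script and rewrote a script using the RTF-creation function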

What is CVE-2017-8759? It is a Remote Code Execution Vulnerability on SOAP WSDL. A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete d

Exploit toolkit CVE-2017-8759 - v1.0. Exploit toolkit CVE-2017-8759 - v1.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration. Disclaimer: This program is fo

CVE-2017-8759 Just My ports of CVE-2017-8759. Code shifted to another parent repository. Redirect?

Introduction to and exploitation of the CVE-2017-8759 vulnerability by generating a file

CVE-2017-8759-exploits Two versions of CVE-2017-8759 exploits. Example 1 - Downloads a .NET dll from a remote location (without touching disk), loads and executes. Example 2 - Loads an embedded .NET dll and executes

CVE-2017-8759 vulnerability detection script

CVE-2017-8759. This repo contains sample exploits for CVE-2017-8759 for Microsoft PowerPoint, along with a description of how similar vulnerabilities were, and can, be exploited using the same techniques. Some background: The aim of publishing this repo is to highlight alternative exploitation techniques that defenders may currently be unaware of. By highlighting these alternativ

QuickSand.io QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits. File Formats For Exploit and Active

RTF-Cleaner RTF Cleaner, tries to extract URL from malicious RTF samples using CVE-2017-0199 & CVE-2017-8759

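office-exploits This repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO, other ways of executing commands via injection. Other vulnerabilities (the following have not been tested yet): CVE-2017-0199, webSettings.xml to obtain NTLM SSP hash, macro. Tools: generation, obfuscation: Shellntel/luckystrike - A PowerShell base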

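office-exploits This repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO, other ways of executing commands via injection. Other vulnerabilities (the following have not been tested yet): CVE-2017-0199. thom-s/docx-embeddedhtml-injection - This PowerShell script exploits a known vulnerability in Word 2016 docum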

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25+Gb. Install Guide: git clone github.com/shr3ddersec/Shr3dKit.git, pip install -r requirements.txt, bash shr3dkit.sh. Change Log: Fixed: macro_pack, LaZagne. Code: Added all requirements to s

Red Teaming/Adversary Simulation Toolkit. A collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagement. If you want to contribute to this list send me a pull request. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfil

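Statistics on hacks in the blockchain ecosystem. Reference sources: EOS fake deposit (hard_fail status attack) red alert, disclosure of details and remediation plan: paper.seebug.org/853/ A collection of tools for the different stages of penetration testing. Reconnaissance phase: active intelligence gathering. EyeWitness: can be used to take screenshots of websites, provide some server header information, and identify default credentials where possible. github.com/ChrisTruncer/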

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ActionScript AppleScript Arduino Assembly AutoHotkey Batchfile Brainfuck C C# C++ CMake CSS Clojure CoffeeScript Common Lisp Crystal Cuda D DIGITAL Command Language Dart Dockerfile Elixir Elm Emacs Lisp Erlang F# GAP Gherkin Go Gosu Groff HTML Haskell Java JavaScript Julia Jupyter Notebook Kotli

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25G. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfiltration, Misc, References. Reconnaissance: Active Intelligenc

APT & CyberCriminal Campaign Collection. This is a collection of APT and CyberCriminal campaigns. Please fire issue to me if any lost APT/Malware events/campaigns. 🤷 The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla, APTnotes, Florian Roth - APT Groups, Attack Wiki

APT & CyberCriminal Campaign Collection. This is a collection of APT and CyberCriminal campaigns. Please fire issue to me if any lost APT/Malware events/campaigns. 🤷 The password of malware samples could be 'virus' or 'infected'. Reference Resources: kbandla, APTnotes, Florian Roth - APT Groups, Attack Wiki, threat-INTel, targetedthreats, Raw Threat Intel

office-exploit-case-study Most samples are malware used in the real world, please study them in virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding paper if mentioned. Exploits before 2012 not included. Feel free to open issues if you have any questions. What did Microsoft do to make office more secure? 1Dat

office-exploit-case-study Collection of office exploit used in the real world recent years with samples and writeup, please study them in virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding writeup if mentioned. If you are looking for more poc (reported by researchers and never used in the real world), you ca

MicroSoft Office RCEs. A collection of MicroSoft Office vulnerabilities that could end up remote command execution: CVE-2012-0158 CVE-2015-1641(customXML type confusion) CVE-2016-7193(dfrxst) CVE-2017-0199 CVE-2017-8570 CVE-2017-8759(.NET Framework) CVE-2017-11182 CVE-2017-11826(EQNEDT32.EXE) CVE-2018-0802(EQNEDT32.EXE again) CVE-2018-0797(RTF UAF) CVE-2018-8597(Excel) CVE-2018

My Infosec Awesome My curated list of awesome links, resources and tools Articles Cryptography Digital Forensics and Incident Response Exploitation Hardening Malware Analysis Mobile Security Post Exploitation Privacy Reverse Engineering Tutorials Web Application Security Tools Adversary Emulation AWS Security Binary Analysis Cryptography Data Exfiltration Data Sets Digit

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

IT threat evolution Q1 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Alexander Liskin, Oleg Kupreev • 14 May 2018

According to KSN:
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.
It wasn’t a drive-by-download case, since the success of the attack larg...

The King is dead. Long live the King!
Securelist • Vladislav Stolyarov, Boris Larin, Anton Ivanov • 09 May 2018

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by...

Threat Landscape for Industrial Automation Systems in H2 2017
Securelist • Kaspersky Lab ICS CERT • 26 Mar 2018

For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second hal...

Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware
Threatpost • Tom Spring • 17 Jan 2018

Spam campaigns delivering Zyklon HTTP malware are attempting to exploit three relatively new Microsoft Office vulnerabilities. The attacks are targeting telecommunications, insurance and financial service firms.
According to FireEye researchers who identified the campaigns, attackers are attempting to harvest passwords and cryptocurrency wallet data along with recruiting targeted systems for possible future distributed denial of service attacks.
Researchers said attacks begin with sp...

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
FireEye Threat Research • by Swapnil Patil, Yogesh Londhe • 17 Jan 2018

Introduction
FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.
Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self...

IT threat evolution Q3 2017. Statistics
Securelist • Roman Unuchek, Fedor Sinitsyn, Denis Parinov, Alexander Liskin • 10 Nov 2017

According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
72,012,219 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.
Crypto ransomware attacks were blocked on 186,283 computers of unique users.
Kaspersky Lab’s ...

Here's a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug
The Register • Iain Thomson in San Francisco • 16 Oct 2017

So much for that security-patch-free October

Adobe today issued an emergency security patch for Flash, which squashes a bug being used in the wild right now by hackers to infect Windows PCs with spyware.
The flaw, CVE-2017-11292, was discovered by Kaspersky Labs, and affects all current versions of Flash for Windows, macOS, Linux and Chrome OS. A programming cockup in the software allows malicious Flash files – hidden on websites or embedded in Office documents and other files – to corrupt the plugin's internal memory structures ...

BlackOasis APT and new targeted attacks leveraging zero-day exploit
Securelist • GReAT • 16 Oct 2017

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com
Kaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.
On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in...

Adobe Patches Flash Zero Day Exploited by Black Oasis APT
Threatpost • Michael Mimoso • 16 Oct 2017

Adobe today released an out-of-band Flash Player update addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group.
The group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. Sold by the controversial German company Gamma International, FinSpy, or FinFisher, is a suite of surveillance and espionage software used to remotely monitor compromised computers. It’s sold to governments and law enfor...

It's September 2017, and .NET lets PDFs hijack your Windows PC
The Register • Shaun Nichols in San Francisco • 12 Sep 2017

Look Microsoft, we'll stop these headlines when your stuff stops getting pwned

While much of the tech world is still fixating on Apple's $1,000 face-reading iPhone, administrators are going to be busy testing and deploying this month's Patch Tuesday load.
Microsoft, Adobe, and Google have all released patches to mark the second Tuesday of the month. The updates include fixes for Flash, Edge, Internet Explorer, and Android.
Redmond's September patch dump addresses a total of 81 CVE-listed vulnerabilities, 39 of which would allow for remote code execution. Four o...

Microsoft Patches .NET Zero Day Vulnerability in September Update
Threatpost • Tom Spring • 12 Sep 2017

An actively exploited zero-day vulnerability tied to Microsoft’s .NET framework is one of 25 critical and 54 important vulnerabilities fixed by Microsoft in its September Patch Tuesday security bulletin.
According to Microsoft, the .NET framework vulnerability (CVE-2017-8759) allows attackers to “take control of an affected system.” From there, attackers can install programs and view, change, or delete data, or create new accounts with full user rights.
“To exploit the vulner...

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
FireEye Threat Research • by Genwei Jiang, Ben Read, James T. Bennett • 12 Sep 2017

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.
FireEye shared the details of the vulnerability wi...