Voulnet/CVE-2017-8759-Exploit-sample

Windows 10, Word 2013 not working

Closed this issue · 16 comments

I have a Win10, Word 2013 box. I completed the whole tutorial and when I open Word, I get an automation error. If I pull down the hta file myself and manually open it, it works fine. What gives? I cannot get the exploit.txt to auto run the cmd.hta. I set the localhost in the exploit.txt and the macro to my local Kali box, host the files on the root of my webserver and finally, launch the webserver. I can see the download of the exploit, but it never grabs the cmd.hta.

I am also getting a "Microsoft Visual Basic for Application: Automation Error" error message as well. I am testing the Word Doc on Windows 7 SP1 running Office 2016 and I am hosting the cmd.hta and exploit.txt files out of my Kali root web server. When I open the document, I can't see anything happening from the Kali machine (this is when SimpleHTTPServer is running).

Glad it's not just me, I've gotten other exploits of this CVE to work using Metasploit and Meterpreter.

Yeah, same here. I'm sure it is something we are missing from our setups.

I don't know man, I've literally read every single letter of every word on a few sites and watched a few videos - this isn't that complicated of an exploit. That automation error, I think, is causing this not to work. Or we got patched already and don't know it. Have you checked your Win7 box for the KB to patch this?

I'm pretty sure I didn't apply this month's updates. I think, however, this may be related to Visual Studio 2017. I have it installed and I've come across other issues relating to VS 2017. Unfortunately, a simple Google search doesn't find anything.

Interesting. I have Visual Studio 2013 installed.

I could try my Win7 VM. But I'll need to get Word on it. Actually, ya know what, I tried this on my mom's Win8 box and same deal. She doesn't have VS installed.

If you get anywhere, let me know. I'm going to keep trying. I'm sure it's something stupid.

Figured it out. I was patched. I removed the patch installed on 9/13, rebooted, and the exploit worked.

Fuck. Lucky you. Congrats and happy hacking.

You sure you don't have the patch? I spent fucking hours trying different shit and I was finally like, let me just check.

I had some Sept. patches installed (non-security) thinking that it would fix the issue. That didn't work so I uninstalled them and tried again. No luck. So, I am uninstalling my copy of VS 2017 to see if that would work. As of now, all my updates are as recent as May 2017.

@derek7467 I got it to work. It was user error on my part (D'oh).

What was it?

First, I wasn't entering the correct IP address in exploit.txt and in the Word Doc Object. Second, I was only running SimpleHTTPServer. I put cmd.hta and exploit.txt in the www folder, ran Apache and ran SimpleHTTPServer 8080. I guess the Word document not reaching exploit.txt caused the VS automation error. I should have known better. Anyhow, all is good. I got calc.exe and mspaint.exe to run. I tried to get the script to connect back to my machine via Metasploit but no luck. I'll try that Empire suite to see how that works.

Ah OK. Nice that you got it working. Yeah, Empire is pretty cool. Similar to Metasploit. There's a vid out there on using this exploit with Metasploit but it passes through a payload via an exe so I would imagine we would need Veil to bypass AVs. Either way, businesses better patch this quickly.