Microsoft patch?

[leosilberg]

Hey man awesome work with this tool. I was just wondering what Microsoft patch involved. So far I've read they only block 2 file types - hta and script. I'm playing around with different files besides these and they seem to work. Have you found the same issue and which file types have you used?
Thanks

[resource-not-found-blank]

Patch blocked next CLSID:
{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} => htafile <= CVE-2017-0199 (over http);
{06290BD3-48AA-11D2-8432-006008C3FBFC} => script <= CVE-2017-0199 (over http);
{06290BD2-48AA-11D2-8432-006008C3FBFC} => scriptletfile <= CVE-2017-8570 (over smb).

[leosilberg]

And there are no other file types that can be executed?

[leosilberg]

For example a vbs file? My limited understanding is that office loads the associated dll of the file and executes. Does this mean any file can work

[resource-not-found-blank]

Office request CLSID over ole32.dll (call GetClassFile()).
https://msdn.microsoft.com/ru-ru/library/windows/desktop/ms691424(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ms688580(v=vs.85).aspx

[leosilberg]

Lastly, in the ppsx file the Target="script: can that be changed? I know of the URL moniker but are there any other ones?

[resource-not-found-blank]

In RTF-file HEX-string: e0c9ea79f9bace118c8200aa004ba90b, it's CLSID: 79eac9e0-baf9-11ce-8c82-00aa004ba90b.
CLSID: 79eac9e0-baf9-11ce-8c82-00aa004ba90b => URL Moniker (C:\Windows\system32\urlmon.dll).
URl Moniker create session to external resource and download request.
Request have type (Header "ContentType").
If type = "application/hta" > CLSID 3050F4D8-98B5-11CF-BB82-00AA00BDCE0B (htafile) > C:\Windows\System32\mshta.exe
Mshta.exe starts and executes the previously loaded request body.

[leosilberg]

Thanks

[X0R1972]

Just use Empire windows/launcher.vbs

[X0R1972]

not working,all pc's are patched now