Related vulnerability
Title: Microsoft MSHTML.DLL Remote Code Execution Vulnerability (CVE-2021-40444). Description: Microsoft MSHTML.DLL is a dynamic-link library from Microsoft (United States) used to parse HTML; applications such as Internet Explorer, Outlook and Outlook Express use it. Microsoft MSHTML.DLL has a remote code execution vulnerability (some trackers file it as a path traversal, because the exploit chain relies on one): a remote attacker can craft an Office document carrying a malicious ActiveX control, lure the victim into opening it, and execute arbitrary code on the system.
Description
Reverse engineering the "A Letter Before Court 4.docx" malicious files exploiting CVE-2021-40444
Introduction
# cve-2021-40444
Reverse engineering the "A Letter Before Court 4.docx" malicious files exploiting CVE-2021-40444
Files (including malicious word and cab-file) may be downloaded on any.run: https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/#
**Note!**
The domain name in the original malicious code has been **replaced with 127.0.0.1:8000** so that the code cannot accidentally reach the real server while you work with it.
So, if you want to serve your own championship.inf (which is actually a PE file), run this from the directory that holds the file; the server listens on port 8000 by default, which matches the substituted address:

```shell
python3 -m http.server
```
**The step 3 file**
In this step the code is human-readable enough to see how the CVE-2021-40444 bug is used by the malicious Word document.
**championship.inf**
This is the PE file that is loaded on a successful attack.
**Stages**
1. The Word file loads a web address (Internet URL) as an OLE object (side.html in this case)
2. side.html uses ActiveX loading to download a .cab file from the Internet
3. The JavaScript in side.html references the championship.inf contained in the .cab file as a loadable ActiveX object
4. Thereafter, code execution via the ActiveX control
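Stage 1 above (Word fetching the OLE object from a URL instead of from inside the package) leaves a simple static indicator in the .docx: an oleObject relationship in word/_rels/ whose TargetMode is External and whose Target is a URL. The following Python scanner is an added example, not code from the original repository or the any.run sample; it checks a document for that indicator. The documents it scans are constructed in-memory stand-ins (the lure uses the 127.0.0.1:8000 placeholder from the note above), and the `mhtml:...!x-usc:...` URL shape is an assumption about how such lures are commonly written, not something taken from this page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for OLE objects; the lure keeps this type
# but points the Target at a remote page instead of an embedded part.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_ole_targets(docx_bytes):
    """Return the Target of every oleObject relationship with TargetMode="External".

    A benign document embeds OLE payloads inside the package (no TargetMode, or
    "Internal"); an external oleObject relationship is what makes Word fetch
    side.html in stage 1 of the chain described above.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Relationship parts live under word/_rels/, e.g. document.xml.rels
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target"))
    return targets


def suspicious_targets(targets):
    """Keep only targets that pull a page over the network (mhtml:, http(s):)."""
    return [t for t in targets
            if re.match(r"^(mhtml:|https?://)", t, re.IGNORECASE)]


def scan_docx(docx_bytes):
    """List of remote OLE targets found in the document; empty if none."""
    return suspicious_targets(external_ole_targets(docx_bytes))


def build_sample_docx(target, external):
    """Constructed minimal .docx (sample input, not a real maldoc) with one OLE
    relationship. Word would need more parts to open it; the scanner does not."""
    rel = '<Relationship Id="rId1" Type="%s" Target="%s"%s/>' % (
        OLE_REL_TYPE, target, ' TargetMode="External"' if external else "")
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS[1:-1], rel))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed lure URL using the 127.0.0.1:8000 substitution the README applies
# to the real domain; the !x-usc: suffix is an assumed MHTML sub-resource form.
LURE_TARGET = ("mhtml:http://127.0.0.1:8000/side.html"
               "!x-usc:http://127.0.0.1:8000/side.html")
BENIGN_TARGET = "embeddings/oleObject1.bin"   # a normal embedded OLE part


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_docx(LURE_TARGET, external=True)),
                        ("benign", build_sample_docx(BENIGN_TARGET, external=False))):
        print(label, "->", scan_docx(blob) or "no remote OLE object")
```

To check the real sample from any.run, read the .docx into bytes and pass it to `scan_docx`; a non-empty result means the document will ask Word to fetch an HTML page before any of the later stages run.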
File snapshot
[4.0K] /data/pocs/da863c808521de56bf4a1459e3622e8966c21cb5
├── [1.1K] README.md
├── [7.7K] side_step1.html
├── [6.2K] side_step2.html
└── [3.4K] side_step3.html
0 directories, 4 files
Notes
1. We recommend accessing the original source first.
2. If the source has disappeared or is unreachable, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.