CVE-2021-40444/README.md

# Fully Weaponized CVE-2021-40444

Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files.

# Background

Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability,
as what I found available lacked valuable information that it's worth sharing, also considering Microsoft already
released a patch for this vulnerability.

So far, the only valuable resources I've seen to create a fully working generator are:
* [Blog by Ret2Pwn](https://xret2pwn.github.io//CVE-2021-40444-Analysis-and-Exploit/)
* [Twit by j00sean](https://twitter.com/j00sean/status/1437390861499838466)

The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much
unnecessary information, I'll just summarize the relevant details.

### Exploit Chain
1. Docx opened
2. Relationship stored in document.xml.rels points to malicious html
3. IE preview is launched to open the HTML link
4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
   prefixed with the ".cpl:" directive
5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32 
  (if this is a DLL)

### Overlooked Requirements

There are quite a bit of overlooked requirements for this exploit to work, which caused even good PoCs, like
[the one by lockedbyte](https://github.com/lockedbyte/CVE-2021-40444), to fail working properly.

Maybe nobody explicitly "released" them to avoid the vulnerability to be exploited more. But now it's patched,
so it should not cause a lot of troubles to release the details.

#### HTML File

As for this [tweet](https://twitter.com/wdormann/status/1440036541112328199) by [Will Dormann](https://twitter.com/wdormann), 
the HTML should be at least 4096 bytes in size in order to trigger the "Preview" within MS Word. 

#### CAB File

The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:
* `filename.inf` should become `../filename.inf`
* `filename.inf` should be exactly `<12-char>.inf`
* `CFFOLDER.typeCompress` should be 0 (not compressed)
* `CFFOLDER.coffCabStart` should be increased by 3
* `CFFOLDER.cCfData` should be 2
* `CFFILE.cbFile` should be greater than the whole `CFHEADER.cbCabinet`
* `CFDATA.csum` should be recalculated (or zeroed out)

The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but 
let's see the most important:

* **TypeCompress**: If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail
* **CoffCabStart**: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../', 
  we would need to increase this by 3 to point to the file (this is more like a guess)
* **cCfData**: As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2
* **cbFile**: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion
  by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the
  cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading
  all the bytes defined in cbFile, raising an extraction error.
* Last but not least, the **csum** value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean)
  and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf), 
  this value can be 0

**NOTE1**: Defender now detects if the CAB file contains a PE by using the `_IMAGE_DOS_HEADER.e_magic` value as a 
signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed? 
I'm not sure but, as observed before, this is a patched vulnerability, so I'm not planning to invest much more time 
on this. Up to the curious reader to develop this further.

**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)

# DLL Attack

The main attack chain associated with CVE-2021-40444 is the DLL attack loaded via the `.cpl` URI scheme. In order to 
exploit that, an attacker needs to generate a specially crafted DLL. If you want to test it out, try my [evildll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011)
script.

# JScript, VBScript, Javaw, MSIexec, ...

As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and 
the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.

Indeed, irtshould be noted that the method used in the exploit to download files is based on ActiveX control updates, 
and cannot be used to download arbitrary files.
As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
can point just to a few filetypes: OCX, INF and CAB.

Even if we can directly download an OCX or INF file, we still can't be sure to download the file in the right location 
within the system. With the cab exploit, it is possible to move the `.inf` file in a well-known path using the path traversal,
but in any other case the file will be stored in a random directory, making it virtually impossible to reference it.

As of today, I didn't find a way to chain download and execution WITHOUT a CAB file.

Note: Talking about IE alone, HTML smuggling could be a possible scenario to exploit the vulnerability.

# Cab-less file attack using hybrid RAR file

This technique was firstly disclosed by [Eduardo Braun](https://twitter.com/Edu_Braun_0day) on Twitter and further explained in [this](https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf) paper.

Please note that using this technique, the attack chain is a bit different. This attack requires the user to download 
a specially crafted RAR file, obtained by chaining a valid WSF script and a valid RAR file. Once opened, the RAR will contain 
a DOCX with a reference to an HTML, which in turn will try to load the RAR file as a WSF script.

To summarise:

1. Specially crafted RAR file is downloaded (likely Download folder)
2. DOCX extracted and opened
3. Relationship stored in document.xml.rels points to malicious html
4. IE preview is launched to open the HTML link
5. JScript within the HTML contains a script/iframe pointing to the RAR file, prefixed with the ".wsf:" URI scheme
6. As the RAR was designed to be contemporaneously a valid RAR and a valid WSF script, the script is executed

# What are the exploits PoC implemented by the tool

The generator utility can currently reproduce the following attacks:

| Attack                                    | HTML Templates      | Target | Delivery Method | Execution Method | Working         |
|-------------------------------------------|---------------------|--------|-----------------|------------------|-----------------|
| Original version of the attack            | cab-orig-*          | WORD   | DOCX            | CAB + DLL        | YES             |
| j00sean IE-only attack                    | cab-orig-j00san     | IE     | HTML            | CAB + DLL        | YES             |
| My version without DLL                    | cab-uri-*           | WORD   | DOCX            | CAB + JS/VBS     | NO<sup>1</sup>  |
| Eduardo B. "CABless" attack using RAR     | cabless-rar-*       | WORD   | RAR             | WSF              | YES             |
| Modified j00sean attack + HTML smuggling  | cabless-smuggling-* | IE     | HTML            | JS/VBS           | YES<sup>2</sup> | 

_<sup>1</sup>The CAB is not downloaded properly in some environments_

_<sup>2</sup>The user needs to click on "Save" to download the file on IE_

# CAB file parser

The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full 
parser. It's a very quick and dirty CAB header viewer I developed to understand what was going on.

# Install

The generator is designed to work on Windows, as it uses the `makecab` utility. Before usage, be sure to install required dependencies:

* With Virtualenv

```
git clone https://github.com/klezVirus/CVE-2021-40444
cd CVE-2021-40444
pip install virtualenv
python -m virtualenv venv
venv\Scripts\activate.bat 
pip install -r requirements
```

* Without Virtualenv

```
git clone https://github.com/klezVirus/CVE-2021-40444
cd CVE-2021-40444
pip install -r requirements
```

# Usage

The generator is trivial to use, and even if it has been tested with a number of different payloads and Windows
versions, it is not fail-proof. I'm encountering different behaviours across different Windows builds. As soon as
I have more details to share, I'll post them here.

```
usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-c COPY_TO] [-nc] [-t]

[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]

optional arguments:
  -h, --help            show this help message and exit
  -P PAYLOAD, --payload PAYLOAD
                        DLL payload to use for the exploit
  -u URL, --url URL     Server URL for malicious references (CAB->INF)
  -o OUTPUT, --output OUTPUT
                        Output files basename (no extension)
  --host                If set, will host the payload after creation
  -c COPY_TO, --copy-to COPY_TO
                        Copy payload to an alternate path
  -nc, --no-cab         Use the CAB-less version of the exploit
  -t, --test            Open IExplorer to test the final HTML file
```

# Example

* Generate the original exploit and test it locally

```
python generator.py -u http://127.0.0.1 -P test\calc.dll --host 
```
_Note: the port is selected by the URL, and the exploit is generated basing on the payload file extension_

* Generate the CABless exploit with RAR and test it locally via IE

```
python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t 
```

* Generate the CABless exploit (IE-only) with HTML smuggling and test it locally via IE

```
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t 
```

# Credits

* [RET2_pwn](https://twitter.com/RET2_pwn) for the amazing blog
* [j00sean](https://twitter.com/j00sean) for the good hints
* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc
* [Max_Mal](https://twitter.com/Max_Mal) for the hint on the alternate URI schemes
* [wdormann](https://twitter.com/wdormann) for the hint on the HTML file size restrictions
* [Edu_Braun_0day](https://twitter.com/Edu_Braun_0day) for the cool CAB-less version of the exploit
First Release 3 years ago			`# Fully Weaponized CVE-2021-40444`

			`Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files.`

			`# Background`

			`Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability,`
			`as what I found available lacked valuable information that it's worth sharing, also considering Microsoft already`
			`released a patch for this vulnerability.`

			`So far, the only valuable resources I've seen to create a fully working generator are:`
			`* [Blog by Ret2Pwn](https://xret2pwn.github.io//CVE-2021-40444-Analysis-and-Exploit/)`
			`* [Twit by j00sean](https://twitter.com/j00sean/status/1437390861499838466)`

Updated README 3 years ago			`The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much`
			`unnecessary information, I'll just summarize the relevant details.`
First Release 3 years ago
Minor Edit in Cab Parser 3 years ago			`### Exploit Chain`
			`1. Docx opened`
			`2. Relationship stored in document.xml.rels points to malicious html`
			`3. IE preview is launched to open the HTML link`
			`4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,`
			`prefixed with the ".cpl:" directive`
			`5. The cab file is opened, the INF file stored in the %TEMP%\Low directory`
			`6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%`
			`7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32`
First Release 3 years ago			`(if this is a DLL)`

			`### Overlooked Requirements`

			`There are quite a bit of overlooked requirements for this exploit to work, which caused even good PoCs, like`
			`[the one by lockedbyte](https://github.com/lockedbyte/CVE-2021-40444), to fail working properly.`

			`Maybe nobody explicitly "released" them to avoid the vulnerability to be exploited more. But now it's patched,`
			`so it should not cause a lot of troubles to release the details.`

Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`#### HTML File`

			`As for this [tweet](https://twitter.com/wdormann/status/1440036541112328199) by [Will Dormann](https://twitter.com/wdormann),`
			`the HTML should be at least 4096 bytes in size in order to trigger the "Preview" within MS Word.`

First Release 3 years ago			`#### CAB File`

			`The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:`
Updated README 3 years ago			* `filename.inf` should become `../filename.inf`
			* `filename.inf` should be exactly `<12-char>.inf`
			* `CFFOLDER.typeCompress` should be 0 (not compressed)
			* `CFFOLDER.coffCabStart` should be increased by 3
			* `CFFOLDER.cCfData` should be 2
			* `CFFILE.cbFile` should be greater than the whole `CFHEADER.cbCabinet`
			* `CFDATA.csum` should be recalculated (or zeroed out)
First Release 3 years ago
			`The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but`
			`let's see the most important:`

Updated README 3 years ago			`* TypeCompress: If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail`
			`* CoffCabStart: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../',`
First Release 3 years ago			`we would need to increase this by 3 to point to the file (this is more like a guess)`
Updated README 3 years ago			`* cCfData: As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2`
			`* cbFile: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion`
First Release 3 years ago			`by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the`
			`cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading`
			`all the bytes defined in cbFile, raising an extraction error.`
Updated README 3 years ago			`* Last but not least, the csum value should be recalculated. Luckily, as noted by [j00sean](https://twitter.com/j00sean)`
First Release 3 years ago			`and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf),`
			`this value can be 0`

Updated README 3 years ago			NOTE1: Defender now detects if the CAB file contains a PE by using the `_IMAGE_DOS_HEADER.e_magic` value as a
			`signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed?`
			`I'm not sure but, as observed before, this is a patched vulnerability, so I'm not planning to invest much more time`
			`on this. Up to the curious reader to develop this further.`
First Release 3 years ago
Updated README 3 years ago			`NOTE2: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)`

Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`# DLL Attack`

			The main attack chain associated with CVE-2021-40444 is the DLL attack loaded via the `.cpl` URI scheme. In order to
			`exploit that, an attacker needs to generate a specially crafted DLL. If you want to test it out, try my [evildll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011)`
			`script.`

			`# JScript, VBScript, Javaw, MSIexec, ...`

			`As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and`
			`the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.`

			`Indeed, irtshould be noted that the method used in the exploit to download files is based on ActiveX control updates,`
			`and cannot be used to download arbitrary files.`
			As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
			`can point just to a few filetypes: OCX, INF and CAB.`

			`Even if we can directly download an OCX or INF file, we still can't be sure to download the file in the right location`
			within the system. With the cab exploit, it is possible to move the `.inf` file in a well-known path using the path traversal,
			`but in any other case the file will be stored in a random directory, making it virtually impossible to reference it.`

			`As of today, I didn't find a way to chain download and execution WITHOUT a CAB file.`

			`Note: Talking about IE alone, HTML smuggling could be a possible scenario to exploit the vulnerability.`

			`# Cab-less file attack using hybrid RAR file`

			`This technique was firstly disclosed by [Eduardo Braun](https://twitter.com/Edu_Braun_0day) on Twitter and further explained in [this](https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf) paper.`

			`Please note that using this technique, the attack chain is a bit different. This attack requires the user to download`
			`a specially crafted RAR file, obtained by chaining a valid WSF script and a valid RAR file. Once opened, the RAR will contain`
			`a DOCX with a reference to an HTML, which in turn will try to load the RAR file as a WSF script.`

			`To summarise:`

			`1. Specially crafted RAR file is downloaded (likely Download folder)`
			`2. DOCX extracted and opened`
			`3. Relationship stored in document.xml.rels points to malicious html`
			`4. IE preview is launched to open the HTML link`
			`5. JScript within the HTML contains a script/iframe pointing to the RAR file, prefixed with the ".wsf:" URI scheme`
			`6. As the RAR was designed to be contemporaneously a valid RAR and a valid WSF script, the script is executed`

			`# What are the exploits PoC implemented by the tool`

			`The generator utility can currently reproduce the following attacks:`

			`\| Attack \| HTML Templates \| Target \| Delivery Method \| Execution Method \| Working \|`
			`\|-------------------------------------------\|---------------------\|--------\|-----------------\|------------------\|-----------------\|`
			`\| Original version of the attack \| cab-orig-* \| WORD \| DOCX \| CAB + DLL \| YES \|`
			`\| j00sean IE-only attack \| cab-orig-j00san \| IE \| HTML \| CAB + DLL \| YES \|`
			`\| My version without DLL \| cab-uri-* \| WORD \| DOCX \| CAB + JS/VBS \| NO<sup>1</sup> \|`
			`\| Eduardo B. "CABless" attack using RAR \| cabless-rar-* \| WORD \| RAR \| WSF \| YES \|`
			`\| Modified j00sean attack + HTML smuggling \| cabless-smuggling-* \| IE \| HTML \| JS/VBS \| YES<sup>2</sup> \|`

			`_<sup>1</sup>The CAB is not downloaded properly in some environments_`
Fixed new line 3 years ago
Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`_<sup>2</sup>The user needs to click on "Save" to download the file on IE_`

First Release 3 years ago			`# CAB file parser`

			The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full
			`parser. It's a very quick and dirty CAB header viewer I developed to understand what was going on.`

Added install instructions 3 years ago			`# Install`

			The generator is designed to work on Windows, as it uses the `makecab` utility. Before usage, be sure to install required dependencies:

			`* With Virtualenv`

			```
			`git clone https://github.com/klezVirus/CVE-2021-40444`
			`cd CVE-2021-40444`
			`pip install virtualenv`
			`python -m virtualenv venv`
			`venv\Scripts\activate.bat`
			`pip install -r requirements`
			```

			`* Without Virtualenv`

			```
			`git clone https://github.com/klezVirus/CVE-2021-40444`
			`cd CVE-2021-40444`
			`pip install -r requirements`
			```

First Release 3 years ago			`# Usage`

Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`The generator is trivial to use, and even if it has been tested with a number of different payloads and Windows`
			`versions, it is not fail-proof. I'm encountering different behaviours across different Windows builds. As soon as`
			`I have more details to share, I'll post them here.`
First Release 3 years ago
			```
Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-c COPY_TO] [-nc] [-t]`
First Release 3 years ago
			`[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]`

			`optional arguments:`
			`-h, --help show this help message and exit`
			`-P PAYLOAD, --payload PAYLOAD`
			`DLL payload to use for the exploit`
			`-u URL, --url URL Server URL for malicious references (CAB->INF)`
			`-o OUTPUT, --output OUTPUT`
			`Output files basename (no extension)`
			`--host If set, will host the payload after creation`
			`-c COPY_TO, --copy-to COPY_TO`
			`Copy payload to an alternate path`
Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`-nc, --no-cab Use the CAB-less version of the exploit`
			`-t, --test Open IExplorer to test the final HTML file`
			```

			`# Example`

			`* Generate the original exploit and test it locally`

			```
			`python generator.py -u http://127.0.0.1 -P test\calc.dll --host`
			```
			`_Note: the port is selected by the URL, and the exploit is generated basing on the payload file extension_`

			`* Generate the CABless exploit with RAR and test it locally via IE`

			```
			`python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t`
			```

			`* Generate the CABless exploit (IE-only) with HTML smuggling and test it locally via IE`

			```
			`python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t`
First Release 3 years ago			```

			`# Credits`

			`* [RET2_pwn](https://twitter.com/RET2_pwn) for the amazing blog`
			`* [j00sean](https://twitter.com/j00sean) for the good hints`
Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes 3 years ago			`* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc`
			`* [Max_Mal](https://twitter.com/Max_Mal) for the hint on the alternate URI schemes`
			`* [wdormann](https://twitter.com/wdormann) for the hint on the HTML file size restrictions`
			`* [Edu_Braun_0day](https://twitter.com/Edu_Braun_0day) for the cool CAB-less version of the exploit`