@ -14,15 +14,15 @@ So far, the only valuable resources I've seen to create a fully working generato |
The above resources outline a lot of the requirements needed to create a full chain. As I do not desire |
### Chain |
* Docx opened |
* Relationship stored in document.xml.rels points to malicious html |
* IE preview is launched to open the HTML link |
* JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file, |
prefixed with the ".cpl:" directive |
* The cab file is opened, the INF file stored in the %TEMP%\Low directory |
* Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP% |
* Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32 |
### Exploit Chain |
1. Docx opened |
2. Relationship stored in document.xml.rels points to malicious html |
3. IE preview is launched to open the HTML link |
4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file, |
prefixed with the ".cpl:" directive |
5. The cab file is opened, the INF file stored in the %TEMP%\Low directory |
6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP% |
7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32 |
(if this is a DLL) |
### Overlooked Requirements |
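Review bot: the two continuation lines in the new numbered list, `prefixed with the ".cpl:" directive` under step 4 and `(if this is a DLL)` under step 7, are separated from their items by a blank line, so Markdown will render them as standalone paragraphs and restart the numbering at the next item; join each onto the end of its item (or indent it as a list continuation) so the list renders as one sequence. The added qualifier `(if this is a DLL)` also leaves "this" unresolved: say which file it refers to, since step 7 mentions only the INF file and rundll32. Finally, steps 5 and 6 read as two sequential events but describe one outcome (6 explains why the INF lands in %TEMP% rather than %TEMP%\Low, which step 5 states as the default); rewording 5 as "extracted to %TEMP%\Low by default" and 6 as the reason it ends up elsewhere would make the sequence unambiguous for readers building detections around the file-drop location.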
|
|
|
|