mirror of https://github.com/klezVirus/CVE-2021-40444.git synced 2025-01-22 01:17:51 +00:00

Minor Edit in Cab Parser

This commit is contained in:
d3adc0de 2021-09-15 23:53:37 +01:00
parent 7562cfa66a
commit 53af9514ef
2 changed files with 18 additions and 10 deletions

View file

@ -14,15 +14,15 @@ So far, the only valuable resources I've seen to create a fully working generato
The above resources outline a lot of the requirements needed to create a full chain. As I do not desire
### Chain
* Docx opened
* Relationship stored in document.xml.rels points to malicious html
* IE preview is launched to open the HTML link
* JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
prefixed with the ".cpl:" directive
* The cab file is opened, the INF file stored in the %TEMP%\Low directory
* Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
* Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32
### Exploit Chain
1. Docx opened
2. Relationship stored in document.xml.rels points to malicious html
3. IE preview is launched to open the HTML link
4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
prefixed with the ".cpl:" directive
5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32
(if this is a DLL)
### Overlooked Requirements
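Review bot: the "(if this is a DLL)" added to step 7 sits on its own line after "via rundll32", so it is unclear whether "this" refers to the INF file or to what rundll32 ends up loading; fold it into the sentence so the referent is explicit, e.g. "causing the side-loading of the INF file via rundll32 (which only works if that file is actually a DLL)". Step 6 still calls it a "Path traversal (ZipSlip)" although the archive here is a CAB rather than a ZIP; "ZipSlip-style path traversal" would be more precise.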

View file

@ -200,10 +200,18 @@ def parse(file):
data = open(file, "rb").read()
cab = Cab(data=data)
print(cab.to_string())
def change_e_magic(cab: Cab, value: bytes):
if not value or not isinstance(value, bytes) or len(value) != 4:
return
new_cab = cab.change_bytes(offset=0x58, size=4, value=b"MZ\x90\x00")
print(Cab(new_cab).to_string())
def save(cab: Cab, file: str):
with open(file, "wb") as out:
out.write(Cab(new_cab).to_bytes())
out.write(cab.to_bytes())
if __name__ == "__main__":
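Review bot: in the new `change_e_magic`, the `value` argument is validated (non-empty `bytes` of length 4) but then never used: the call hard-codes `value=b"MZ\x90\x00"`, so passing any other magic has no effect. It should be `new_cab = cab.change_bytes(offset=0x58, size=4, value=value)`. The function also only prints the patched Cab and returns nothing, so a caller cannot hand the result to the new `save(cab, file)`; consider `return Cab(new_cab)`. The `save` change itself is correct: the old body wrote `Cab(new_cab).to_bytes()` with `new_cab` undefined in that scope (a NameError at runtime), and `cab.to_bytes()` fixes that. Minor: `parse` reads with `open(file, "rb").read()` and never closes the handle; a `with` block as used in `save` would be consistent.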