• Stars
    star
    795
  • Rank 57,274 (Top 2 %)
  • Language
    HTML
  • Created about 3 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit

Fully Weaponized CVE-2021-40444

Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution), works with arbitrary DLL files.

Update 31/05/2022 - CVE-2022-30190 - Follina

Now the generator is able to generate the document required to exploit also the "Follina" attack (leveraging ms-msdt).

Background

Although many PoC are already around the internet, I guessed to give myself a run to weaponizing this vulnerability, as what I found available lacked valuable information that it's worth sharing, also considering Microsoft already released a patch for this vulnerability.

So far, the only valuable resources I've seen to create a fully working generator are:

The above resources outline a lot of the requirements needed to create a full chain. To avoid repeating too much unnecessary information, I'll just summarize the relevant details.

Exploit Chain

  1. Docx opened
  2. Relationship stored in document.xml.rels points to malicious html
  3. IE preview is launched to open the HTML link
  4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file, prefixed with the ".cpl:" directive
  5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
  6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it's possible to store the INF in %TEMP%
  7. Then, the INF file is opened with the ".cpl:" directive, causing the side-loading of the INF file via rundll32 (if this is a DLL)

Overlooked Requirements

There are quite a bit of overlooked requirements for this exploit to work, which caused even good PoCs, like the one by lockedbyte, to fail working properly.

Maybe nobody explicitly "released" them to avoid the vulnerability to be exploited more. But now it's patched, so it should not cause a lot of troubles to release the details.

HTML File

As for this tweet by Will Dormann, the HTML should be at least 4096 bytes in size in order to trigger the "Preview" within MS Word.

CAB File

The CAB file needs to be byte-patched to avoid extraction errors and to achieve the ZipSlip:

  • filename.inf should become ../filename.inf
  • filename.inf should be exactly <12-char>.inf Not really true, the important bit is to modify coffCabStart
  • CFFOLDER.typeCompress should be 0 (not compressed)
  • CFFOLDER.coffCabStart should be increased by 3 (due to the added '../'')
  • CFFOLDER.cCfData should be 2
  • CFFILE.cbFile should be greater than the whole CFHEADER.cbCabinet
  • CFDATA.csum should be recalculated (or zeroed out) [OPTIONAL]

The reason for these constraints are many, and I didn't spend enough time to deeply understand all of them, but let's see the most important:

  • TypeCompress: If the CAB is compressed, the trick to open it within an object file to trigger the INF write will fail False, I managed to achieve the same result with a MSZIP compressed sample
  • CoffCabStart: CoffCabStart gives the absolute position of the first CFDATA structure, as we added a '../', we would need to increase this by 3 to point to the file (this is more like a guess)
  • cCfData: As there is only 1 file, we should have just 1 CFDATA, I'm not too sure why this has to be set to 2 Indeed, we can leave it as 1
  • cbFile: Interestingly, if the CAB extraction concludes without any error, the INF file will be marked for deletion by WORD, ruining the exploit. The only way to prevent this is to make WORD believe the extraction failed. If the cbFile value is defined as greater than the cabinet file itself, the extractor will reach an EOF before reading all the bytes defined in cbFile, raising an extraction error.
  • [OPTIONAL] This value seems to not be checked by MS Word. Anyway, to have a correct CAB, the csum value should be recalculated. Luckily, as noted by j00sean and according to MS documentation, this value can be 0

NOTE1: Defender now detects if the CAB file contains a PE by using the _IMAGE_DOS_HEADER.e_magic value as a signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed? I'm not sure but, as observed before, this is a patched vulnerability, so I'm not planning to invest much more time on this. Up to the curious reader to develop this further.

NOTE2: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition)

DLL Attack

The main attack chain associated with CVE-2021-40444 is the DLL attack loaded via the .cpl URI scheme. In order to exploit that, an attacker needs to generate a specially crafted DLL. If you want to test it out, try my evildll-gen script.

JScript, VBScript, Javaw, MSIexec, ...

As noted by Max Maluin, it is possible to interact with several filetypes abusing IE and the associated file extension based URI. While this is might be a good way to exploit IE, it has limitations.

Indeed, it should be noted that the method used in the exploit to download files is based on ActiveX control updates, and cannot be used to download arbitrary files. As per Microsoft documentation, the codebase tag can point just to a few filetypes: OCX, INF and CAB.

Even if we can directly download an OCX or INF file, we still can't be sure to download the file in the right location within the system. With the cab exploit, it is possible to move the .inf file in a well-known path using the path traversal, but in any other case the file will be stored in a random directory, making it virtually impossible to reference it.

As of today, I didn't find a way to chain download and execution WITHOUT a CAB file.

Note: Talking about IE alone, HTML smuggling could be a possible scenario to exploit the vulnerability.

Cab-less file attack using hybrid RAR file

This technique was firstly disclosed by Eduardo Braun on Twitter and further explained in this paper.

Please note that using this technique, the attack chain is a bit different. This attack requires the user to download a specially crafted RAR file, obtained by chaining a valid WSF script and a valid RAR file. Once opened, the RAR will contain a DOCX with a reference to an HTML, which in turn will try to load the RAR file as a WSF script.

To summarise:

  1. Specially crafted RAR file is downloaded (likely Download folder)
  2. DOCX extracted and opened
  3. Relationship stored in document.xml.rels points to malicious html
  4. IE preview is launched to open the HTML link
  5. JScript within the HTML contains a script/iframe pointing to the RAR file, prefixed with the ".wsf:" URI scheme
  6. As the RAR was designed to be contemporaneously a valid RAR and a valid WSF script, the script is executed

What are the exploits PoC implemented by the tool

The generator utility can currently reproduce the following attacks:

Attack HTML Templates Target Delivery Method Execution Method Working
Original version of the attack cab-orig-* WORD DOCX CAB + DLL YES
j00sean IE-only attack cab-orig-j00san IE HTML CAB + DLL YES
My version without DLL cab-uri-* WORD DOCX CAB + JS/VBS NO1
Eduardo B. "CABless" attack using RAR cabless-rar-* WORD RAR WSF YES
Modified j00sean attack + HTML smuggling cabless-smuggling-* IE HTML JS/VBS YES2
Follina attack cabless-msdt-* WORD DOCX/RTF MSDT + PS YES3

1The CAB is not downloaded properly in some environments

2The user needs to click on "Save" to download the file on IE

3Not really working on all Windows/MS Word versions

CAB file parser

The utility cab_parser.py can be used to see the headers of the exploit file, but don't consider this a full parser. It's a very quick and dirty CAB header viewer I developed to understand what was going on.

Install

The generator is designed to work on Windows, as it uses the makecab utility. Before usage, be sure to install required dependencies:

  • With Virtualenv
git clone https://github.com/klezVirus/CVE-2021-40444
cd CVE-2021-40444
pip install virtualenv
python -m virtualenv venv
venv\Scripts\activate.bat 
pip install -r requirements
  • Without Virtualenv
git clone https://github.com/klezVirus/CVE-2021-40444
cd CVE-2021-40444
pip install -r requirements

Usage

The generator is trivial to use, and even if it has been tested with a number of different payloads and Windows versions, it is not fail-proof. I'm encountering different behaviours across different Windows builds. As soon as I have more details to share, I'll post them here.

usage: generator.py [-h] -P PAYLOAD -u URL [-o OUTPUT] [--host] [-c COPY_TO] [-nc] [-t]

[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]

optional arguments:
  -h, --help            show this help message and exit
  -P PAYLOAD, --payload PAYLOAD
                        DLL payload to use for the exploit
  -u URL, --url URL     Server URL for malicious references (CAB->INF)
  -o OUTPUT, --output OUTPUT
                        Output files basename (no extension)
  --host                If set, will host the payload after creation
  -c COPY_TO, --copy-to COPY_TO
                        Copy payload to an alternate path
  -nc, --no-cab         Use the CAB-less version of the exploit
  -t, --test            Open IExplorer to test the final HTML file

Example

  • Generate the original exploit and test it locally
python generator.py -u http://127.0.0.1 -P test\calc.dll --host 

Note: the port is selected by the URL, and the exploit is generated basing on the payload file extension

  • Generate the CABless exploit with RAR and test it locally via IE
python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t 
  • Generate the CABless exploit (IE-only) with HTML smuggling and test it locally via IE
python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t 
  • Generate the CABless exploit leveraging MS-MSDT (Follina attack), in both DOCX and RTF docs
python generator.py -u http://127.0.0.1 -P test\calc.ps1 --no-cab --host --convert

Credits

More Repositories

1

inceptor

Template-Driven AV/EDR Evasion Framework
Assembly
1,561
star
2

SysWhispers3

SysWhispers on Steroids - AV/EDR evasion via direct system calls.
Python
1,256
star
3

CheeseTools

Self-developed tools for Lateral Movement/Code Execution
C#
683
star
4

SilentMoonwalk

PoC Implementation of a fully dynamic call stack spoofer
C++
665
star
5

chameleon

PowerShell Script Obfuscator
Python
485
star
6

vortex

VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit
Python
419
star
7

CandyPotato

Pure C++, weaponized, fully automated implementation of RottenPotatoNG
C++
298
star
8

DriverJack

Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths
C++
246
star
9

SharpSelfDelete

C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
C#
147
star
10

NimlineWhispers3

A tool for converting SysWhispers3 syscalls for use with Nim projects
Nim
137
star
11

RpcProxyInvoke

Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar
C++
100
star
12

klezVirus.github.io

CyberSec Blog
JavaScript
96
star
13

SharpLdapRelayScan

C# Port of LdapRelayScan
C#
77
star
14

koppeling-p

Adaptive DLL hijacking / dynamic export forwarding - EAT preserve
Python
66
star
15

DCKFinder

Dangling COM Keys Finder
C++
14
star
16

deser-node

NodeJS Deserialization Payload Generator
JavaScript
9
star
17

codegrepper

Pure python, self-contained, silly implementation of a SAST tool
Python
8
star
18

mapt-run

Simple script to setup a local hosted network for Mobile Application Penetration Testing
Shell
8
star
19

faceless

Faceless - Simple Tool for Text-File Anonymization
Python
7
star
20

msf-revhttp-gen

Little utility to facilitate Metasploit Reverse HTTP Payloads
Shell
7
star
21

nmap-report

A simple tool that can be use to extract usful information from a nmap scan
Shell
7
star
22

CryptoCheck

NIST-CAVS Extended - Encryption Auto Testing Toolkit
Python
4
star
23

deser-py

Python Deserialization Payload Generator
Python
4
star
24

deser-ruby

Ruby Deserialization Payload Generator
Ruby
4
star
25

nx_reporter

Rapid7 Nexpose template-based report generator
Python
4
star
26

muts-opt-encoder

Independent implementation of the optimized SUB-Encoder
Python
4
star
27

klezVirus

Temporary unavailable...
3
star
28

php-ipfinder

A simple tool to enumerate various info on a set of IP addresses
PHP
2
star
29

cves

Public Advisories Redirector
1
star
30

cors-security-remove

JavaScript
1
star
31

Posts

Offensive Security Certifications Reviews
1
star
32

oldrivrs

some old drivers and misc crap from a while ago
C
1
star