Deep Technical Analysis of an Office RCE Exploit
https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce/
#office #rce #cve_2021_40444
🔥 MS-MSDT Office RCE
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters). The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Research:
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
PoC:
https://github.com/JohnHammond/msdt-follina
https://github.com/chvancooten/follina.py
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040
Demo Follina with Cobalt Strike:
https://www.youtube.com/watch?v=oM4GHtVvv1c
For BlueTeam:
https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
Everything new is well-forgotten old:
Research from August 2020. And a few other payloads.
#office #rce #msmsdt #nomacro
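The post describes the delivery mechanism (an OLE object relationship inside the docx package whose target is an external URL) but not how a defender would spot it. The following is an added example, not code from the post or from any of the linked PoC repositories: it unpacks a .docx in memory, walks every `.rels` part, and reports OLE-object relationships with `TargetMode="External"`, which is exactly the piece a normal document has no reason to carry. The two sample packages are constructed inline; the external target URL is a deliberately non-routable placeholder, and the set of schemes treated as remote-capable is this example's own assumption, not something the post specifies.

```python
"""Flag externally-targeted OLE objects in a .docx package (defender check).

Added example for the post above; not part of the original post or the linked PoCs.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type used for OLE objects in WordprocessingML. An entry of this
# type with TargetMode="External" is how the document pulls a remote file.
OLE_REL_SUFFIX = "/oleObject"
# Assumption of this example: schemes a linked OLE object should never use in a
# document you trust. "mhtml" is included because it wraps a remote http(s) fetch.
REMOTE_SCHEMES = {"http", "https", "mhtml", "ftp", "file"}


def _scheme(target: str) -> Optional[str]:
    """Return the URI scheme of a relationship Target, or None for relative paths."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", target)
    return m.group(1).lower() if m else None


def scan_docx(data: bytes) -> List[Dict[str, Optional[str]]]:
    """Return one finding per OLE-object relationship whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                if not rel.get("Type", "").endswith(OLE_REL_SUFFIX):
                    continue
                target = rel.get("Target", "")
                findings.append({"part": name, "id": rel.get("Id"),
                                 "target": target, "scheme": _scheme(target)})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any external OLE object points at a remote-capable scheme."""
    return any(f["scheme"] in REMOTE_SCHEMES for f in scan_docx(data))


# --- constructed sample packages (not real malware) ---------------------------
_RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              f'<Relationships xmlns="{REL_NS}">')
_RELS_TAIL = "</Relationships>"
_IMAGE_REL = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
              'officeDocument/2006/relationships/image" Target="media/image1.png"/>')
# Placeholder external OLE relationship; the URL is intentionally non-routable.
_EXTERNAL_OLE_REL = ('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/oleObject" '
                     'Target="http://example.invalid/PLACEHOLDER.html" TargetMode="External"/>')


def build_docx(rels_body: str) -> bytes:
    """Build a minimal constructed .docx (zip) in memory with the given relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", _RELS_HEAD + rels_body + _RELS_TAIL)
    return buf.getvalue()


BENIGN_DOCX = build_docx(_IMAGE_REL)
SUSPICIOUS_DOCX = build_docx(_IMAGE_REL + _EXTERNAL_OLE_REL)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, is_suspicious(blob), scan_docx(blob))
```

Run against a real file with `scan_docx(open(path, "rb").read())`. The check looks only at package relationships, so it catches the carrier regardless of what the remote HTML contains, and it stays quiet on ordinary documents whose OLE objects are embedded parts rather than external targets; a non-zip or password-protected input raises `zipfile.BadZipFile`, which a triage pipeline should treat as its own finding.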
Office Injector - Invokes an RPC method in OfficeClickToRun service that will inject a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the task scheduler service, thus achieving privilege escalation from administrator to SYSTEM.
Shim Injector - Writes an undocumented shim data structure into the memory of another process that causes apphelp.dll to apply the “Inject Dll” fix on the process without registering a new SDB file on the system, or even writing such file to disk.
DefCon Presentation
🔗 Source:
https://github.com/deepinstinct/ShimMe
#windows #office #rpc #inject #lpe
A new vulnerability related to capturing NTLMv2 hashes via Office URI schemes has been discovered. The http:// protocol can be used for attacks such as NTLM relay to a Domain Controller.
Microsoft 365 and Office 2019 versions are vulnerable, as they open remote files without warnings, unlike earlier versions. The exploit involves using a 302 redirect and abusing GPO misconfigurations to capture NTLMv2 hashes over SMB and HTTP.
🔗 Source:
https://github.com/passtheticket/CVE-2024-38200
#windows #office #ntlm #relay