Update payload.txt

2024-06-11 08:18:02 +02:00 · 2024-06-11 08:18:02 +02:00 · 47cf3bde11
parent 9b9dfe8045
commit 47cf3bde11
1 changed files with 52 additions and 31 deletions
--- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt
+++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt
@ -1,31 +1,31 @@
-* REM #######################################################################################################################
-* REM #                                                                                                                     |
-* REM # Title        : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability   |
-* REM # Author       : Aleff                                                                                                |
-* REM # Version      : 1.0                                                                                                  |
-* REM # Category     : Incident Response                                                                                    |
-* REM # Target       : Windows 10/11                                                                                        |
-* REM #                                                                                                                     |
-* REM #######################################################################################################################
+#######################################################################################################################
+#                                                                                                                     #
+# Title        : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability   #
+# Author       : Aleff                                                                                                #
+# Version      : 1.0                                                                                                  #
+# Category     : Incident Response                                                                                    #
+# Target       : Windows 10/11                                                                                        #
+#                                                                                                                     #
+#######################################################################################################################

 ATTACKMODE HID

-* REM PlugAndPlay <3
+# PlugAndPlay <3

-* REM Requirements:
-* REM     - ExecutionPolicy Bypass
+# Requirements:
+#    - ExecutionPolicy Bypass

-* REM Impact: Remote Code Execution
-* REM Max Severity: Important
+# Impact: Remote Code Execution
+# Max Severity: Important

-* REM Mitigation:
-* REM     - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
-* REM     - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as 'Office and Windows HTML Remote Code Execution Vulnerability' (CVE-2023-36884).
-* REM The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.
+# Mitigation:
+#    - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
+#    - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as 'Office and Windows HTML Remote Code Execution Vulnerability' (CVE-2023-36884).
+# The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.

-* REM It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
+# It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.

-* REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
+# Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

 QUACK DELAY 1000
 QUACK GUI x
@ -35,51 +35,72 @@ QUACK DELAY 500
 QUACK LEFTARROW
 QUACK DELAY 500
 QUACK ENTER
+QUACK DELAY 500

-* REM Sets the path to the registry key
-QUACK STRING $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
+# Sets the path to the registry key
+QUACK STRING \$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
 QUACK ENTER
+QUACK DELAY 500

-* REM Array of application names
-QUACK STRING $applicationNames = @(
+# Array of application names
+QUACK STRING \$applicationNames = @(
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'Excel.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'Graph.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'MSAccess.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'MSPub.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'Powerpnt.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'Visio.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'WinProj.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'WinWord.exe',
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING 'Wordpad.exe'
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING )
 QUACK ENTER
+QUACK DELAY 500

-* REM Create the registry key if it does not already exist
-QUACK STRING if (!(Test-Path $registryPath)) {
+# Create the registry key if it does not already exist
+QUACK STRING if (!(Test-Path \$registryPath)) {
 QUACK ENTER
-QUACK STRING New-Item -Path $registryPath -Force | Out-Null
+QUACK DELAY 500
+QUACK STRING New-Item -Path \$registryPath -Force # Out-Null
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING echo 'Registry key created'
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING }
 QUACK ENTER
+QUACK DELAY 500

-* REM Add the values to the registry key
-QUACK STRING foreach ($appName in $applicationNames) {
+# Add the values to the registry key
+QUACK STRING foreach (\$appName in \$applicationNames) {
 QUACK ENTER
-QUACK STRING Set-ItemProperty -Path $registryPath -Name $appName -Value 1 -Type DWORD -Force | Out-Null
+QUACK DELAY 500
+QUACK STRING Set-ItemProperty -Path \$registryPath -Name \$appName -Value 1 -Type DWORD -Force # Out-Null
 QUACK ENTER
-QUACK STRING echo '[+] $appName'
+QUACK DELAY 500
+QUACK STRING echo '[+] \$appName'
 QUACK ENTER
+QUACK DELAY 500
 QUACK STRING }
 QUACK ENTER
+QUACK DELAY 500