diff --git a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt index 6ba9d344..d19ad595 100644 --- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt +++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt @@ -1,32 +1,32 @@ -REM ####################################################################################################################### -REM # | -REM # Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability | -REM # Author : Aleff | -REM # Version : 1.0 | -REM # Category : Incident Response | -REM # Target : Windows 10/11 | -REM # | -REM ####################################################################################################################### +* REM ####################################################################################################################### +* REM # | +* REM # Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability | +* REM # Author : Aleff | +* REM # Version : 1.0 | +* REM # Category : Incident Response | +* REM # Target : Windows 10/11 | +* REM # | +* REM ####################################################################################################################### -REM PlugAndPlay <3 +* REM PlugAndPlay <3 -REM Requirements: -REM - ExecutionPolicy Bypass +* REM Requirements: +* REM - ExecutionPolicy Bypass -REM Impact: Remote Code Execution -REM Max Severity: Important +* REM Impact: Remote Code Execution +* REM Max Severity: Important -REM Mitigation: +* REM Mitigation: -REM - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. +* REM - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. -REM - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884). +* REM - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884). -REM The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability. +* REM The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability. -REM It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications. +* REM It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications. -REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 +* REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 QUACK DELAY 1000 QUACK GUI x @@ -37,11 +37,11 @@ QUACK LEFTARROW QUACK DELAY 500 QUACK ENTER -REM Sets the path to the registry key +* REM Sets the path to the registry key QUACK STRING $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" QUACK ENTER -REM Array of application names +* REM Array of application names QUACK STRING $applicationNames = @( QUACK ENTER QUACK STRING "Excel.exe", @@ -65,7 +65,7 @@ QUACK ENTER QUACK STRING ) QUACK ENTER -REM Create the registry key if it does not already exist +* REM Create the registry key if it does not already exist QUACK STRING if (!(Test-Path $registryPath)) { QUACK ENTER QUACK STRING New-Item -Path $registryPath -Force | Out-Null @@ -75,7 +75,7 @@ QUACK ENTER QUACK STRING } QUACK ENTER -REM Add the values to the registry key +* REM Add the values to the registry key QUACK STRING foreach ($appName in $applicationNames) { QUACK ENTER QUACK STRING Set-ItemProperty -Path $registryPath -Name $appName -Value 1 -Type DWORD -Force | Out-Null