Attackmode and img replaced with link

2024-06-06 17:07:22 +02:00 · 2024-06-06 17:07:22 +02:00 · 9b9dfe8045
parent 617aa0a25f
commit 9b9dfe8045
5 changed files with 20 additions and 21 deletions
--- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/README.md
+++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/README.md
@ -25,7 +25,7 @@ This script allows you to set the Register Key block rule that will allow you to
 Open a PowerShell, set the Register Key block rule trough the [command line interface](https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3).


-![](docs/2.png)
+![](https://i.ibb.co/g7Tj3fV/2.png)

 ## CVE-2023-36884 Description

@ -85,19 +85,19 @@ ENTER

 ### Set the rule

-![](docs/1.png)
+![](https://i.ibb.co/XZB8NDJ/1.png)

 ### See the new rule

-![](docs/2.png)
+![](https://i.ibb.co/g7Tj3fV/2.png)

 ### Remove the rule

-![](docs/3.png)
+![](https://i.ibb.co/jRLj8j3/3.png)

 ## Credits

-<h2 align="center"> Aleff :octocat: </h2>
+<h2 align="center">Aleff</h2>
 <div align=center>
 <table>
  <tr>
--- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/docs/1.png
+++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/docs/1.png
--- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/docs/2.png
+++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/docs/2.png
--- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/docs/3.png
+++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/docs/3.png
--- a/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt
+++ b/payloads/library/Incident_Response/Defend_yourself_against_CVE-2023-36884_Office_and_Windows_HTML_R/payload.txt
@ -8,6 +8,8 @@
 * REM #                                                                                                                     |
 * REM #######################################################################################################################

+ATTACKMODE HID
+
 * REM PlugAndPlay <3

 * REM Requirements:
@ -17,11 +19,8 @@
 * REM Max Severity: Important

 * REM Mitigation:
-
 * REM     - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
-
-* REM     - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as "Office and Windows HTML Remote Code Execution Vulnerability" (CVE-2023-36884).
-
+* REM     - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as 'Office and Windows HTML Remote Code Execution Vulnerability' (CVE-2023-36884).
 * REM The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.

 * REM It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
@ -38,29 +37,29 @@ QUACK DELAY 500
 QUACK ENTER

 * REM Sets the path to the registry key
-QUACK STRING $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
+QUACK STRING $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
 QUACK ENTER

 * REM Array of application names
 QUACK STRING $applicationNames = @(
 QUACK ENTER
-QUACK STRING "Excel.exe",
+QUACK STRING 'Excel.exe',
 QUACK ENTER
-QUACK STRING "Graph.exe",
+QUACK STRING 'Graph.exe',
 QUACK ENTER
-QUACK STRING "MSAccess.exe",
+QUACK STRING 'MSAccess.exe',
 QUACK ENTER
-QUACK STRING "MSPub.exe",
+QUACK STRING 'MSPub.exe',
 QUACK ENTER
-QUACK STRING "Powerpnt.exe",
+QUACK STRING 'Powerpnt.exe',
 QUACK ENTER
-QUACK STRING "Visio.exe",
+QUACK STRING 'Visio.exe',
 QUACK ENTER
-QUACK STRING "WinProj.exe",
+QUACK STRING 'WinProj.exe',
 QUACK ENTER
-QUACK STRING "WinWord.exe",
+QUACK STRING 'WinWord.exe',
 QUACK ENTER
-QUACK STRING "Wordpad.exe"
+QUACK STRING 'Wordpad.exe'
 QUACK ENTER
 QUACK STRING )
 QUACK ENTER
@ -70,7 +69,7 @@ QUACK STRING if (!(Test-Path $registryPath)) {
 QUACK ENTER
 QUACK STRING New-Item -Path $registryPath -Force | Out-Null
 QUACK ENTER
-QUACK STRING echo "Registry key created"
+QUACK STRING echo 'Registry key created'
 QUACK ENTER
 QUACK STRING }
 QUACK ENTER
@ -80,7 +79,7 @@ QUACK STRING foreach ($appName in $applicationNames) {
 QUACK ENTER
 QUACK STRING Set-ItemProperty -Path $registryPath -Name $appName -Value 1 -Type DWORD -Force | Out-Null
 QUACK ENTER
-QUACK STRING echo "[+] $appName"
+QUACK STRING echo '[+] $appName'
 QUACK ENTER
 QUACK STRING }
 QUACK ENTER