Compare commits

...

9 Commits

Author SHA1 Message Date
Aleff 8b35d04ee5
Merge 47cf3bde11 into 257081013d 2024-09-03 17:11:48 -05:00
Aleff 47cf3bde11 Update payload.txt 2024-06-11 08:18:02 +02:00
Aleff 9b9dfe8045 Attackmode and img replaced with link 2024-06-06 17:07:22 +02:00
Aleff 617aa0a25f
Update payload.txt 2023-07-22 10:59:49 +02:00
Aleff 55242ea4cf
QUACKed 2023-07-22 09:44:14 +02:00
Aleff 87354048c8
QUACKed 2023-07-22 09:43:23 +02:00
aleff-github ac02af58f4 Update README.md 2023-07-14 16:35:11 +02:00
aleff-github 0adde48233 README 2023-07-14 11:22:21 +02:00
Aleff d6bae24975
Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability
This script allows you to set the Register Key block rule that will allow you to defend against CVE-2023-36884.
2023-07-14 11:21:09 +02:00
2 changed files with 224 additions and 0 deletions

View File

@ -0,0 +1,118 @@
# Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability
This script allows you to set the Register Key block rule that will allow you to defend against CVE-2023-36884.
**Category**: Incident Response
## Table of Contents
- [Payload Description](#payload-description)
- [CVE-2023-36884 Description](#cve-2023-36884-description)
- [Summary](#summary)
- [Note](#note)
- [Dependencies](#dependencies)
- [Settings](#settings)
- [Administrative Privileges](#administrative-privileges)
- [Set the rule](#set-the-rule)
- [See the new rule](#see-the-new-rule)
- [Remove the rule](#remove-the-rule)
- [Credits](#credits)
## Payload Description
This script allows you to set the Register Key block rule that will allow you to defend against CVE-2023-36884.
Open a PowerShell, set the Register Key block rule trough the [command line interface](https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3).
![](https://i.ibb.co/g7Tj3fV/2.png)
## CVE-2023-36884 Description
### Summary
Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Please see the Microsoft Threat Intelligence [Blog Entry](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) for important information about steps you can take to protect your system from this vulnerability.
This CVE will be updated with new information and links to security updates when they become available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See [Microsoft Technical Security Notifications](https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1) and [Security Update Guide Notification System News: Create your profile now Microsoft Security Response Center](https://msrc.microsoft.com/blog/2022/08/security-update-guide-notification-system-news-create-your-profile-now/).
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
### Note
Tested on:
- Windows 11 Eng
### Dependencies
* ExecutionPolicy Bypass
## Settings
In this payload, I created a new registry key called "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION." All of the following application names are then added as a value of type REG_DWORD with data 1.
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- Powerpnt.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
Remember that you must run PowerShell with administrative privileges to create and manage registry keys.
### Administrative Privileges
- I used the Payload [Starting a PowerShell with administrator permissions in Windows 10/11](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows) by Hak5 Payloads
```
DELAY 1000
GUI x
DELAY 500
STRING a
DELAY 500
LEFT_ARROW
DELAY 500
ENTER
```
### Set the rule
![](https://i.ibb.co/XZB8NDJ/1.png)
### See the new rule
![](https://i.ibb.co/g7Tj3fV/2.png)
### Remove the rule
![](https://i.ibb.co/jRLj8j3/3.png)
## Credits
<h2 align="center">Aleff</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>

View File

@ -0,0 +1,106 @@
#######################################################################################################################
# #
# Title : Defend yourself against CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability #
# Author : Aleff #
# Version : 1.0 #
# Category : Incident Response #
# Target : Windows 10/11 #
# #
#######################################################################################################################
ATTACKMODE HID
# PlugAndPlay <3
# Requirements:
# - ExecutionPolicy Bypass
# Impact: Remote Code Execution
# Max Severity: Important
# Mitigation:
# - Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
# - The registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is located in the Main folder under the Internet Explorer settings, within the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FeatureControl. This registry key is used to mitigate the vulnerability known as 'Office and Windows HTML Remote Code Execution Vulnerability' (CVE-2023-36884).
# The CVE-2023-36884 vulnerability allows remote code execution through the processing of HTML files by Office and Windows applications. Creating this registry key and adding specific application values, such as REG_DWORD with data 1, helps block cross-protocol file navigation to mitigate the exploitation of this vulnerability.
# It is recommended to implement these protective measures to prevent potential attacks that could exploit the vulnerability and compromise the security of Office and Windows systems. It is important to understand the implications of modifying the registry and carefully evaluate the impact on the regular functionality of the involved applications.
# Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
QUACK DELAY 1000
QUACK GUI x
QUACK DELAY 500
QUACK STRING a
QUACK DELAY 500
QUACK LEFTARROW
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
# Sets the path to the registry key
QUACK STRING \$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
QUACK ENTER
QUACK DELAY 500
# Array of application names
QUACK STRING \$applicationNames = @(
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'Excel.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'Graph.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'MSAccess.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'MSPub.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'Powerpnt.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'Visio.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'WinProj.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'WinWord.exe',
QUACK ENTER
QUACK DELAY 500
QUACK STRING 'Wordpad.exe'
QUACK ENTER
QUACK DELAY 500
QUACK STRING )
QUACK ENTER
QUACK DELAY 500
# Create the registry key if it does not already exist
QUACK STRING if (!(Test-Path \$registryPath)) {
QUACK ENTER
QUACK DELAY 500
QUACK STRING New-Item -Path \$registryPath -Force # Out-Null
QUACK ENTER
QUACK DELAY 500
QUACK STRING echo 'Registry key created'
QUACK ENTER
QUACK DELAY 500
QUACK STRING }
QUACK ENTER
QUACK DELAY 500
# Add the values to the registry key
QUACK STRING foreach (\$appName in \$applicationNames) {
QUACK ENTER
QUACK DELAY 500
QUACK STRING Set-ItemProperty -Path \$registryPath -Name \$appName -Value 1 -Type DWORD -Force # Out-Null
QUACK ENTER
QUACK DELAY 500
QUACK STRING echo '[+] \$appName'
QUACK ENTER
QUACK DELAY 500
QUACK STRING }
QUACK ENTER
QUACK DELAY 500