lockedbyte / CVE-2021-40444

CVE-2021-40444 PoC

the .cab file has not been requested, no execution #1

Closed. rtfghd closed this 2 years ago.

rtfghd commented 2 years ago

Hello, I have an issue: when I open the .docx on the target machine, I can see a successful request for http://attackIP/exploit.html, but the .cab file has not been requested, and there is no execution.

lockedbyte commented 2 years ago

Hi,

As the README says, did you check for championship.inf at C:\Users\<your user>\AppData\Temp?

If it is there, it is not a cab problem, but an exploit.html problem with execution.

Make sure that the doc is in a folder like Desktop or Downloads (user home folders).

Also, check if you can execute the extracted championship.inf in Temp manually with rundll32, to see if the extracted payload works.

I do not know if you mean that out.cab has not been requested in the HTTP requests? Then it might be an HTML problem... Are you sure that out.cab is pointed to in the right way in exploit.html (right IP and path)?

prcabral commented 2 years ago

Hello,

I'm having a similar issue where, using the obfuscated html, I can pop calc, but when using the deobfuscated one I can't. For the obfuscated one I have just changed the hardcoded domain of the first sample to point to my domain.

lockedbyte commented 2 years ago

Hi @prcabral

Yes! I deobfuscated the original one just for transparency, so people know what happens under the hood. But I still have to make the non-obfuscated version work. For now, consider it a reference to know what the obfuscated one does.

kmahyyg commented 2 years ago

I use the dll generated by Cobalt Strike for testing purposes, and also tried to directly use the calc.cab attached in your repo. None of them is working here. The HTTP requests are all working: all files are requested and return 200.

Test environment: Win7 x64 with IE 11, Office 2013. Doc file put in the Desktop folder.

kmahyyg commented 2 years ago

> I use the dll generated by Cobalt Strike for testing purposes, and also tried to directly use the calc.cab attached in your repo. None of them is working here. The HTTP requests are all working: all files are requested and return 200.
>
> Test environment: Win7 x64 with IE 11, Office 2013. Doc file put in the Desktop folder.

Update: I changed the dll to a cpl file copied from https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function ; however, I cannot find championship.inf in C:\users\myname\appdata\local\temp.

lockedbyte commented 2 years ago

If you are using the PoC and not the old repo, the extracted image should be "msword.inf".

kmahyyg commented 2 years ago

> If you are using the PoC and not the old repo, the extracted image should be "msword.inf".

Also no msword.inf here. However, when I try to reproduce it on my Windows 10, I can see msword.inf, but still no popup.

lockedbyte commented 2 years ago

On Windows 10, make sure, as I already mentioned, that you open the docx from a user home directory like Downloads.

Also, to make sure the inf was extracted successfully, launch rundll32 manually on it and see if it pops.

kmahyyg commented 2 years ago

> On Windows 10, make sure, as I already mentioned, that you open the docx from a user home directory like Downloads.
>
> Also, to make sure the inf was extracted successfully, launch rundll32 manually on it and see if it pops.

It pops if I change msword.inf to msword.cpl and then double-click. I always put the docx on my desktop.

Ascotbe commented 2 years ago

Hello ~ I get multiple HTML pages popping up after I open the document, as shown. What is the reason?

kmahyyg commented 2 years ago

> Hello ~ I get multiple HTML pages popping up after I open the document, as shown. What is the reason?

It just works like this. I get a lot of security popups which ask for my confirmation.

kmahyyg commented 2 years ago

> On Windows 10, make sure, as I already mentioned, that you open the docx from a user home directory like Downloads. Also, to make sure the inf was extracted successfully, launch rundll32 manually on it and see if it pops.
>
> It pops if I change msword.inf to msword.cpl and then double-click. I always put the docx on my desktop.

@lockedbyte

I think I found the reason: according to procmon, it seems that the PATH of the inf is not correct.

Ascotbe commented 2 years ago

> Hello ~ I get multiple HTML pages popping up after I open the document, as shown. What is the reason?
>
> It just works like this. I get a lot of security popups which ask for my confirmation.

But it does not have the normal calc.exe pop-up.

kmahyyg commented 2 years ago

> Hello ~ I get multiple HTML pages popping up after I open the document, as shown. What is the reason?
>
> It just works like this. I get a lot of security popups which ask for my confirmation.
>
> But it does not have the normal calc.exe pop-up.

Yes, we are currently discussing this. More modifications might be on the way.

kmahyyg commented 2 years ago

@b4sh1t1 I had already completely turned off Defender before I did this. And also, I just want it to open a MessageBox here, so how do I correct the inf location (is this location about the function in the dll, the calc.exe location, or something else)?

Ascotbe commented 2 years ago

> @b4sh1t1 I had already completely turned off Defender before I did this. And also, I just want it to open a MessageBox here, so how do I correct the inf location (is this location about the function in the dll, the calc.exe location, or something else)?

Some Windows versions are not available, such as 1709; when I changed to 2004, I can refer to https://github.com/Ascotbe/Kernelhub/tree/master/CVE-2021-40444 (the pop-up problem can be set up in IE settings :D)

kmahyyg commented 2 years ago

> @b4sh1t1 I had already completely turned off Defender before I did this. And also, I just want it to open a MessageBox here, so how do I correct the inf location (is this location about the function in the dll, the calc.exe location, or something else)?
>
> Some Windows versions are not available, such as 1709; when I changed to 2004, I can refer to https://github.com/Ascotbe/Kernelhub/tree/master/CVE-2021-40444 (the pop-up problem can be set up in IE settings :D)

The pop-up problem, I don't want to resolve it, since it would break my whole system security mechanism... I've always disabled ActiveX on all my machines, even though some legacy and evil Chinese bank sites still need this sh*t.

My test OS is Windows 7 SP1 and also Windows 10 21H1. I'll try to build a payload using MSF, and will give feedback later.

kmahyyg commented 2 years ago

> On Windows 10, make sure, as I already mentioned, that you open the docx from a user home directory like Downloads. Also, to make sure the inf was extracted successfully, launch rundll32 manually on it and see if it pops.
>
> It pops if I change msword.inf to msword.cpl and then double-click. I always put the docx on my desktop.
>
> @lockedbyte
>
> I think I found the reason: according to procmon, it seems that the PATH of the inf is not correct.

By the way, @Ascotbe, control.exe seems to be a 32-bit process. I guess I need to build a 32-bit dll to have a try.

Ascotbe commented 2 years ago

> On Windows 10, make sure, as I already mentioned, that you open the docx from a user home directory like Downloads. Also, to make sure the inf was extracted successfully, launch rundll32 manually on it and see if it pops.
>
> It pops if I change msword.inf to msword.cpl and then double-click. I always put the docx on my desktop.
>
> @lockedbyte I think I found the reason: according to procmon, it seems that the PATH of the inf is not correct.
>
> By the way, @Ascotbe, control.exe seems to be a 32-bit process. I guess I need to build a 32-bit dll to have a try.

I am using a 32-bit DLL built by msfconsole.

kmahyyg commented 2 years ago

This time, it popped up before Defender killed it... Windows 10 21H1 amd64, but it seems it opened another file I had manually placed before and forgot to clean up... But the document is using a dll built by MSF to run notepad.exe.

I don't know what went wrong...

kmahyyg commented 2 years ago

@Ascotbe Things work on 21H1 if you manually place the inf file at the correct path, \AppData\Local\Temp\Low\msword.inf, with the latest Office 365 version...... The cab always extracts the inf to \appdata\local\temp\msword.inf.

And another discovery is that this operation must have some cache mechanism... So clear the cache, or rest for a long period of time, before you test another time.

cc @lockedbyte something must need a mod.
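As an added defensive example (not code from the PoC repository or from anyone in this thread): the artifacts the thread converges on, an .inf or .cpl written by Word under AppData\Local\Temp or Temp\Low and a 32-bit control.exe or rundll32 launched by Word with that file, checked over constructed Sysmon-style log lines. The field names follow Sysmon's ProcessCreate (EventID 1) and FileCreate (EventID 11) events; the `key=value | ...` line format, user name and paths are assumptions.

```python
"""Flag Office-dropped .inf/.cpl files in Temp and Office-spawned control.exe/rundll32.
Hypothetical detection helper; the sample log below is constructed, not captured."""
import re

# Drop locations reported in the thread: Temp\msword.inf and Temp\Low\msword.inf.
DROP_RE = re.compile(r"\\appdata\\local\\temp(\\low)?\\[^\\\s]+\.(inf|cpl)\b", re.IGNORECASE)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"control.exe", "rundll32.exe"}   # control.exe is the 32-bit host seen in procmon

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_line(line: str) -> dict:
    """Parse one 'Key=Value | Key=Value' line (assumed export format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.split(" | ") if "=" in kv)

def flag(ev: dict):
    """Return a reason string if the event matches the thread's artifacts, else None."""
    eid = int(ev.get("EventID", "0"))
    image = basename(ev.get("Image", ""))
    if eid == 11 and image in OFFICE and DROP_RE.search(ev.get("TargetFilename", "")):
        return "office-wrote-inf: " + ev["TargetFilename"]
    if (eid == 1 and basename(ev.get("ParentImage", "")) in OFFICE
            and image in LOLBINS and DROP_RE.search(ev.get("CommandLine", ""))):
        return f"office-spawned-{image}: " + ev["CommandLine"]
    return None

def scan(log_text: str) -> list:
    return [r for r in (flag(parse_line(l)) for l in log_text.splitlines() if l.strip()) if r]

# Constructed sample: two malicious events, one benign Word temp file, one manual
# rundll32 test from cmd.exe (as the thread suggests), one benign Control Panel launch.
SAMPLE_LOG = r"""
EventID=11 | Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | TargetFilename=C:\Users\alice\AppData\Local\Temp\msword.inf
EventID=11 | Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | TargetFilename=C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp
EventID=1 | Image=C:\Windows\SysWOW64\control.exe | ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | CommandLine=control.exe C:\Users\alice\AppData\Local\Temp\Low\msword.inf
EventID=1 | Image=C:\Windows\System32\rundll32.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\msword.inf
EventID=1 | Image=C:\Windows\System32\control.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=control.exe
""".strip()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The manual rundll32 test the thread recommends is deliberately not flagged (parent is cmd.exe), so the rule keys on the Word-to-host process relationship rather than on the file name alone.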