CVE-2021-40444

Partly working PoC; check lockedbyte's PoC for the full experience!


"Fork" of lockedbyte's CVE-2021-40444 PoC

Folks, I tried to port his PoC for usage on Windows using the given modules for that, but I think I messed up at some point... A connection to the local server is established, but either my CAB file or the generated DOCX is corrupt.

Usage

All variables will be read from config.json and can be changed there.

Generate CAB and DOCX

python3 3xpl01t.py gen

Start test server

python3 3xpl01t.py srv

Structure

  • A Letter before court 4: original sample downloaded from any.run (used as a template)
  • data: like a temp folder ^^
  • 3xpl01t.py: the name says it all.
  • calc.cab: original CAB file from lockedbyte's PoC
  • config.json: hopefully the configuration is self-explanatory ...
  • cve.*:
    • cve.nim: code for generating custom DLLs (compile with: nim c -d=mingw --app=lib --nomain --cpu=amd64 .\cve.nim)
    • cve.dll: output of the given command
    • cve.cab: generated and patched CAB file (not working!)
  • malicious.docx: generated DOCX file
  • methods.py: this is where the partly working magic happens
  • side.html: patched entry file (stolen from lockedbyte)

Improvements

  • Add a Markdown-to-DOCX engine to customize your malicious documents
  • Get rid of the config file and work with command-line arguments ^^ (it was easier to test with a config ;))
  • Automated sending of emails
  • ...

Conclusion

If you really wanna exploit CVE-2021-40444, you need to patch this approach or go directly with the mentioned PoC. If you wanna fix the unknown issue here, feel free to open a pull request with your changes and I will happily merge shit together!

Remember to deactivate Defender when testing .... Not the best approach, but it's Windows, so what do you expect??!