Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
CVE-2022-30190
Exploit : https://github.com/chvancooten/follina.py
'Follina' MS-MSDT n-day Microsoft Office RCE
Quick POC to replicate the 'Follina' Office RCE vulnerability for local testing purposes. Running the script will generate a clickme.docx (or clickme.rtf) payload file in your current working directory, and start a web server with the payload file (www/exploit.html). The payload and web server parameters are configurable (see help and examples).
⚠ DO NOT USE IN PRODUCTION LEST YOU BE REGARDED A DUMMY
Usage:
$ python .\follina.py -h
usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] -t {rtf,docx} [-u URL] [-H HOST] [-P PORT]
options:
-h, --help show this help message and exit
Required Arguments:
-m {command,binary}, --mode {command,binary}
Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command
Binary Execution Arguments:
-b BINARY, --binary BINARY
The full path of the binary to run. Can be local or remote from an SMB share
Command Execution Arguments:
-c COMMAND, --command COMMAND
The encoded command to execute in "command" mode
Optional Arguments:
-t {rtf,docx}, --type {rtf,docx}
The type of payload to use, can be "docx" or "rtf"
-u URL, --url URL The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost". Disables web server if custom URL scheme or path are specified
-H HOST, --host HOST The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
-P PORT, --port PORT The port to run the HTTP server on, defaults to 80
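Added defender-side example, not part of the follina.py project: a small Python check that flags a .docx whose document relationships load an OLE object from an external http(s) URL (the delivery shape a document like the generated clickme.docx relies on to fetch exploit.html), plus a helper that flags the ms-msdt: protocol handler in retrieved HTML. The two sample documents are constructed in memory; the relationship URL and file names are illustrative placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PART = "word/_rels/document.xml.rels"
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return Target URLs of oleObject relationships with TargetMode="External".

    Benign documents keep embedded objects inside the package; an OLE object
    whose target is a remote http(s) URL is the pattern worth alerting on.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if RELS_PART not in pkg.namelist():
            return []
        root = ET.fromstring(pkg.read(RELS_PART))
    hits = []
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        target = rel.get("Target", "")
        if (rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL
                and target.lower().startswith(("http://", "https://"))):
            hits.append(target)
    return hits


def has_msdt_scheme(html: str) -> bool:
    """True if retrieved HTML references the ms-msdt: protocol handler."""
    return MSDT_RE.search(html) is not None


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal in-memory .docx (constructed sample, not a real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed samples: one with a remote OLE object (the Follina delivery shape),
# one with only an internal image relationship (no alert expected).
SUSPICIOUS_DOCX = build_docx(
    f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" Type="{OLE_REL}" '
    'Target="http://localhost/exploit.html" TargetMode="External"/></Relationships>')
BENIGN_DOCX = build_docx(
    f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
    'Target="media/image1.png"/></Relationships>')
```

Run `external_ole_targets()` over inbound attachments and `has_msdt_scheme()` over the content fetched from any flagged URL to turn both halves of the chain into detections.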
Related topics:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
https://otx.alienvault.com/pulse/629898a10462dc371ec628d4
Mitigation:
Bonus
*Beware of clicking the link!