
Local RCE, (MSDT) office, CVE-2022-30190

0xCC

floppy-disk
Banned
Joined: 23.05.2020
Messages: 5
Reactions: 0
Please note that this user has been banned.
Why buy when you can make it yourself?
Please google Follina github POC and you will see several of them.

Here is the best one with step-by-step configuration.

The funny thing is that overnight things changed, as of now Windows Defender is detecting the ms-mdt use. And it was all ok 5-7 hours ago.
 
Is there any way to bypass AVs?
 
For now the trigger is the use of ms-mdt.
Need to play with it.
That's what I am doing at the moment )
 
Can we obfuscate the HTML file? (stupid question btw )
There is no stupid question.
What is interesting was the fact that this method opened up more bugs.

So I would suggest you research it step by step and read up on other CVEs. Eventually you might come up with something similar.

Obfuscating the HTML wouldn't work in this case, as it would be detected after it is deobfuscated and executed.
 
Windows Defender detects this file [word\_rels\document.xml.rels]; is it possible to obfuscate this file? Or maybe we can use any other protocol instead of ms-mdt:.
 
The best way to know is testing!

Not only static analysis is detecting this CVE now, but behavior analysis too. It's very suspicious for winword.exe to spawn msdt.exe and another child process like powershell.exe, for example.
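The behaviour-based detection this post describes, written up as an added example that is not code from the thread: a Python check over constructed Sysmon-style process-creation events that flags msdt.exe when its parent is an Office process and raises the severity for anything msdt.exe then spawns, such as powershell.exe. The event field names and the Office image list beyond winword.exe are assumptions.

```python
import json
import ntpath

# Constructed Sysmon Event ID 1 style records (JSON lines), made up for this
# example; field names follow Sysmon's process-creation event.
SAMPLE_LOG = r"""
{"ProcessId":1200,"ParentProcessId":800,"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe"}
{"ProcessId":3320,"ParentProcessId":1200,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe"}
{"ProcessId":3388,"ParentProcessId":3320,"Image":"C:\\Windows\\System32\\msdt.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ProcessId":3460,"ParentProcessId":3388,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\msdt.exe"}
{"ProcessId":5000,"ParentProcessId":1200,"Image":"C:\\Windows\\System32\\msdt.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"ProcessId":5100,"ParentProcessId":1200,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe"}
"""

# Office hosts that have no legitimate reason to launch the diagnostics tool
# (assumed list; the thread only names winword.exe).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def parse_events(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def lineage(event, by_pid):
    """Image basenames from this process up to the root, child first. Falls back
    to the event's own ParentImage when the parent's creation event is missing."""
    chain, seen, cur = [_base(event["Image"])], {event["ProcessId"]}, event
    while True:
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None or parent["ProcessId"] in seen:
            chain.append(_base(cur["ParentImage"]))
            return chain
        chain.append(_base(parent["Image"]))
        seen.add(parent["ProcessId"])
        cur = parent


def detect_office_msdt(events):
    """Flag msdt.exe spawned by an Office process, plus anything msdt.exe spawns."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        chain = lineage(e, by_pid)
        for child, parent in zip(chain, chain[1:]):
            if child == "msdt.exe" and parent in OFFICE_IMAGES:
                # A further child (e.g. powershell.exe) means the troubleshooter ran something.
                severity = "high" if chain[0] != "msdt.exe" else "medium"
                findings.append({"pid": e["ProcessId"], "severity": severity,
                                 "chain": " <- ".join(chain)})
                break
    return findings
```

msdt.exe launched from explorer.exe (a user opening a troubleshooter) is deliberately left unflagged, so the rule keys on the Office parent rather than on msdt.exe alone.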
 
Totally, continue testing and share your results.

But in this case, because you are using the highly reputable protocol, it was allowing you to launch apps. One direction for tests is PowerShell scripts as well.
 

