https://github.com/winstxnhdw/cve-2022-30190
A proof of concept for CVE-2022-30190 (Follina).
- Host: GitHub
- URL: https://github.com/winstxnhdw/cve-2022-30190
- Owner: winstxnhdw
- Created: 2022-09-15T16:12:57.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-03-01T16:26:36.000Z (about 1 year ago)
- Last Synced: 2025-03-27T23:41:46.180Z (about 1 month ago)
- Topics: cve-2021-40444, follina, msdt, remote-code-execution, trojan
- Language: C#
- Homepage:
- Size: 66.4 KB
- Stars: 2
- Watchers: 2
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# CVE-2022-30190 (Follina)
[main.yml workflow](https://github.com/winstxnhdw/CVE-2022-30190/actions/workflows/main.yml)
[dependabot.yml workflow](https://github.com/winstxnhdw/CVE-2022-30190/actions/workflows/dependabot.yml)

A proof of concept (PoC) for CVE-2022-30190 (Follina).
## Requirements
### Victim
- Windows 10 21H1 (equivalent/earlier)
- Security update KB5016616 uninstalled

### Attacker
- [Microsoft .NET SDK](https://dotnet.microsoft.com/en-us/download)
- Python 3.9 or later

## Configuration
Edit `config.xml` to modify the attacker's server hostname and port number.
```xml
{ hostname }
{ port }
```
## Usage
### Trojan
The following Python script will build the `trojan.docx` file and initialise the attacker's server.
```bash
python init.py
```

### Payload
Build the payload and remove all unnecessary binaries with the following.
```bash
dotnet publish LocalEXF
```

### Clean
Run the following batch script to permanently delete this directory and everything in it.
```ps1
.\destroy_all.bat
```

## Important Notes
- To execute complex PowerShell commands, such as the one used in this PoC, the command **must** be Base64 encoded.
- [index.html](build/index.html) must contain at least 4096 bytes of data within the `` tag.
- All arguments must be used as described within [href.txt](build/href.txt).
- Microsoft Word cannot use the [index.html](build/index.html) file to execute JavaScript. But for whatever reason, `location.href` works.
- For commands that invoke long running tasks, a troubleshooter will appear when the victim loads the document. The victim can inadvertently deny the attack by cancelling the troubleshooter. Ensure that the command runtime is short.