winstxnhdw / CVE-2022-30190

A proof of concept for CVE-2022-30190 (Follina).


CVE-2022-30190 (Follina)


A proof of concept (PoC) for CVE-2022-30190 (Follina).

Requirements

Victim

  • Windows 10 21H1 (equivalent/earlier)
  • Security update KB5016616 uninstalled

Attacker

Configuration

Edit config.xml to modify the attacker's server hostname and port number.

<host>
  <name>{ hostname }</name>
  <port>{ port }</port>
</host>

Usage

Trojan

The following Python script will build the trojan.docx file and initialise the attacker's server.

python init.py

Payload

Build the payload and remove all unnecessary binaries with the following.

dotnet publish LocalEXF

Clean

Run the following batch script to permanently delete this directory and everything in it.

.\destroy_all.bat

Important Notes

  • To execute complex PowerShell commands, as this PoC does, the commands must be Base64 encoded.

  • index.html must contain at least 4096 bytes of data within the <script> tag.

  • All arguments must be used as described within href.txt.

  • Microsoft Word cannot use the index.html file to execute JavaScript. But for whatever reason, location.href works.

  • For commands that invoke long-running tasks, a troubleshooter window will appear when the victim loads the document. The victim can inadvertently stop the attack by cancelling the troubleshooter, so keep the command runtime short.
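A defender-side check for the preconditions listed under Requirements, written as an added example and not part of this repository: it reports whether KB5016616 is present and whether the ms-msdt: URL protocol handler, which Microsoft's published workaround for CVE-2022-30190 removes, is still registered. It assumes an elevated Windows PowerShell 5.1 or later session; the function name is the example's own.

```powershell
# Added example (not part of this repository): report whether a Windows host
# still matches the README's stated victim preconditions for CVE-2022-30190.
# Assumes an elevated Windows PowerShell 5.1+ session.

function Test-FollinaExposure {
    # README precondition: security update KB5016616 is not installed.
    # Caveat: Get-HotFix reads Win32_QuickFixEngineering, and a later
    # cumulative update that supersedes KB5016616 will not show this ID,
    # so treat "missing" as "verify against the host's update history".
    $hotfix  = Get-HotFix -Id 'KB5016616' -ErrorAction SilentlyContinue
    $patched = $null -ne $hotfix

    # Microsoft's workaround for CVE-2022-30190 was to delete the ms-msdt
    # protocol handler key; if it exists, MSDT can still be launched from
    # a URI, which is what the troubleshooter prompt in the README reflects.
    $handlerPresent = Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

    # OS version and build, for comparison with "Windows 10 21H1 or earlier".
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        OSVersion    = $os.Version
        OSBuild      = $os.BuildNumber
        KB5016616    = if ($patched) { 'installed' } else { 'missing' }
        MsdtHandler  = if ($handlerPresent) { 'registered' } else { 'removed' }
        # Exposed only when both the patch is absent and the handler remains.
        Exposed      = (-not $patched) -and $handlerPresent
    }
}

Test-FollinaExposure | Format-List
```

Run it across a fleet with Invoke-Command and filter on Exposed to find hosts that still need the update or the handler removal.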
