🔥 MS-MSDT Office RCE
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters). The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Research:
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
PoC:
https://github.com/JohnHammond/msdt-follina
https://github.com/chvancooten/follina.py
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040
Demo Follina with Cobalt Strike:
https://www.youtube.com/watch?v=oM4GHtVvv1c
For BlueTeam:
https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
Everything new is well-forgotten old:
Research from August 2020. And a few other payloads.
#office #rce #msmsdt #nomacro
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters). The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Research:
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
PoC:
https://github.com/JohnHammond/msdt-follina
https://github.com/chvancooten/follina.py
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040
Demo Follina with Cobalt Strike:
https://www.youtube.com/watch?v=oM4GHtVvv1c
For BlueTeam:
https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
Everything new is well-forgotten old:
Research from August 2020. And a few other payloads.
#office #rce #msmsdt #nomacro
🔥14👍7