Follina
CVE-2022-30190, commonly known as Follina, is a remote code execution vulnerability involving the Microsoft Support Diagnostic Tool (MSDT) on Windows. The flaw is triggered when a calling application such as Microsoft Word invokes the ms-msdt URL protocol, allowing attacker-controlled content to reach MSDT. Public reporting described exploit chains in which a crafted Office document uses an external relationship or remote template to retrieve attacker-hosted HTML, which then invokes ms-msdt and launches a PowerShell payload via msdt.exe. Exploitation was also reported to be possible by opening or, in some scenarios, previewing a specially crafted document in Explorer. Successful exploitation results in arbitrary code execution in the security context of the calling application and therefore within the affected user’s privileges.
Exploits
18 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (17 hidden).
Small 3-file repository containing a lab demonstration of CVE-2022-30190 (Follina), not a full exploit framework. The main exploit artifact is exploit.html, which contains JavaScript that immediately redirects the browser/Office-rendered content to a crafted ms-msdt: URI. That URI invokes PCWDiagnostic with a malicious IT_BrowseForFile parameter and embedded PowerShell expression; the Base64-decoded command is calc.exe, so the payload demonstrates code execution rather than delivering a post-exploitation implant. The repository also includes suricata_follina_rules.rules with two IDS signatures: one for ms-msdt/IT_BrowseForFile content in HTTP responses and one for requests to exploit.html. README.md documents the lab setup, attack chain, victim/attacker IPs, and observed network traffic. Overall purpose: educational/research demonstration of the Follina exploitation flow plus accompanying network detection content. The exploit capability is remote code execution on a vulnerable Windows/Office target via a malicious document that causes Word to fetch attacker-hosted HTML, which then triggers MSDT without requiring macros.
Repository contains a single proof-of-concept HTML file (payload.html). When opened, embedded JavaScript immediately redirects the browser to a crafted ms-msdt: URI that invokes the PCWDiagnostic troubleshooter with attacker-controlled parameters. The parameter string includes a traversal-like sequence and a command substitution pattern to execute a local command, demonstrated by launching calc.exe. The trailing repeated 'a' characters appear to be padding/filler and do not add functionality. No external network infrastructure (URLs/domains/IPs) is used; the exploit relies on the Windows ms-msdt protocol handler and local MSDT execution.
This repository provides a Python-based command-line tool ('follinaExploiter.py') to exploit the Microsoft Office MSDT 'Follina' vulnerability (CVE-2022-30190). The tool allows an attacker to generate a malicious Office document (doc, docx, or rtf) that, when opened or previewed by a victim, triggers code execution via the ms-msdt protocol handler. The attacker can specify a custom command to execute on the victim's machine or set up a reverse shell using Netcat. The exploit works by hosting a malicious HTML payload on an HTTP server (run by the tool) and embedding a reference to this payload in the generated Office document. The README provides detailed usage instructions and background on the vulnerability. The repository contains four files: the main exploit script, a README, a license, and a placeholder XML file. The exploit is operational and provides real code execution on vulnerable targets.
This repository contains a single HTML file ('Payload.html') that serves as a proof-of-concept exploit for the Microsoft Windows MSDT (Microsoft Support Diagnostic Tool) protocol handler vulnerability. The HTML file uses JavaScript to redirect the browser to a specially crafted 'ms-msdt:' URI, which attempts to exploit the protocol handler to execute arbitrary code (in this case, launching 'calc.exe') on a vulnerable Windows system. The exploit demonstrates the attack vector via a browser, requiring the victim to open or be redirected to the malicious HTML file. The repository is minimal, containing only the exploit payload, and does not include detection or post-exploitation features.
This repository provides a proof-of-concept (POC) exploit for CVE-2022-30190, also known as the 'Follina' MSDT Office RCE vulnerability. The exploit leverages the ms-msdt protocol handler in Microsoft Office documents (DOCX/RTF) to achieve remote code execution when a victim opens a crafted file. The repository includes a detailed README.md with step-by-step instructions for crafting a malicious Office document by editing its XML relationships to point to an external payload (such as an HTML file hosted on a web server). The payloads demonstrated include launching calc.exe, executing remote PowerShell scripts (e.g., from http://192.168.198.128/rev.ps1), and loading executables from SMB shares (e.g., \\taretip\share\poc). The exploit abuses the OLEObject relationship in document.xml.rels to trigger the ms-msdt protocol, which in turn executes arbitrary commands on the target system. The included index.html demonstrates a sample payload. The repository structure consists mainly of Office document XML files and a sample HTML payload, with the README.md providing the main exploit logic and usage instructions. This POC is not weaponized but demonstrates the core exploit technique for Follina.
This repository demonstrates a proof-of-concept (POC) exploit for CVE-2022-30190, also known as the 'Follina' vulnerability in Microsoft Office. The exploit leverages the ability of Office documents (DOCX or RTF) to reference external HTML content, which in turn uses the 'ms-msdt:' protocol handler to invoke the Microsoft Support Diagnostic Tool (MSDT) and execute arbitrary code on the target system. The README.md provides a detailed walkthrough of the attack chain, including the construction of malicious HTML and RTF payloads. The cap.rtf file is likely a crafted RTF payload designed to trigger the exploit when opened or previewed in Windows Explorer. The exploit does not require macros and can be triggered with minimal user interaction, making it highly effective. The repository does not contain executable code files but provides the necessary payloads and instructions to reproduce the exploit. Notable endpoints include the external HTML reference and the ms-msdt protocol handler. The exploit targets unpatched Microsoft Windows systems with Office installed and is a POC rather than a weaponized or automated exploit.
This repository is a proof-of-concept (POC) exploit for CVE-2022-30190, also known as 'Follina', a Microsoft Windows/MS Office remote code execution vulnerability. The main script, 'follina.py', automates the creation of a malicious Word document by modifying the OLE object relationship in 'ohno/word/_rels/document.xml.rels' to point to a user-specified payload URL. The script also starts a local HTTP server (default port 1337) to host the payload, which is an HTML file ('web/pwn.html') containing JavaScript that triggers the ms-msdt protocol handler to execute arbitrary code (by default, launching calc.exe) on the victim's machine. The repository includes all necessary files to build the malicious document and host the payload. The exploit demonstrates remote code execution when a victim opens the crafted Word document and their system is able to reach the attacker's HTTP server. The structure includes the Python exploit script, a directory with the Word document template, and the web payload. This POC is operational and demonstrates the vulnerability but is not weaponized for broader attack automation.
This repository contains a Python script (follina.py) that generates a malicious Microsoft Word document exploiting CVE-2022-30190 (Follina), a critical RCE vulnerability in Microsoft Office. The script allows the attacker to specify a command to execute on the victim's machine or to establish a reverse shell by downloading and running netcat. The exploit works by embedding a reference in the Word document to an attacker-controlled HTTP server, which serves a crafted HTML payload that triggers the MSDT protocol handler on the victim's system. The repository includes a README with detailed usage instructions and environment setup. The main code file is follina.py, which handles document generation, payload creation, and hosting the malicious payload via an HTTP server. The exploit targets Windows 10 with Office 2016 Pro and requires the victim to open the generated document. Notable endpoints include the attacker's HTTP server, the netcat download URL, and the file path where netcat is stored on the victim. The exploit is operational and provides reliable code execution or reverse shell access if the target is vulnerable.
This repository is a proof-of-concept (POC) exploit for CVE-2022-30190, also known as 'Follina', a remote code execution vulnerability in Microsoft Office via the MSDT protocol handler. The main exploit script, follina.py, generates a malicious Word document (.docx) that, when opened by a victim, causes Office to retrieve and execute a payload from a specified HTTP server. The script allows the user to specify the command to be executed on the victim's machine (default: calc.exe) or to set up a reverse shell using nc64.exe. The payload is served via a local HTTP server (default: http://127.0.0.1:4444/payload.html), but the IP and port can be customized. The repository includes a template docx directory used to craft the malicious document, and the Python script automates the process of embedding the payload URL. The README provides usage instructions, references, and a registry workaround to disable the vulnerable protocol. The exploit is operational as a POC and demonstrates the attack vector but is not weaponized for mass exploitation.
This repository is a proof-of-concept exploit for CVE-2022-30190 (Follina), a critical Microsoft Office remote code execution vulnerability. The main exploit script, 'cve-2022-30190.py', automates the creation of a malicious Word document (.doc) that references an external HTML payload. The script also sets up a local HTTP server to serve this payload. When the document is opened or previewed on a vulnerable Windows system, the HTML payload is fetched and uses the 'ms-msdt:' protocol to invoke the Microsoft Support Diagnostic Tool, which executes an attacker-supplied command (default: calc.exe, or a reverse shell if specified). The payload is base64-encoded and executed via PowerShell for reliability. The repository includes a Word document skeleton in the 'doc/' directory, which is modified by the script to embed the external reference. The exploit can be configured to deliver arbitrary commands or a reverse shell, and the README provides detailed background and usage instructions. The attack vector is a combination of file-based (malicious document) and network-based (HTTP server hosting the payload) delivery. No detection or fake code is present; this is a functional exploit POC.
This repository is an exploit for CVE-2022-30190 (Follina), a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) invoked via Microsoft Office documents. The main exploit logic is in 'follina.py', a Python script that generates a malicious Word document by modifying a template and embedding a reference to an attacker-controlled HTTP server. When the victim opens the document, Office loads an external HTML payload via the ms-msdt protocol handler, which executes arbitrary commands on the victim's system. The script allows the attacker to specify the command to run (default: calc.exe), or to set up a reverse shell by downloading netcat to the victim and connecting back to the attacker's server. The repository includes the necessary Word document structure in the 'doc/' directory, and the Python script handles both document generation and hosting the payload. The exploit is operational and provides real code execution on vulnerable systems, but is not part of a larger exploitation framework.
This repository is a Go-based proof-of-concept (PoC) exploit for the Follina (CVE-2022-30190) MS-MSDT vulnerability affecting Microsoft Office (Word) on Windows. The exploit generates a malicious Word (.docx) document that, when opened, causes Microsoft Word to fetch an external OLEObject from an attacker-controlled HTTP server (configurable via --host and --port). The OLEObject reference in the document triggers the ms-msdt protocol handler, which executes arbitrary attacker-supplied commands (such as launching calc.exe) on the victim's system via a crafted PowerShell payload. The repository includes Go source code for document generation (main.go, compile.go, etc.), embedded document resources (res/docx/*), and a minimal HTTP server to deliver the payload. The exploit is operational as a PoC and does not include advanced features such as payload customization beyond the supplied command. The main entry point is main.go, and the exploit is not part of a larger framework.
This repository is a proof-of-concept exploit for CVE-2022-30190 (Follina), a critical remote code execution vulnerability in Microsoft Windows via the MSDT protocol handler, typically triggered through a malicious Word document. The main script, Deathnote.py, automates the creation of a malicious Word document by modifying a template and embedding an external OLE object that references an attacker-controlled HTTP server. The server hosts an HTML payload that, when accessed by Word, triggers the ms-msdt protocol to execute arbitrary commands on the victim's system. The payload can be customized to run any command, and the script supports an option to deliver a reverse shell by downloading a netcat binary to the victim and connecting back to the attacker's server. The repository includes the necessary Word document skeleton files under the 'doc/' directory, which are used as a base for the malicious document. The exploit requires the victim to open the generated document, after which code execution occurs with the privileges of the user. The exploit is operational and demonstrates real-world impact, including the ability to gain a reverse shell on the target system.
This repository is a proof-of-concept (POC) exploit for CVE-2022-30190, also known as 'Follina', a vulnerability in Microsoft Windows and Office that allows remote code execution via the ms-msdt protocol handler. The repository contains two files: a README.md with usage instructions and an 'exploit.html' file. The exploit works by hosting 'exploit.html' on a web server and crafting a Word document that references this file via its relationship XML. When the document is opened, the HTML triggers a redirect to a specially crafted ms-msdt URI, which abuses the protocol handler to execute arbitrary code (demonstrated by launching calc.exe). The exploit is a POC and does not include weaponized features or advanced payload customization. The main attack vector is network-based delivery of a malicious document, with the endpoint being the ms-msdt protocol handler on Windows systems.
This repository is an operational exploit for the Follina (CVE-2022-30190) MS-MSDT remote code execution vulnerability in Microsoft Office. The main script, 'follina.py', automates the creation of a malicious Word document that, when opened, triggers the ms-msdt protocol to execute arbitrary code on the victim's Windows system. The exploit supports two modes: executing a specified binary (local or remote) or running an arbitrary PowerShell command. The script also sets up a local HTTP server to serve the HTML payload required for exploitation. The repository includes template files for the document relationship and HTML payload, as well as a sample generated payload. The exploit is not part of a framework and is written in Python, with supporting HTML templates. It is a practical, operational exploit that can be used for red teaming or security testing against unpatched Microsoft Office installations.
This repository is a proof-of-concept (PoC) exploit for CVE-2022-30190 (Follina), a critical remote code execution vulnerability in Microsoft Office via the MSDT protocol. The project is implemented in Java using Spring Boot and provides a web interface (on http://localhost:8080) for generating malicious Office documents. Users can specify an IP address and upload a shellcode file, which is then embedded into a crafted Word document. When a victim opens this document, it triggers the MSDT protocol to execute arbitrary code (the provided shellcode) on the victim's Windows machine. The exploit works by staging a malicious HTML payload at /exploit and serving the shellcode at /download. The repository includes Java source code for the web server, JSP files for the web interface, and Office document templates. The exploit is operational as a PoC, requiring manual interaction and a reachable staging server, but does not include advanced weaponization or automation features.
This repository is a Python-based exploit tool for CVE-2022-30190 (Follina), a critical Microsoft Office/Windows MSDT vulnerability. The main script, 'follinaExploiter.py', provides a CLI for generating malicious Office documents (doc, docx, rtf) that exploit the vulnerability. The tool allows the attacker to specify a command to execute on the victim's machine or to set up a reverse shell using Netcat. The exploit works by embedding an OLE object in the Office document that references an external HTML payload hosted by the attacker's HTTP server. This HTML payload uses the 'ms-msdt:' protocol handler to trigger code execution via MSDT on the victim's system. The repository includes a payload template in the 'Assets/payload' directory, which is used to generate the malicious documents. The tool is operational and automates both payload generation and hosting, making exploitation straightforward for an attacker. No hardcoded IPs or domains are present; the attacker supplies these at runtime. The exploit targets Microsoft Office on Windows systems vulnerable to CVE-2022-30190 and can be used for arbitrary command execution or to obtain a reverse shell.
This repository is a proof-of-concept (PoC) exploit for CVE-2022-30190 (Follina), targeting Microsoft Windows systems via a malicious Word document. The exploit chain involves generating a specially crafted .docx file that, when opened, triggers the Follina vulnerability to execute a PowerShell command. This command downloads and runs a .NET payload (LocalEXF) on the victim's machine. The payload searches the victim's Desktop for a range of document and image file types, copies them to a hidden folder, compresses them, and uploads the archive to an attacker-controlled HTTP server. The server is implemented in Python and saves the exfiltrated files. The repository includes scripts for building the payload, generating the malicious document, and cleaning up artifacts. The exploit is operational as a PoC, with clear instructions for both attacker and victim environments, and is not part of a larger exploitation framework.
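The two artifacts the summaries above keep returning to, an external oleObject relationship in word/_rels/document.xml.rels and an ms-msdt: URI carrying IT_BrowseForFile in the fetched HTML, are also what a defender can key on when triaging documents and proxy captures. The Python script below is an added example, not code from the Mallory page or from any of the listed repositories; the in-memory .docx fixture and the staging.example.invalid host are constructed placeholders.

```python
"""Triage helpers for Follina-style artifacts (added example, not page code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# An ms-msdt: URI that carries the IT_BrowseForFile parameter is the marker
# the network signatures described in the repository summaries key on.
MSDT_RE = re.compile(r"ms-msdt:.{0,300}?IT_BrowseForFile", re.IGNORECASE | re.DOTALL)


def external_relationships(docx_bytes):
    """Return (rels file, relationship type, target) for each relationship in
    the Word package that points at a remote location.

    Plain hyperlinks are skipped: they are external by design and only fire on
    a click, whereas an external oleObject is fetched when the file is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or rtype == "hyperlink":
                    continue
                if re.match(r"(?i)^(https?|file):", target) or target.startswith("\\\\"):
                    hits.append((name, rtype, target))
    return hits


def msdt_uris(text):
    """Return every ms-msdt: URI with IT_BrowseForFile found in an HTML body."""
    return MSDT_RE.findall(text)


def build_docx(rels_xml):
    """Constructed minimal Word package used as a fixture. It carries no OLE
    element in document.xml, so it is an inspection sample, not a working file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document xmlns:w='urn:placeholder'/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_TEMPLATE = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OOXML_REL}hyperlink" '
    'Target="https://example.com/" TargetMode="External"/>'
    "{extra}</Relationships>"
)
# Constructed samples: the host name is a placeholder, not a real indicator.
SUSPECT_REL = (f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
               'Target="http://staging.example.invalid/payload.html" TargetMode="External"/>')
BENIGN_DOCX = build_docx(RELS_TEMPLATE.format(extra=""))
SUSPECT_DOCX = build_docx(RELS_TEMPLATE.format(extra=SUSPECT_REL))
SAMPLE_HTML = ('<html><script>window.location.href = "ms-msdt:/id PCWDiagnostic '
               '/param \\"IT_BrowseForFile=PLACEHOLDER\\"";</script></html>')

if __name__ == "__main__":
    print(external_relationships(SUSPECT_DOCX))
    print(msdt_uris(SAMPLE_HTML))
```

Run the same two functions over a quarantined .docx and over the HTTP response bodies your proxy captured to get the per-file and per-response hits the Suricata rules described above would alert on.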
Recent activity
51 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A previously known Windows URI-related vulnerability referenced only as historical context while discussing potentially dangerous registered URI handlers.
CVE-2022-30190 (Follina) is referenced only as a detection signature in product coverage, not as the primary subject of the article. The article itself focuses on abuse of the Windows search-ms/search URI protocol handlers rather than detailing this vulnerability.
Microsoft Windows MSDT remote code execution vulnerability referenced as an exploit present in the operator's toolkit.
A publicly reported vulnerability in Microsoft Support Diagnostic Tool (MSDT) referenced as an example of threat actors using LLMs for vulnerability research and identifying potential exploitation paths.