Share
## https://sploitus.com/exploit?id=7FAB36AD-345E-5C1B-B259-20BF0E7DE97A
# CVE-2022-30190 (Follina)

Proof of concept (PoC) for CVE-2022-30190 (Follina).

## Requirements

### Victim

- Windows 10 21H1 (equivalent/earlier)
- Security update KB5016616 uninstalled

### Attacker

- [Microsoft .NET SDK](https://dotnet.microsoft.com/en-us/download)
- Python 3.9 or later

## Configuration

Edit `config.xml` to modify the attacker's server hostname and port number.

```xml
<host>
  <name>{ hostname }</name>
  <port>{ port }</port>
</host>
```

## Usage

### Trojan

The following Python script will build the `trojan.docx` file and initialise the attacker's server.

```bash
python init.py
```

### Payload

Build the payload and remove all unnecessary binaries with the following batch script.

```ps1
.\build_payload.bat
```

### Clean

Run the following batch script to permanently delete this directory and everything in it.

```ps1
.\destroy_all.bat
```

## Important Notes

- To execute complex PowerShell commands, like this PoC, these commands **must** be Base64 encoded.

- [index.html](build/index.html) must contain at least 4096 bytes of data within the `<script>` tag.

- All arguments must be used as described within [href.txt](build/href.txt).

- Microsoft Word cannot use the [index.html](build/index.html) file to execute JavaScript. But for whatever reason, `location.href` works.

- For commands that invoke long running tasks, a troubleshooter will appear when the victim loads the document. The victim can inadvertently deny the attack by cancelling the troubleshooter. Ensure that the command runtime is short.