## https://sploitus.com/exploit?id=7FAB36AD-345E-5C1B-B259-20BF0E7DE97A
# CVE-2022-30190 (Follina)
Proof of concept (PoC) for CVE-2022-30190 (Follina).
## Requirements
### Victim
- Windows 10 21H1 (equivalent/earlier)
- Security update KB5016616 uninstalled
### Attacker
- [Microsoft .NET SDK](https://dotnet.microsoft.com/en-us/download)
- Python 3.9 or later
## Configuration
Edit `config.xml` to modify the attacker's server hostname and port number.
```xml
<host>
<name>{ hostname }</name>
<port>{ port }</port>
</host>
```
## Usage
### Trojan
The following Python script will build the `trojan.docx` file and initialise the attacker's server.
```bash
python init.py
```
### Payload
Build the payload and remove all unnecessary binaries with the following.
```bash
dotnet publish LocalEXF
```
### Clean
Run the following batch script to permanently delete this directory and everything in it.
```ps1
.\destroy_all.bat
```
## Important Notes
- To execute complex PowerShell commands, like this PoC, these commands **must** be Base64 encoded.
- [index.html](build/index.html) must contain at least 4096 bytes of data within the `<script>` tag.
- All arguments must be used as described within [href.txt](build/href.txt).
- Microsoft Word cannot use the [index.html](build/index.html) file to execute JavaScript. But for whatever reason, `location.href` works.
- For commands that invoke long running tasks, a troubleshooter will appear when the victim loads the document. The victim can inadvertently deny the attack by cancelling the troubleshooter. Ensure that the command runtime is short.