## https://sploitus.com/exploit?id=D0B71389-3DF9-5050-B950-FFA70C04D9AD
# CVE-2022-30190 (Follina)

Educational Malware Development, Exploitation, Analysis and Mitigation

A fully documented proof-of-concept demonstrating the Follina vulnerability - from social engineering delivery through to exploitation, forensic analysis, and patch development.

---

> โš ๏ธ **Educational Use Only.** All activities in this repository were conducted exclusively within an isolated virtual machine lab environment as part of the IE4012 Offensive Hacking Tactics & Strategies module at SLIIT. Nothing here should be used outside a controlled lab. Do not test against real systems or networks.

---

## 📋 Overview

**CVE-2022-30190**, nicknamed **Follina**, is a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT). It was publicly disclosed on 30 May 2022 and assigned a CVSS score of **7.8 (High)**. The exploit fires when a victim opens a specially crafted Microsoft Office document - no macros required. The document fetches an HTML payload from an attacker-controlled HTTP server, which invokes the `ms-msdt:` URI protocol handler and passes arbitrary commands to the system through the `PCWDiagnostic` argument.

---

## ๐Ÿ—‚๏ธ Repository Structure

```
SourceCode.zip/
├── PoC.py                                  # Main exploit script
├── patch.py                                # Mitigation patch script
├── Invoice_FS-2026-8821_OVERDUE.docx       # Generated malicious Word document
└── doc/                                    # Internal XML files extracted from the docx
    ├── word/
    │   ├── document.xml                    # Main document body
    │   └── _rels/
    │       └── document.xml.rels           # External OLE reference pointing to attacker server
    └── [Content_Types].xml
```

---

## 🚀 How It Works

### Phase 1 - Social Engineering Delivery

The lure is a phishing email impersonating a billing platform called FinanceSync, claiming an invoice is overdue. The attachment is a **password-protected zip archive** (`Invoice.zip`) containing the malicious Word document. An encrypted archive gets past most email gateway scanners because the scanner cannot inspect the encrypted contents.

### Phase 2 - Exploit Chain

* **PoC.py** generates `Invoice_FS-2026-8821_OVERDUE.docx` and starts an HTTP server on port 8000
* The document contains an external OLE reference in `word/_rels/document.xml.rels` pointing to `http://:8000/index.html`
* When the victim opens the document, **Word automatically fetches the HTML payload** - no user prompt, no macros
* The HTML payload contains a **JavaScript date check** against a hardcoded trigger date (`2026-03-25`). If the date condition is not met, nothing executes
* Once the condition passes, the `ms-msdt:` URI is fired with a `PCWDiagnostic` argument containing a **cmd.exe command**
* The process chain `WINWORD.EXE → msdt.exe → cmd.exe` executes and writes `sys_cache.dat` to `C:\Users\Public\` as proof of compromise
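The external OLE relationship in `word/_rels/document.xml.rels` is the artefact an analyst can find without ever opening the file in Word. The following is an added example, not code from this repository: it unzips a `.docx`, reads every relationship file and reports OLE relationships that resolve to an `http(s)` URL at open time, plus any package member carrying the `ms-msdt:` string. The sample package it builds is constructed here to mirror the PoC's layout, and `192.0.2.10` is a documentation address standing in for the attacker host.

```python
"""Static triage of a .docx for the external OLE reference Follina relies on.

Added example, not code from the repository: it never opens the file in Word;
it unzips the package and reads the relationship files directly.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data: bytes) -> dict:
    """Return {'external_ole': [(rels_file, url), ...], 'msdt_uri': [member, ...]}."""
    findings = {"external_ole": [], "msdt_uri": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            # Any member carrying the protocol handler string (some variants inline it)
            if re.search(rb"ms-msdt:", blob, re.IGNORECASE):
                findings["msdt_uri"].append(name)
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(blob).iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                # An OLE object that Word resolves over the network when the file opens
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    findings["external_ole"].append((name, target))
    return findings


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal package mirroring the PoC's layout (sample data only)."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the attacker host
    print(scan_docx(build_sample_docx("http://192.0.2.10:8000/index.html")))
```

Run it against a real suspect document with `scan_docx(open(path, "rb").read())`; a non-empty `external_ole` list is the indicator to escalate on.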

### Phase 3 - Patch

**patch.py** removes the `ms-msdt` URI protocol handler from the Windows registry, breaking the exploit chain at the URI resolution stage before any attacker-controlled arguments can reach MSDT.

---

## โš™๏ธ Usage

### Prerequisites

**Attacker machine (Kali Linux)**
* Python 3

**Victim machine (Windows 10)**
* Microsoft Office installed (unpatched build)
* `ms-msdt` registry key present under `HKEY_CLASSES_ROOT`
* System date set to `2026-03-25` or later

### Running the PoC

```bash
# On the attacker machine
python3 PoC.py
```

The script generates the Word document and starts the HTTP server. Transfer the document to the victim VM and open it. The attacker terminal will log the incoming request from Word.

### Running the Patch

The patch script must be run as **Administrator** on the Windows victim VM.

```bash
# Check current status
python patch.py --status

# Apply the patch (removes ms-msdt registry key)
python patch.py --apply

# Roll back to vulnerable state (for re-testing)
python patch.py --rollback
```

---

## 🔬 Vulnerability Details

| Field | Detail |
|---|---|
| CVE ID | CVE-2022-30190 |
| Common Name | Follina |
| CVSS Score | 7.8 (High) |
| CVSS Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Component | Microsoft Support Diagnostic Tool (MSDT) |
| Affected Versions | Windows 7 - 11 / Server 2008 R2 - 2022 |
| Disclosed | 30 May 2022 |
| Official Patch | KB5014697 (June 2022 Patch Tuesday) |

---

## ๐Ÿ›ก๏ธ Patch Effectiveness

| Test | Pre-Patch | Post-Patch |
|---|---|---|
| ms-msdt registry key present | Yes (VULNERABLE) | No (MITIGATED) |
| HTTP request made by Word | Yes | Yes (unchanged) |
| msdt.exe launched | Yes | No |
| cmd.exe launched | Yes | No |
| sys_cache.dat created | Yes | No |
| Exploit successful | Yes | No |
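The `msdt.exe launched` and `cmd.exe launched` rows are the observables the chain leaves on the endpoint, which is what a detection rule should key on. As an added example, not part of the repository, the following runs over constructed Sysmon-style process-creation events (pid, parent pid, image path) and flags any `msdt.exe` whose parent is an Office application, together with every process beneath it; an `msdt.exe` started from Explorer is left alone so the check does not fire on ordinary troubleshooter use.

```python
"""Detect the WINWORD.EXE -> msdt.exe -> cmd.exe chain in process-creation events.

Added example, not code from the repository. Events are constructed samples in
the shape of Sysmon Event ID 1 fields; pid 812 stands for explorer.exe and is
deliberately absent so the lineage walk stops there.
"""
import ntpath

SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 5008, "ppid": 4120, "image": r"C:\Windows\System32\msdt.exe"},
    {"pid": 5044, "ppid": 5008, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 6000, "ppid": 812, "image": r"C:\Windows\System32\msdt.exe"},      # benign: launched from the shell
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\sdiagnhost.exe"},
]

# Office hosts that can trigger the ms-msdt handler via a fetched payload
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def lineage(events, pid):
    """Image basenames from the process up to the oldest ancestor in the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain  # child first, e.g. ['cmd.exe', 'msdt.exe', 'winword.exe']


def detect_follina_chain(events):
    """Return one alert per process that has msdt.exe directly under an Office app in its ancestry."""
    alerts = []
    for event in events:
        chain = lineage(events, event["pid"])
        for i in range(len(chain) - 1):
            if chain[i] == "msdt.exe" and chain[i + 1] in OFFICE_APPS:
                alerts.append({"pid": event["pid"], "chain": " -> ".join(reversed(chain))})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_follina_chain(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['chain']}")
```

After the registry patch the `msdt.exe` event never appears, so the same rule doubles as a regression check for the table above.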

---

## 🧠 Lab Environment

| Machine | Role | IP Address |
|---|---|---|
| Kali Linux VM | Attacker - runs PoC.py | 192.168.56.10 |
| Windows 10 VM | Victim - opens the document | 192.168.56.20 |

Both VMs were connected via a **VirtualBox Host-Only network** with no internet access.

---