MSisfuckedupmanimaginepayingtogetRCEd wrote:Īnd indeed, after further inspection, Cas confirmed that :Īpparently, ( which honestly makes a lot of sense now), when regenerating an RTF file containing a hyperlink to a remote template, an OLE object is generated by Office -Actually, 2 objects are generated, but only one of those two is needed. This issue was raised regarding the RTF generation feature I contributed. This error, which I totally missed as I did not test the POC properly, prompted a person with very creative user handles to raise an issue on GitHub for Cas’s POC.
MP4 TEMPLATE FOR 010 EDITOR WINDOWS
Honestly, the assumption I initially had about this implementation was due to my laziness and wishful thinking that implementing this within Windows would be THAT easy. This was right, as long as the last field – objdata – was loaded with a proper OLE object.
If we take a simple look at how an RTF file can be loaded with a malicious hyperlink, we can apply the method specified in this article regarding CVE -2017-0199. What if I don’t have MS Word? What if I’m lazy? Well, I thought to myself – “How hard could it be automating this?” I opened the RTF file, saw where my payload was saved in plain text, replaced it, and there we go. The problem was that every time I wanted to generate a valid RTF file, I had to first generate a DOCX file and then regenerate an RTF file from within Microsoft Word. This would create a valid RTF file weaponized with the exploit.
MP4 TEMPLATE FOR 010 EDITOR CODE
To generate RTF files containing the exploit, I have used Cas Van Cootens POC code to generate a DOCX file and then create a new copy of the same document just in RTF format. In contrast, the payload does not execute on all Windows versions when loaded from DOCX files. Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190 (Follina) exploit.īecause the payload with RTF files will deliver on (probably) all Windows versions (to the date of writing this report) and can execute by just enabling the preview pane and viewing the RTF document from File Explorer.
0 kommentar(er)
