Poppin’ shell with MSDT & PowerPoint
I’m assuming that if you clicked, you’ve already heard about CVE-2022-30190. I won’t get into the details of it, but it’s a recent zero-day vulnerability where Remote Code Execution is possible by abusing the Microsoft Support Diagnostic Tool (MSDT) from Office applications. In simple terms: a bad Office doc makes your laptop do bad stuff.
For a good read on the exploit:
⚠️⚠️⚠️
I wrote this to show what I learned while digging deeper into this exploit. I’m certainly no guru and everything I share is meant for educational purposes. Thanks for your understanding ;)
⚠️⚠️⚠️
Popping shells
Although it is pretty scary to see calculators and notepad pop up left and right, that still didn’t do it for me. Even though it’s only been a few days, there are already some amazing projects out there that make this development way easier (I’m looking at you @chvancooten 👀).
While going through this process, keep in mind that I’m on a laptop with Microsoft 365 Apps for enterprise. This means that a regular .docx won’t do the trick and I have to use the .rtf format for the exploit to work.
I used the above-mentioned creator’s project to generate my payloads. I started with a solid baseline of spawning notepad.exe. After confirming my setup was good, I went ahead and started looking for a reverse shell payload. My personal go-to is:
I soon came to realise this was not working. The next step was to base64-encode it and then use the -encodedcommand option to hopefully avoid any issues with special characters. Again, no luck.
I wasn’t ready to give up on my shell and quickly used another implementation. I stored the one-liner in a shell.ps1 file on my Kali and instead went for the following payload:
And well…
Exactly what I wanted! Or was it?
Throwing PowerPoint into the mix
As I mentioned before, if you’re a bit up to date with Office, chances are you’ll only be vulnerable to the .rtf format. And even though I’m sure there exist enough people that will open that kind of document, I still didn’t think it was misleading enough. So what about embedded documents?
I started testing with inserting the .rtf malicious doc into a .docx document. No matter how I linked it, it wasn’t triggering the .rtf if you opened it through the .docx document. I followed with testing the same approach for Excel, with the same results. PowerPoint however, had a bit of a different result.
I inserted the .rtf and a very stealthy, transparent window appeared. I closed the PowerPoint presentation, opened it again and clicked the inserted file.
Boom, a shell! Now this transparent window is way easier to trick someone into clicking on. You can use the inserted .rtf as an overlay for another file or for the whole slide by putting all other elements in the background. Check the following example:
Although I was pretty skeptical about the use of this exploit, I feel like there’s a lot of potential here that is yet to be uncovered. It really took this experiment for me to open my eyes and see how dangerous it can get. FYI, I wasn’t even cheating: an EDR was enabled on my laptop. Kind of scary, isn’t it?
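A detection-side addition that is not part of the original post: the chain described here is an Office application spawning msdt.exe, so the Python check below runs over constructed Sysmon-style process-creation records and flags that parent/child pair, including the POWERPNT.EXE parent from the embedded-file variant above. The field names, install paths, sample command lines and the ms-msdt: marker are assumptions of this example, not values taken from the post.

```python
from dataclasses import dataclass

# Office parents that have no legitimate reason to launch the diagnostic tool.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# URL protocol handler that hands a document-supplied argument to msdt (assumed marker).
MSDT_PROTOCOL = "ms-msdt:"


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].upper()


def is_msdt_abuse(ev: ProcEvent) -> bool:
    """True when msdt.exe (or an ms-msdt: URL) is launched by an Office process."""
    child_is_msdt = basename(ev.image) == "MSDT.EXE" or MSDT_PROTOCOL in ev.command_line.lower()
    return child_is_msdt and basename(ev.parent_image) in OFFICE_PARENTS


def find_msdt_abuse(lines):
    """Return the matching events in input order; blank lines are skipped."""
    return [ev for ev in (parse_event(l) for l in lines if l.strip()) if is_msdt_abuse(ev)]


# Constructed sample records (Sysmon event 1 fields, flattened): two benign, two matching.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msdt.exe|CommandLine=msdt.exe -id [constructed-pack-id]",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\msdt.exe|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param [constructed]",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE|Image=C:\Windows\System32\msdt.exe|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param [constructed]",
]

if __name__ == "__main__":
    for ev in find_msdt_abuse(SAMPLE_EVENTS):
        print(f"ALERT: {basename(ev.parent_image)} -> {basename(ev.image)} :: {ev.command_line}")
```

The explorer.exe-launched msdt.exe is left alone on purpose: the signal is the Office parent, not msdt.exe by itself.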
Anyways if you made it through here, thanks for reading and be careful out there!