No longer working #18

Open
leoCorso opened this issue Jun 7, 2022 · 9 comments

@leoCorso

leoCorso commented Jun 7, 2022

I think this may have been patched.
DOC opens but no payload.
Tell me if I am wrong here.

@deadendweekend

Same experience in my testing. I tried with both Windows 10 21H2 (19044.1706) and Windows 11 21H2 (22000.593), both running "Microsoft 365 Apps for enterprise 16.0.15225.20204".

@Mikusho

Mikusho commented Jun 11, 2022

Still works for me...
Don't forget to turn off Windows Defender or any antivirus app.

@scamwork

@Mikusho does it work when you only launch exploit.html from a browser? It opens MSDT but with a passkey prompt, and nothing happens for me. Do you have an idea about this? I just launch the script, go to the link, and execute the payload directly or from the Word document, but either nothing happens or it demands a passkey...
Do you have a path?
Thank you,
Regards

@Mikusho

Mikusho commented Jun 12, 2022

@SamuelGaudemer no, you can't run it directly from a browser. You need to run it with the malDoc; that's how this exploit works. If you open the malDoc and nothing happens, maybe your malDoc is not connected to the server you made.

@scamwork

OK, but my maldoc is connecting and retrieving exploit.html. I have GET requests coming from the infected PC, but msdt does not open...

@scamwork

OK, problem resolved. I had a bad version of Office. Office Deployment Tool version 2019 works perfectly!

@inchumi

inchumi commented Jun 15, 2022

It only opens the browser (IE) and shows the payload in the search bar: "ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenuIT_BrowseForFile=/../../$(calc)/.exe"" (open cal.exe)
What am I doing wrong?

image
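A defender's view of the command line quoted in the comment above, as an added example that is not part of the original thread or of the PoC project: a triage function that scores process-creation records for the `ms-msdt:` pattern. The record layout, the Office parent list and all sample events except the string quoted from the comment are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed set of Office parent images; extend for your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_RE = re.compile(r'(^|[\\/\s"])msdt(\.exe)?\b|ms-msdt:', re.I)
# A "$(" subexpression or "../" traversal inside the IT_BrowseForFile value.
SUBEXPR_RE = re.compile(r'IT_BrowseForFile=[^"]*\$\(', re.I)
TRAVERSAL_RE = re.compile(r'IT_BrowseForFile=[^"]*\.\./', re.I)

# Constructed (parent image, command line) records. The first argument string
# is the one quoted in the comment above; the rest are made up for the example.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param '
     '"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenuIT_BrowseForFile=/../../$(calc)/.exe"'),
    ("explorer.exe", "msdt.exe /id PCWDiagnostic"),
    ("WINWORD.EXE", "msdt.exe ms-msdt:/id%20PCWDiagnostic%20/param%20"
     "%22IT_BrowseForFile=/../../$(calc)/.exe%22"),
    ("svchost.exe", r"notepad.exe C:\Users\a\notes.txt"),
    ("EXCEL.EXE", "msdt.exe /id NetworkDiagnosticsWeb"),
]

def score_event(parent, cmdline):
    """Return the reasons a record resembles the ms-msdt abuse (empty if none)."""
    cmd = unquote(cmdline)  # normalise percent-encoded URL forms first
    if not MSDT_RE.search(cmd):
        return []
    reasons = []
    if "pcwdiagnostic" in cmd.lower() and SUBEXPR_RE.search(cmd):
        reasons.append("subexpression in IT_BrowseForFile")
    if TRAVERSAL_RE.search(cmd):
        reasons.append("path traversal in IT_BrowseForFile")
    if parent.lower() in OFFICE_PARENTS:
        reasons.append("msdt spawned by Office")
    return reasons

def triage(events):
    """Return indices of events with at least one reason, for analyst review."""
    return [i for i, (p, c) in enumerate(events) if score_event(p, c)]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(*SAMPLE_EVENTS[i]))
```

The Office-parent reason alone is a low-confidence hit; the two `IT_BrowseForFile` reasons are the ones tied to the argument string shown in the thread.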

@Pwn20wn

Pwn20wn commented Jun 18, 2022

I was able to get the script running on a Windows 2019 Server in AWS. I used the Google Chrome browser to download the attachments from an EC2 hosting the payloads with Microsoft Defender turned off. Below is a screenshot of it working.
follina_aws

@XecurBit

Hello,
I was trying John's PoC, but MSDT is asking for a passkey. Is there any way I can bypass this passkey? I am using Windows 10 21H2, build 19044.3086, and Office 2016.

Is there any specific OS and Office that I can use? Your help will be highly appreciated.

Thanks
