Want to become a HACKER? ITProTV has you covered: ntck.co/itprotv (30% off FOREVER) *affiliate link 🧪🧪Try it yourself!! (Links, docs, and walkthrough): ntck.co/follinalinks SPECIAL THANKS to John Hammond (go check him out!!) --------------------------------------------------- -TH-cam: th-cam.com/users/JohnHammond010 -Twitter: twitter.com/_JohnHammond -his amazing article on Follina: www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug 🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy **Sponsored by ITProTV 0:00 ⏩ Intro 1:58 ⏩ How does CVE-2022-30190 work?? 6:33 ⏩ What happens when you open the file? 9:23 ⏩ Let’s set up our zero-day vulnerability lab! 17:29 ⏩Time to test the Malware! 20:00 ⏩ Outro
Definitely would like to see more of these type of videos. As a user of the 365 support and recovery tool for troubleshooting tenant issues I’m wondering how vulnerable the program is to being exploited, especially not knowing how superficial endpoint scanning is…
@NetWorkChuck Yes, you should keep doing vids like this. The good thing to this would be your growing along the way AND bringing others with you as they learn these things too!
Hey Chuck , ive actually come across the exact same thing yesterday except it wasnt a word document. It was a whole installation ISO of Windows 11 Pro , which my brother downloaded from the Pirate Bay. it triggered instantly once the installation was completed , and had some more effects to it whereby it damaged hardware so bad that the bios was messed up as well.
An ISO that you use at boot has basically full access to your system, not a good idea to download that from a pirate site without checking it in a VM first at least, msdt is the least of your issues when it comes to that lmao
Thanks for you work I love it. Tested it out and got it working. I wonder if the company I work for would have to worry about this. Sure they have it blocked already but you never know. Company is world wide
34 is not a “weird obfuscation” but just “ required so the Base64 receives payload string and decodes it and executes it, like a normal function call where the argument is a string, in this case, a base64 encoded payload
Man I just can hear you talking for hours 😂 I'm french but I just so easily understand what you say without paying attention. I admire your eloquence buddy 👏😎
Opatch just released an unofficial patch that doesnt disable the MSDT URL protocol handler, and instead sanitizes the user-provided path. It’s free if you register an Opatch account.
I used netcat before to emulate a postscript printer so that I could use an older printer with windows. Windows used it as a network attached postscript printer that linux used netcat to get the file and convert it to pdf then print using a driver available in linux.
Super interesting! I don't know if any solution has been found yet. If anyone is interested , there is properly some workarounds, but the one I know about is to disable 'MSDT URL Protocol'. Always amazing to see which ways hackers are getting into people's systems. Thanks for another great video Chuck!
@@Mainstayjay I just wrote an batch file for doing this, also included a way to back up the registery key that must be "deleted" so i can restore it when this has been patched.
12:18 Saying: "CMD", typing: "mcd"... 13:47 You call the file manager in Kali (I don't know exatly which is installed there...) "Explorer or whatever" and then call the *M$ Windows Explorer* "Finder" (which is the iMac's file manager)... Nice video!
i followed the steps of opening the microsoft word document, it prompts a message upon open the follina document which says "enter the passkey provided by your support professional". any idea?
I have the same thing. The Windows 11 Development environment has a MSDT version patched for this exploit. Seems like we need to create a virual machine from scratch !
Having the same thing. :( I use Windows 10 21H2 64 bit + Microsoft Office 2019 Enterprise (ODT). Do anyone have the right combination of OS and Office version that reproduce the vulnerable environment successfully?
Hey Chuck, really need your help here, I tried and followed the steps exactly but for some reason the microsoft word app in the virtual machine just shows me a white blank window, like you literally see the window outline but you all you see is white. Do you or anyone knows what could possibly be happening? I've also tried using the 2019 version that was extracted from the deployment tool file, it word works but the exploit doesn't. Can anyone help me with this please?
1) Will using an Windows 11 iso image but not for the development environment make any difference because I launched the attack and everything is fine and the word document was communicating with my malicious script on port 8000 and the IP of my linux machine as it was trying to fetch the index.html file but when I wait for the loading to end and try to open the malicious file again nothing happens does that have something to do with the image ? 2) Can you suggest remediation techniques for this CVE ? (other than firewalls, threat detectors, Windows defender, and AVs).
@@axa897That’s true for this one. But there are 0click 0days out in the wild too. Take for example the pegasus spyware that got installed by just your phone receiving a message/gif and you not doing anything with it.
Hello there. I hope I am not intruding on your busy schedule. I was just wondering if you knew whether someone found a fix to this that doesn't involve the removal of the new text file option? I followed the official guide to fix it and I just reversed it back to before the fix because I can't bear having to open notepad to created a text file.
Very interesting video. I've been playing with python for the last 5 or 6 months, but never knew you could make a webserver like that. Great content!!!
![The Hacker who could turn on ANYONE'S Zoom Camera [Zero-Day]](http://i.ytimg.com/vi/mj-FObYH7fQ/mqdefault.jpg)
![The Hacker who could turn on ANYONE'S Zoom Camera [Zero-Day]](/img/tr.png)
Want to become a HACKER? ITProTV has you covered: ntck.co/itprotv (30% off FOREVER) *affiliate link
🧪🧪Try it yourself!! (Links, docs, and walkthrough): ntck.co/follinalinks
SPECIAL THANKS to John Hammond (go check him out!!)
---------------------------------------------------
-TH-cam: th-cam.com/users/JohnHammond010
-Twitter: twitter.com/_JohnHammond
-his amazing article on Follina: www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy
**Sponsored by ITProTV
0:00 ⏩ Intro
1:58 ⏩ How does CVE-2022-30190 work??
6:33 ⏩ What happens when you open the file?
9:23 ⏩ Let’s set up our zero-day vulnerability lab!
17:29 ⏩Time to test the Malware!
20:00 ⏩ Outro
Omg, your hair looks extremely good today. I like the side parting 🙀❤️
Ohh, and a Big thanks for your Videos. I Watched Them *all* ❤️🌹~
could it be that you got the t-shirt for father's day? xD if so, then that was a cool idea of theirs
we follow your work in Brazil 🇧🇷✨ .this encourages me !! thank you brother.
Love the way you talk 🥰
you typed mcd
It was amazing seeing Chuck test a real vunerability, this could be a very interesting series on your channel!
HUGE thanks for letting me come crash the party, NetworkChuck!! Looking forward to all the crazy cool stuff we can do in the future 😎
Ooohhhhh yeaaaaah
hi
I was so scared to 'click' this thread😰
fast video on this hot topic, gj
Hello there !!
Thanks for keeping the “mistakes” in the video. It reinforces the information sooo much better !
Definitely would like to see more of these type of videos. As a user of the 365 support and recovery tool for troubleshooting tenant issues I’m wondering how vulnerable the program is to being exploited, especially not knowing how superficial endpoint scanning is…
Chuck definitely do more stuff like that!!
Will do!
@NetWorkChuck
Yes, you should keep doing vids like this. The good thing to this would be your growing along the way AND bringing others with you as they learn these things too!
12:53 was expecting him to say to take another coffee break lolol
Hey Chuck , ive actually come across the exact same thing yesterday except it wasnt a word document. It was a whole installation ISO of Windows 11 Pro , which my brother downloaded from the Pirate Bay. it triggered instantly once the installation was completed , and had some more effects to it whereby it damaged hardware so bad that the bios was messed up as well.
You mean it ran this diagnostic tool window once installation was finished?
@@AnotherSkyTV yes once instalation was finished , pc rebooted , once signed in diagostic popped up
An ISO that you use at boot has basically full access to your system, not a good idea to download that from a pirate site without checking it in a VM first at least, msdt is the least of your issues when it comes to that lmao
Thanks for you work
I love it. Tested it out and got it working.
I wonder if the company I work for would have to worry about this. Sure they have it blocked already but you never know. Company is world wide
Networkchuck & John Hammond content love to see that! Thank you chuck for the great content
34 is not a “weird obfuscation” but just “ required so the Base64 receives payload string and decodes it and executes it, like a normal function call where the argument is a string, in this case, a base64 encoded payload
its really awesome that this video references what you learn in the Hack the box course.
More of these videos please!
I often wonder if you record your Voice and Video at Normal speed and then speed it up before uploading? If not Kudos to you, pretty amazing.
Always loved the fascinating coding style of Zer0-Day since the mid 90's.
Man I just can hear you talking for hours 😂
I'm french but I just so easily understand what you say without paying attention. I admire your eloquence buddy 👏😎
Everytime I watch one of your videos about Linux I learn something new and want to learn more. Great video.
I'm 12 and learn so much from this channel. Thanks!
Imma send this to my friends and add something saucy to their browser history file lol
TH-camr Dave Plummer posted a registry deletion to prevent the word doc hack. Do you agree? Thanks, enjoyed watching you work at light speed. Cheers
amazing video! Great work!
Defo a cool video, great to see first hand in a really easy flowing way how to create a lab like this.
I just got me AWS and love the Channel and education
Opatch just released an unofficial patch that doesnt disable the MSDT URL protocol handler, and instead sanitizes the user-provided path. It’s free if you register an Opatch account.
MS troubleshooter disabled, checked. Thank you for the video.
Really great video. I loved how you showed troubleshooting and set up that Python web server to share that file. Great content as always.
this content is amazing!! keep it up this way :)
Always make sure to follow instructions correctly, coffee breaks at the correct times are absolutely critical
I used netcat before to emulate a postscript printer so that I could use an older printer with windows. Windows used it as a network attached postscript printer that linux used netcat to get the file and convert it to pdf then print using a driver available in linux.
VERY interesting! Please do more videos like this!
Nice demo Chuck.
John I see you’re still doing your thing.
Subscribed!
Super interesting!
I don't know if any solution has been found yet. If anyone is interested , there is properly some workarounds, but the one I know about is to disable 'MSDT URL Protocol'.
Always amazing to see which ways hackers are getting into people's systems.
Thanks for another great video Chuck!
this is what I did through cmd.
@@Mainstayjay I just wrote an batch file for doing this, also included a way to back up the registery key that must be "deleted" so i can restore it when this has been patched.
@@godsman271 you fancy man you. Very cool!
YES! More of this!
Thanks for your sharing
Marty Robins - El Paso Follina would whirl
this is such a great video! thank you for your work!
Doing a simple wget to the index.html file from a few PowerShell versions also triggers the exploit!
Wow nice video, especially liked the part with the python server, I didn't know you can do this it so cool
As far as i saw and read u are on a safe track if u only open the doc in Save Mode, right?
"once you've waited 3 years for everything to download...."
That Line tho..
12:18 Saying: "CMD", typing: "mcd"...
13:47 You call the file manager in Kali (I don't know exatly which is installed there...) "Explorer or whatever" and then call the *M$ Windows Explorer* "Finder" (which is the iMac's file manager)...
Nice video!
Please tell me the windows exact version affected this and where can I get that to test for my university assignment I must do it 😥😥
Absolutely crazy. Great quality content. And scaaaary exploit.
great video, I love your content, greetings from Mexico
How to download all ms office in HP laptop
What happens if the user clicks "cancel" from the diagnostic tool? or force closes word
Keep up the excellent work folks!
oh yeah this one is freaking crazy
I have a question for you sir, macbook is best for programming/hacking or windows??????
If u are comfortable with windows then stick with it! U just need 16gb ram 1tb hard disk and a decent processor for that!!
linux is best generally, but out of those two mac is better, windows sucks for everything technical
Windows is definitely not a good OS for hacking, but it's the best to get hacked 😂👍
@@KDE666 yes, definitely
Mac kinda sucks, use whatever OS you want for your personal computer and then use a linux VM + windows VM for security testing like this.
Love your beard and love your videos pls keep up your awesome videos coming. Thanks a lot
The way you talked walking through this reminded me of my brain 😂
What the hell! You may like to play with a scorpian to, but I only want to know how to prevent and kill this and keep it off my computer. Thanks.👍🏻
.rtf files don't even have to be opened, just viewed in the explorer
thank you!
awesome work thanks for the quick response!
You watch along and everything looks fine, then shows the ms-msdt: url with arguments skip, force and you instantly realize something is wrong
how do I run multiple commands with it. also, why is reverse shell not working. it was working before but suddenly stopped
i followed the steps of opening the microsoft word document, it prompts a message upon open the follina document which says "enter the passkey provided by your support professional". any idea?
I have the same thing. The Windows 11 Development environment has a MSDT version patched for this exploit. Seems like we need to create a virual machine from scratch !
Having the same thing. :(
I use Windows 10 21H2 64 bit + Microsoft Office 2019 Enterprise (ODT).
Do anyone have the right combination of OS and Office version that reproduce the vulnerable environment successfully?
Hey Chuck, really need your help here, I tried and followed the steps exactly but for some reason the microsoft word app in the virtual machine just shows me a white blank window, like you literally see the window outline but you all you see is white. Do you or anyone knows what could possibly be happening? I've also tried using the 2019 version that was extracted from the deployment tool file, it word works but the exploit doesn't. Can anyone help me with this please?
Thanks for the video.
love the hair down
Basic Security: Admin prevents users from downloading files, or 'opening' files!
Then all company productivity comes grinding to a halt lol
@@buttdog420 in the security business it's called: relationship of security to convenience!
Dang, you showed the real experience. :)
Damn coffee hits hard
What John Hammond!!! Please collab more
I'm interested in using this exploit to rickroll people.
Any help?
Do more videos like this please!!!
Ow thank you and thanks to John 😊
Hey Chuck can you make a full video of gophish please.
Thanks so much...❤!!!
gophish is easy framework, you should create a simple mail server (smtp), it’s not hard. After, you should install gophish and run them.
1) Will using an Windows 11 iso image but not for the development environment make any difference because I launched the attack and everything is fine and the word document was communicating with my malicious script on port 8000 and the IP of my linux machine as it was trying to fetch the index.html file but when I wait for the loading to end and try to open the malicious file again nothing happens does that have something to do with the image ?
2) Can you suggest remediation techniques for this CVE ? (other than firewalls, threat detectors, Windows defender, and AVs).
I can't make it work. When I open the word document nothing happens. :( On my Kali I get a code 501 error.
18:21 Me using Windows every day.
Very helpful lesson
Sir how to find zero day bug
so..if you dont disable windows defender, it still doesnt work, yes?
that windows defender still helps
DO MORE OF THIS !
Currently getting prompted to provide a MSDT passkey, is this a mitigation introduced by Microsoft to prevent the exploit?
Awesome
A Zero Day vulnerability with no fix, that's a bad sign. Though there's a lesson from this.
Easy to mitigate with GPOs in an Enterprise environment.
I thought Windows 11 wouldn't run on Virtualbox because of the TPM requirements.
What to do when you get Options method is not supported
I hope this Video wont be deleted.
Im from Germany and a It-TH-camr here lost a video for litterally nothing
Virtualbox dark mode please
Could we do this outsite the network sir ? if it works outsite , How to do it ?
Yes, but why would we teach you how to hack?
john hammond pogging and me getting rickrolled nice
Is this only in Word or in other Office Products?
Its currently known to affect Office 2013, 2016, 2019, 2021, Office ProPlus and Office 36
Cool Video, more pls
Hey I was wondering what @NetworkChuck uses to draw on screen
Glad to be a mac user lol
Mac is nice really secure some security features of mac would nice in linux
Now i got me more trust issuses
Every school student after watching: Avengers assemble!
plan b just keep using MS office 2007 blue edition LOL
Zero-day vulnerability is scary and should be consider to learn with caution. Thank you for the information and keep it up!
Its not scary do not open any files from email and you 100% safe 🤷😂
Do not open .docx or .doc anymore that's it.
Use a trial vps instead to open if you really need to see what's inside document.
@Hòmè Ďeçoŕè hmmmmmmmmm
@@axa897That’s true for this one. But there are 0click 0days out in the wild too. Take for example the pegasus spyware that got installed by just your phone receiving a message/gif and you not doing anything with it.
As an ethical hacker in making, I really appreciated this video, very informative as always, thanks, Chuck!
Can you please hack my old inactive instagram account?
Hello there. I hope I am not intruding on your busy schedule. I was just wondering if you knew whether someone found a fix to this that doesn't involve the removal of the new text file option? I followed the official guide to fix it and I just reversed it back to before the fix because I can't bear having to open notepad to created a text file.
@@timeismore7239 Hahaha you think that easy?
Very interesting video. I've been playing with python for the last 5 or 6 months, but never knew you could make a webserver like that. Great content!!!
Microsoft be like: it’s not a bug, it’s a feature
Thank you for this video, relateable content as im in the cyber security field. Would definatly be intersted in more content like this.
Super Video Chuck Your videos are awesome And informative