let’s play with a ZERO-DAY vulnerability “follina”

Video Notes:

What I use to learn (the BEST IT training): https://ntck.co/itprotv (30% off FOREVER) *affiliate link

In this video NetworkChuck is going to teach you about a new dangerous Windows Zero-day vulnerability called “follina” and he is even going to show you how to test it out in your own Zero-day lab using VirtualBox!

🧪🧪Links and Walkthrough: https://ntck.co/follinalinks

0:00 ⏩ Intro
1:58 ⏩ How does this attack work?
6:33 ⏩ What happens when you open the file?
9:23 ⏩ Let’s set up our zero day lab!
17:29 ⏩ Time to test the Malware!
20:00 ⏩ Outro

All right. So fingers crossed. Let’s see if this works. This is CVE-2022-30190, AKA Follina. Now I don’t normally do videos like this, but this was just too crazy. What you just saw was a zero-day vulnerability, a hack that has no fix, no patch.
Yeah. It’s kind of crazy. Uh, there’s honestly no patch available right now. And it’s a remote code execution, right? So that’s, hey, the crown jewel. That’s high, critical severity.
Like John said, this vulnerability is brand new, pretty scary, high severity. Like, the hacking research community just became aware of this over the weekend. So we have to look at it, right? In fact, I want you to play with this. I’m gonna walk you through how to set up this vulnerability in your own lab so you can see what this is like, a current zero-day that has no fix. That’s kind of cool. But before we do that, I do wanna talk about how this thing works, because it doesn’t work like you think it might. Now, to do this, I do need some help. So I called in my good buddy and hacking researcher, John Hammond. He graciously shared his time with me, despite being, like, totally sleep deprived from staying up all night with his team to research this thing, this attack, but he had some coffee.
So we’re good. Now, real quick, future Chuck is going to jump in and tell us about our sponsor, ITProTV. So go ahead, future Chuck. ITProTV is what I use to learn and study IT stuff, from Python to Linux to, you guessed it, hacking. So if you’re watching this video and thinking, man, this stuff is really cool, I wanna learn more about this, I wanna dive deeper: ITProTV. They’ve got all the courses, hands-on labs, pretty much everything you need to become a hacker, or pick your poison, whatever you wanna be, network engineer, system admin. And I don’t care if you’re just getting started or you’re more advanced in your career and you wanna learn a new skill, they got you covered. So check ’em out, link below, itpro.tv/networkchuck. If you use the code networkchuck, you’ll get 30% off forever.
So check them out. Now, the scariest thing about this attack is that it’s pretty simple. Let’s say I receive an email, a phishing email, and inside that email is a harmless-looking Word document that, of course, I have to download. But as you may have guessed, this is not any normal Word document. You see, when I open this thing, first, okay, it’s blank, nothing there, but then I get this strange popup, this troubleshooting message. Now remember this thing, it’s the key. We’ll come back to it here in a bit. Now, while this thing is running, something else is happening that I’m not aware of. You see, the hacker, he already has me. At this point, he has a reverse shell to my system. He has control of my system and I have no idea what’s going on. I’m just sitting here, sipping coffee, trying to wake up.
So clearly something happened here, and it had something to do with that Word document and Microsoft Word. But it’s not what you think, because typically in Microsoft Office hacking scenarios, it comes down to macros. Macros are fantastic. They’re scripts that allow you to automate a lot of the tasks in Microsoft Office. And of course, hackers use that to do nefarious things, but by default, in most situations, macros are disabled. And that’s what makes this hack so interesting. Hackers found another way, another path, a path that is still unblocked. It all comes down to this thing right here, the Microsoft Support Diagnostic Tool, or MSDT for short. For some reason, this tool, which is meant to help you troubleshoot issues, when it’s invoked, when it’s run, it allows you to run commands. And when I say you, I mean the attacker, the hacker.
Yes. So Microsoft Word will kind of open or reach out to an external reference, and then that is staged with an HTML payload, which is kind of crazy, to open up, like, a file protocol handler. Uh, and that will just kick off code. Like, you can run PowerShell commands or command prompt commands, uh, and do whatever nefarious stuff a hacker might do.
I’ll dive a bit deeper into how that works here in a moment. But I mean, watch this. Using this amazing script written by John Hammond, which I’ll cover here in a moment, I can do anything, like something simple, like launching calculator, harmless, not scary, or I can do a reverse shell, giving, giving me, the attacker, the hacker, complete control, remote control of the user’s system. And this is just baby stuff. In the hands of a skilled hacker, sky’s the limit: lateral movement to other systems, privilege escalation. You can do pretty much whatever you want.
So when we were exploring the actual malicious payload, uh, they had done some interesting stuff. If we were to go ahead and decode that base64, uh, that we would’ve seen in that payload, they opened the command prompt, cmd.exe, and they kill any previous MSDT invocations, probably just to, hey, let this thing run cleanly. Alongside that, they move into just, hey, a public user’s directory and loop through what is probably a RAR file, like a zip archive or any compressed file, that, uh, I’m assuming, we can presume is where and how this original document got on the machine. But included in that RAR file is a CAB file, and that’s a cabinet file for some Microsoft, uh, storage stuff. Uh, but ultimately they have this strange rgb.exe, or more malware, their final stage here, that would be even more malicious. Maybe that’s a remote access trojan, maybe that’s, hey, a cryptocurrency miner, maybe that’s ransomware. Truthfully, we don’t quite know yet.
Now, how do researchers even know about this vulnerability? Because they found this document, this Word doc, that’s doing some crazy, weird things. This is the, the bomb, as, uh, John Hammond would say.
Python script, this build script that I’m kind of showcasing, is more just for the convenience of making the detonator, so to speak. Mm-hmm, uh, all that would’ve been found on the victim or the target is the document. Um, and then the commands that would’ve run following it.
What we don’t have is the detonator, the actual hacking malicious software that is creating this Word document and sitting on the side, doing nefarious things. And that’s where hacking researchers like John Hammond come into play. They’re so smart. They’re basically wizards. And they’re able to look at things like this, the Word document, the bomb, and they can recreate the detonator, the, the malicious script that can take advantage of this vulnerability. And that’s how we’re able to play with it right now. In fact, here’s John’s script, and it’s just amazing. It’s written in Python and it can take full advantage of this vulnerability. Now, we’re almost there. We’re about to play with it. I know you’re itching, but I do wanna show you a few more things under the hood of how this thing’s, like, working, what’s actually happening when you’re clicking that document. Actually, John’s gonna tell us. Go ahead, John.
So I wanna show you a little bit of behind the scenes as to how the heck this thing works. Uh, we’ll go ahead and open up the Python script. Way, way down at the bottom, I kind of chat about in the comments here what this is all doing. Uh, I take an original Microsoft Word skeleton, like what we knew was, oh, the malicious payload, and then I sort of massage it and rework it into the code that we wanna run. Uh, it tracks down, okay, this is where we’re going to end up placing our actual server to call back to, mm-hmm, and just plop it into an external location. We build out the Office file after we recreate it, and we slap in some strange-looking code. But I want to go ahead and grab this whole thing here.
So this looks fun. A lot, lot of stuff going on here.
So bear with me. I know this looks pretty wild, but if you kind of press the I-believe button, I’ll walk through some of the points here. Uh, we end up changing, in this HTML file, kind of the location of our address bar, like, hey, at the very top of the web browser. If you were invoking this thing, naturally, you tell it, rather than an HTTP schema, like a URL, right, or a website, right? You say, I want to go to this weird ms-msdt: rather than http:. And for some reason we can pass that arguments and parameters, and we can tell it to do stuff like browse for a file that just happens to have some spooky, scary PowerShell syntax in here that’ll take a base64 payload and then decode it, and it’ll just run it. It’ll blindly go ahead and allow that code to execute. It uses some weird obfuscations in here that we don’t need to dive into, right. Uh, but our payload is something that we can go ahead and kick off.
Now, I’m not going any deeper on this here in this video, because honestly, I’m anxious to show you how to play with this. I’m gonna do it, like, right now. But if you do want a deeper dive and kind of a timeline on how this thing’s being discovered and, and what we’re still learning about it, because you, you should want to know that, go check out John Hammond’s YouTube channel. In fact, he just released a video on how this thing was discovered and how it’s working, kind of a deeper mechanical look at it. And also he has this fantastic article that details a lot of what happened. And that article is constantly growing and being updated. And again, a massive shout out to John Hammond for jumping on this call with me, despite being super, super tired, and a shout out to all the hacking researchers out there that are helping us discover and learn what this thing is, and ultimately helping keep everyone safe.
So anyways, now we’re gonna jump over to an over-caffeinated, Hawaiian-shirt Chuck, who’s going to manically show you how to set this up in your own lab and play with a zero-day vulnerability, which I think, that’s pretty cool. Anyways, go ahead. So here’s what you need to do this, and it’s completely free and completely fun. First, you will need a hypervisor like VirtualBox, which is what I’m gonna be using. It’s free. Go ahead and download it right now. And then you’ll need two things: a Kali Linux box, or really any Linux box that can install Python or run Python, and then the machine you’re attacking, which will be Windows. I’m going to be demoing the latest and greatest, Windows 11. And on that Windows 11 box we’ll also install Microsoft Office. Again, no license keys, no fees. We can do this all for free right now. Did that rhyme?
I’m gonna go with it. Sip of coffee for rhyming. Now again, your first stop is to go out and download VirtualBox from virtualbox.org. Download that sucker, install it. VirtualBox will allow you to create virtual machines right here on the computer you are using. Now, I’m not gonna go through all the details of setting up VirtualBox and making sure it runs well. I do have a video right around here somewhere that already covers that. So if you hit a roadblock while you’re doing this, check out that video. I probably address your issue. And while you’re getting VirtualBox installed, we’re gonna go ahead and download Kali Linux and Windows 11, all links below. And for me, I’m gonna download the VirtualBox 64-bit OVA by clicking that button right there. And then we’ll also download the Windows 11 development environment, and we’ll download it for VirtualBox. A fair warning:
this thing’s pretty beefy, 18 and a half gigs. If that’s too much for you, you can download the Windows 11 ISO from Windows and just install it that way. This is by far the easiest way, though. Now, once you’ve waited three years for everything to download and you’ve had a little bit of coffee, we can create our virtual machines, our hacking environment, here in VirtualBox. And it’s actually pretty simple. First, we’ll click on Import right here at the top. We’ll locate our OVA by clicking on the folder icon. Click on that and then go to that download for Kali Linux. Mine is right here. Click on that, open it. Feel free to adjust your settings, like I’ll rename mine, and then click on Import. And yes, I agree. Go, go, go, go. Give it a minute, two minutes. Make up your mind and take a quick coffee break.
And once the import finishes, we’ll go ahead and do it one more time. Let’s import Windows. Click on Import at the top. Let’s go find that Windows file we downloaded, the Windows OVA. Here’s mine right here. And again, feel free to change some information here and click on Import. Import. Why did I do emphasis like that? Import. There we go. That might take a minute, but once it’s done, let’s go ahead and boot up Kali. Click on that sucker. Start it. We’ll get logged in with kali, kali. Kali, Kali. Excellent. And then we’ll go ahead and boot up our Windows 11 box. Go ahead and start that sucker. And we are in. Now, we’re almost ready to hack, but now we have to install Microsoft Office on our Windows 11 box. Very simple, very easy. Check this out. Go ahead and fire up the web browser in Microsoft Windows 11.
I don’t know why I said Microsoft before that. And, link below, we’re gonna navigate out to... actually, I can’t copy and paste. I’m gonna enable that real quick: Settings, Advanced, Bidirectional, drag and drop enabled. Now I can paste. There we go. We’re gonna download the Office Deployment Tool from Microsoft. Gonna click on this right here, and then we’ll execute that sucker when it’s done. Now, I feel like I have to say this. Yes, we’re doing this in a virtual environment, boxes that I don’t mind destroying. You should do that too. Don’t do this on live environments that you need, or your family or friends’. Don’t do that to them. Anyways, Continue, blah, blah, blah. Accept all things blindly. I’ll put it in my user folder, click Okay, and done. Then one more thing. We’re gonna launch our command prompt, cmd, and making sure we’re in our user folder, which we should be by default, we’ll type in setup.exe /configuration.
And we’ll specify this configuration file. Let me go find it real quick. Yours should be the same as mine, so you can just copy and paste what I do here. It’ll be configuration-Office2021Enterprise.xml, easier for me to say, and that’s it. Hit enter and it will install Office for you right now. Oh wait, no, it’s supposed to be configure, not configuration. So fix that real quick and then run it. There we go. See, mistakes happen. Coffee break for mistakes. Hit Yes. And it’s getting things ready. Again, take a little coffee break. It’ll take just a moment. And actually, while that’s doing that, let’s go ahead and go over here to our Linux box, Kali Linux. Go ahead and launch a terminal, our favorite place. The first thing we have to do is download John Hammond’s amazing, uh, program that he wrote, reverse-engineered from that malware.
It’s right here. We’re gonna type in git clone and we’ll paste that sucker, paste the link to that, and hit enter. Git is cloning. It cloned. Hit ls. There it is right there, msdt-follina. Let’s jump into that directory real quick: cd msdt, blah, blah, follina. There we go. We’re in. Type in ls once more and we see all the files. Clear my screen. Now, to make this happen, it’s one simple command. We’re gonna type in python3 and then follina.py, referencing John’s script. When we hit enter, that’s it. Now, if we open up our file explorer, or folder, whatever you wanna call it in Linux, and jump into the msdt-follina folder, we have a new file there, follina.doc. This is the document. This is the document they have to open to get hacked. So over here in Windows, let’s see if we can do this real quick.
We may not be able to. I’ll open up Finder, go to my desktop. And I’ll drag... see if I can drag this file over there. Follina, come on over. Oop. VirtualBox is not like that. No worries. We can do a quick Python web server to copy that over. Watch this. Open up another terminal. First let’s figure out what our IP address is: ip address. 10.0.2.15. Remember that. I’ll set up a quick web server. We’ll jump into our msdt directory once more, cd msdt-follina. Make sure you do this. Don’t skip it. And then we’ll launch our Python web server from this directory: python -m, and then http, dash, or not dash, dot, server. And then we’ll specify port 8080. Bam, Python web server running. Now we’re here in Windows. So we’re gonna launch our web browser and we’re gonna navigate out to that IP address.
10.0.2, what is it again? 15. And we’ll specify port 8080. Now, right now it looks like my VirtualBox machines cannot access each other. We gotta change that real quick. There’s a few ways to do this, but I’m gonna do it this way. First off, we’ll create a new network. Don’t worry, it’s very quick. Go up here to the top. Click on File. My arrow’s covering that, I’m sorry. Go File, Preferences, and then we’ll click on Network, and then we’ll create a new network right here on that plus icon there. We’ll name it whatever you wanna name it. You can keep everything else as default. Click Okay, and Okay. And then we’ll change our virtual machines to actually use that network we created. So we’ll jump into our Windows machine real quick, click on Settings, go to Network, and we’ll change the Attached to right here from NAT to NAT Network, and we’ll change it to our new one.
We created. Hacking fun is what I named mine. And then under Advanced, we’ll change the Promiscuous Mode from Deny to Allow All and click Okay. Let’s do the exact same thing to our Kali Linux box: Settings, Network, change that to NAT Network, our new network, NAT, Advanced, Promiscuous Mode will be Allow All, and Okay. Now things should be working great. I’ll see what my new IP address is here on my Kali Linux box: 10.0.2.4. Perfect. I’ll go ahead and run that command one more time, python -m http.server 8080, and then I’ll check it over here: 10.0.2.4, port 8080. Bam. I just accessed the web server I created out of thin air. It’s fun. Now, what we’re gonna do here is click on the follina.doc we see right there. Click on that and it will download. Excellent.
Now, at this point, we’re almost ready. Now, my Office installation is complete. Close. We’re good there. I’m gonna close my web browser. In fact, I’ll close everything to get ready for the attack, to see it happen. It’s gonna be awesome. And back on my Kali Linux box, I’m gonna go ahead and stop my web server with Ctrl-C. Cool. And looking back at my other terminal, I still have follina running. Now, let’s launch that Word document over here in Windows. I’ll launch my, uh, Windows Explorer here, go into my downloads folder where I know follina is. There’s follina. Okay, follina, see what you got. Let’s launch that document. Okay, here we go. What’s gonna happen? Now it’s opening in Protected View. Okay, let’s see what happens. I accept the agreement, whatever. Okay, whatever, whatever. Now I know that we do have to enable editing.
You should have that Protected View thing up at the top here, which, I don’t know about you, I always do, when I’m opening up a, a Word document I’m looking at, I’m like, just get outta my way. So Enable Editing. Let’s see what happens. Oh, you know what? Interesting. Interesting, you see what just happened there. It’s trying to contact my server, but it’s using the old IP address. We need a new Word document. So let’s go ahead and stop this. Close everything on Windows. I’m going to delete the existing follina document. See, things happen in real time. We gotta just test things out. I’m gonna go back over here to my Kali Linux box. Now, what happened here was that when I launched my follina script here, it created that Word document to reach back out to this server with the previous IP address, the old IP address. I noticed we did change the network.
So let’s just actually run the script one more time. Do an up arrow, python3 follina.py, and that should recreate the file. And now we have to re-download it. So I’ll launch my terminal once more, jump into our msdt folder, launch my Python web server on port 8080 once more, go over here to my Windows box, and download that file, keeping in mind, this, uh, the situation might be that they’re just receiving an email, a phishing attempt. I’ll go to 10.0, there it is, port 8080, there’s, uh, follina.doc. Download that. There it is, my downloads. Now everything should work. Kali is patiently waiting for this attack to occur. Let’s launch follina. Okay, cool. So far so good. Let’s click on Enable Editing and see what happens. Oh, look at all the stuff happening in Kali. Oh, okay. Interesting.
Here, Windows Defender found it. And I heard about this. Windows detected it as Mesdetty. Now, I’m sure John already has a video on this, and if he doesn’t, he will later. There is a way around that. Windows detected it that way. This is also keeping in mind that this is not the actual malware, the actual virus running. The real one can totally bypass this Mesdetty, Mesdetty, which is actually an older CVE. But anyways, check out John’s stuff for that. But right now, that’s kind of a bummer. I wanted to see it happen. So all we have to do is just disable Windows Defender to, um, appease the lab gods. So let’s just do that real quick, right here. As we’re analyzing our Virus & threat protection, I can go to Manage settings right here and I can turn off Real-time protection. It hates it.
When you do that, whatever, disabling it. Now let’s try it again. And it sends me a little warning, like, dude, why’d you do that? Cuz I want to. I’m dangerous. Now let’s try and launch follina once more. Launch it. Things are happening, dude. Bam. So by default, John’s script will simply launch the calculator app, which is crazy, but John’s script does more than that. Let’s go ahead and close everything. Close it once more. Let’s, um, stop our script from running over here in Kali. If I do python follina.py and I do a space -h for help, we’ll see all the available options we have. With the -c command, you can pretty much run anything you want to. So if I did want to, instead of opening calculator, open Notepad, I can do that: notepad.exe. Run that command.
Notice that I’m changing this in real time. I don’t have to have them re-download it. The file’s already there. Let’s launch it real quick. And it launched Notepad that time. Dude, that is insane. Now let’s do the reverse shell. John had an option for that in his script too. Again, keeping in mind, I know I keep saying this, but we don’t know what the original malware is doing. This is just what John was able to do, I’m sure in, like, an evening, in moments. So I do python, or python3, follina.py. Now I do a -r and I’ll specify a port, 9999. Hit enter. This is actually launching netcat and we’re waiting on a reverse shell. So check this out. Now, when I launch follina, go ahead and launch her, I just got a reverse shell in Kali to that Windows box. Vulnerability.
That’s a zero-day. That’s crazy. And I can do things like type in whoami. Nah, show my... who? No, do it again. whoami. It’s the Windows box, dude. Type in dir. I can move around. Let’s go to, uh, we’ll see the, see, Users, go to the Users folder. Ah, I gotta type it right. I can look at all my stuff here. I mean, the, the options to exploit this, to do some lateral movement or some privilege escalation, I mean, they’re all there. Once you’re in, you’re in. This is insane. This is crazy. Um, I hope you got a chance to try this. Like, yeah, we had to jump through a few hoops, get the environment set up. It wasn’t too bad. It’s all free. And it’s all pretty scary and pretty fun. Let’s be honest, that was fun. Now again, a massive shout out to Mr.
John Hammond for jumping on the, uh, call with me to show me this amazing exploit, to, uh, show me how he re-engineered it. And thank you, John, for doing that. Also, shout out to all the researchers right now who are working, like, tirelessly to figure this thing out and to help us mitigate this. Now, of course, the greatest mitigation for situations like this is don’t open weird stuff. Teach your users not to open up weird emails or to download weird documents. All the best practices that we always, or should always, follow will prevent us from falling for this, this hack. Now, again, to learn more about this, because it’s still evolving, we, we, we’re just now discovering this, to learn more and follow along, check out John Hammond’s YouTube channel, link below. I also have links to some blogs and more research on this particular issue, if you wanna dive deeper. Yeah, that’s about it. Um, let me know what you think. This is my first kind of, like, on-the-ground, first, uh, realization of a, an issue and talking about it. A little stressful to get it out this fast, but I thought it was pretty fun. Let me know if you want me to do more of this. Anyways, that’s all I have today. I’ll catch you guys next time.
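As an added, defender-side example that is not part of the video and not John Hammond’s msdt-follina script: the transcript describes two things you can actually look for, a Word document whose relationships reach out to an external HTML page, and an HTML page that sends the client into the ms-msdt: handler instead of http:. The Python below checks any .docx for the first and a captured page for the second, so it generalizes beyond the lab file. The two sample documents, the 192.0.2.10 address standing in for the lab’s Kali box, and the stand-in HTML are all constructed here for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")
# The scheme the video describes: "ms-msdt:" where a browser would expect "http:".
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return URLs of oleObject relationships Word would fetch from the network.

    A normal document keeps its OLE objects inside the zip (no TargetMode, or
    "Internal"); an External http(s) target is the reach-out to a staged page
    that the transcript describes, and is rare enough to flag on its own.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PATH))
    hits = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        if (rel.get("Type") == OLE_TYPE
                and rel.get("TargetMode") == "External"
                and target.lower().startswith(("http://", "https://"))):
            hits.append(target)
    return hits


def html_invokes_msdt(html_text):
    """True if the staged HTML steers the client into the ms-msdt: handler."""
    return MSDT_SCHEME.search(html_text) is not None


def scan(docx_bytes, staged_html=None):
    """Combine both checks into one verdict dictionary.

    staged_html is the page captured from the external target (taken from a
    proxy log or sandbox capture, never fetched here, so the scan stays offline).
    """
    targets = external_ole_targets(docx_bytes)
    msdt = staged_html is not None and html_invokes_msdt(staged_html)
    return {
        "external_ole_targets": targets,
        "msdt_in_html": msdt,
        "suspicious": bool(targets) or msdt,
    }


def build_docx(rels_xml):
    """Construct a minimal .docx (it is just a zip) around the given rels file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed samples, not real malware: one benign embedded object, and one
# external relationship of the kind the video describes (192.0.2.10 is a
# documentation address standing in for the lab's Kali box).
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" TargetMode="External"
                Target="http://192.0.2.10:8080/stage.html"/>
</Relationships>"""

# Constructed stand-in for the staged page; only the scheme matters to the check.
STAGED_HTML = '<html><script>window.location.href = "MS-MSDT:...";</script></html>'

if __name__ == "__main__":
    print("benign    :", scan(build_docx(BENIGN_RELS)))
    print("suspicious:", scan(build_docx(SUSPICIOUS_RELS), STAGED_HTML))
```

To use it on a real file, pass the document’s bytes to scan(); if you have the staged page, take it from a proxy log or sandbox capture rather than fetching it live. The relationship check alone is the cheap one to run at the mail gateway, since a legitimate .docx almost never carries an external oleObject target.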
