Aan aancw

Working from home
View GitHub Profile
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
jinschoi /
Last active May 18, 2024 13:42
Python script to generate Flipper RAW .sub files from OOK bitstreams
#!/usr/bin/env python3
from typing import Iterable, Union, Any
# freq: frequency in Hz
# zerolen: length of space bit in μs
# onelen: length of mark bit in μs
# repeats: number of times to repeat sequence
# pause: time to wait in μs between sequences
# bits: string of ones and zeros to represent sequence
jordanwiseman / obsidian-web-clipper.js
Last active February 24, 2023 11:46 — forked from kepano/obsidian-web-clipper.js
Obsidian Web Clipper Bookmarklet to save articles and pages from the web (for Safari, Chrome, Firefox, and mobile browsers)
javascript: Promise.all([import(''), import(''), ]).then(async ([{
default: Turndown
}, {
default: Readability
}]) => {
/* Optional vault name */
const vault = "";
/* Optional folder name such as "Clippings/" */
Check angular version from browser
1. From Browser console:
Newer angular version:
>> getAllAngularRootElements()[0].attributes["ng-version"];
jackullrich / mainc.c
Last active November 3, 2023 17:20
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
nurpabuccu /
Created June 4, 2021 14:44
Cerberus payload base64+rc4 decrypt
# This script can be used for malware samples that used Base64+RC4.
# python3 <key> <base64-ciphertext>
import codecs
import base64
import sys
key = sys.argv[1]
c = base64.b64decode(sys.argv[2])
def KSA(key):
xpn / dotnet_etw.c
Created March 16, 2020 19:25
A demo of how to collect information on basic .NET events from ETW.
#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
ahhh / msfconsole.rc
Created February 25, 2020 09:02
example msfconsole.rc from red team planning book
spool /root/.msf4/spool.log
setg ConsoleLogging true
setg verbose true
setg LogLevel 5
setg SessionLogging true
setg TimestampOutput true
setg PromptTimeFormat %Y%m%d.%H%M%S%z
setg PROMPT %T S:%S J:%J
setg ExitOnSession false
setg DisableCourtesyShell true
import binascii
import pefile
import subprocess
import sys
import os
ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))