MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
from typing import Iterable, Union, Any | |
# freq: frequency in Hz | |
# zerolen: length of space bit in μs | |
# onelen: length of mark bit in μs | |
# repeats: number of times to repeat sequence | |
# pause: time to wait in μs between sequences | |
# bits: string of ones and zeros to represent sequence |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
javascript: Promise.all([import('https://unpkg.com/turndown@6.0.0?module'), import('https://unpkg.com/@tehshrike/readability@0.2.0'), ]).then(async ([{ | |
default: Turndown | |
}, { | |
default: Readability | |
}]) => { | |
/* Optional vault name */ | |
const vault = ""; | |
/* Optional folder name such as "Clippings/" */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Check angular version from browser | |
1. From Browser console: | |
Newer angular version: | |
— | |
>> getAllAngularRootElements()[0].attributes["ng-version"]; | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo); | |
typedef VOID(__stdcall* Shellcode)(); | |
LPBYTE ShellcodeBuffer; | |
ULONG_PTR PreviousOffset; | |
ULONG_PTR CurrentOffset; | |
ULONGLONG InstructionCount; | |
DWORD dwOld; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This script can be used for malware samples that used Base64+RC4. | |
# python3 rc4_decrypt.py <key> <base64-ciphertext> | |
import codecs | |
import base64 | |
import sys | |
key = sys.argv[1] | |
c = base64.b64decode(sys.argv[2]) | |
def KSA(key): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#define AssemblyDCStart_V1 155 | |
#define MethodLoadVerbose_V1 143 | |
#include <windows.h> | |
#include <stdio.h> | |
#include <wbemidl.h> | |
#include <wmistr.h> | |
#include <evntrace.h> | |
#include <Evntcons.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spool /root/.msf4/spool.log | |
setg ConsoleLogging true | |
setg verbose true | |
setg LogLevel 5 | |
setg SessionLogging true | |
setg TimestampOutput true | |
setg PromptTimeFormat %Y%m%d.%H%M%S%z | |
setg PROMPT %T S:%S J:%J | |
setg ExitOnSession false | |
setg DisableCourtesyShell true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import binascii | |
import pefile | |
import subprocess | |
import sys | |
import os | |
ror = lambda val, r_bits, max_bits: \ | |
((val & (2**max_bits-1)) >> r_bits%max_bits) | \ | |
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1)) |
NewerOlder