Skip to content

Instantly share code, notes, and snippets.

tothi / ms-msdt.MD
Last active Sep 12, 2022
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
View ms-msdt.MD

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
View log4j-keywords
Neo23x0 /
Last active Oct 4, 2022
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
byt3bl33d3r /
Created Dec 10, 2021
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (
#! /usr/bin/env python3
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
honoki /
Last active May 28, 2022
Create new BBRF programs from your private and public HackerOne programs.
# Initiate new BBRF programs from your public and private HackerOne programs
while [ "$next" ]; do
import xml.etree.ElementTree as ET
import urllib
import base64
import math
import sys
import re
# usage: Open Burp, navigate to proxy history, ctrl-a to select all records, right click and "Save Items" as an .xml file.
# python burprequests.xml
# output is saved to wordlist.txt
BlackFan /
Last active Sep 24, 2022
Bootstrap XSS Collection


Bootstrap < 3.4.1 || < 4.3.1

✔️ CSP strict-dynamic bypass

Requires user interaction

Requires $('[data-toggle="tooltip"]').tooltip();

stypr /
Last active Oct 10, 2020
Harekaze CTF 2019 WEB Writeup (Yokosuka Hackers)


Simple JS Jail challenge.

It is run on context, so we have nothing but to play with constructor and console.

1337 === eval(our_input)
tomnomnom / alert.js
Last active Sep 20, 2022
Ways to alert(document.domain)
View alert.js
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
View open_redirect_wordlist.txt