Bennet Ranft bennetrr

## ms-msdt.MD

      
              1 file
            
          
              56 forks
            
          
              24 comments
            
          
              154 stars
            
          
                tothi
                / ms-msdt.MD
            
            
              Last active
              April 18, 2024 02:22
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## tunejack.sh
#!/bin/bash

# tunejack.sh uses the TuneIn public API (at opml.radiotime.com) to search for
# a radio station, print out its details and try to play it somehow.

if [ "$#" -eq 0 ]; then
	echo "$0: search for a radio station using the TuneIn API"
	echo "Usage: $0 PATTERN"
	exit 1
fi
	#!/bin/bash

	# tunejack.sh uses the TuneIn public API (at opml.radiotime.com) to search for
	# a radio station, print out its details and try to play it somehow.

	if [ "$#" -eq 0 ]; then
	echo "$0: search for a radio station using the TuneIn API"
	echo "Usage: $0 PATTERN"
	exit 1
	fi