Dustin Van Tate Testa dvtate

## ms-msdt.MD

      
              1 file
            
          
              56 forks
            
          
              24 comments
            
          
              154 stars
            
          
                tothi
                / ms-msdt.MD
            
            
              Last active
              April 18, 2024 02:22
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## pcbooter.s
; vi:ft=nasm

cpu 8086
org 0x0

	jmp start
	rulz db 'seg rulz ok ',0

start:	cli ; disable interrupts because lolbugs
	mov ax,0x7c0 ; BIOS loads code at 0000:7C00

## rotate.py
def fast_rot(width, height, raster):
    for j in range(0, width):
        for k in range(0, height):
            to = width * height - (height * j + k + 1)
            i = (width - j - 1) + width * k
            if i != to:
                while i > to:
                    i = width * (height - (i % height) - 1) + ((i - (i % height)) / height)
                buffer = raster[int(i)]
                raster[int(i)] = raster[int(to)]

## nonsense.v
(* mostly cribbing from https://golem.ph.utexas.edu/category/2021/02/native_type_theory.html and nlab *)
(*
A topos has has finite limits, is cartesian closed, and has a subobject classifier. I guess ? *)

(* FIXME cleanup notation levels *)
Inductive object : Set :=
| terminal
| tuple (_ : object) (_: object)
| fn (_ : object) (_: object)

## somethinglikebidi.v
Section s1.
Variable v : Set.

Inductive term : Set :=
| var : v -> term -> term
| typ : term
| set : term
| app : term -> term -> term
| all_ : term -> (v -> term) -> term
| lam_ : term -> (v -> term) -> term

## executionplan.v
Inductive expr : Set :=
| lit : nat -> expr
| add : expr -> expr -> expr.

(* Define the type of big step semantics *)
Inductive big : expr -> nat -> Prop :=
| big_lit : forall x, big (lit x) x
| big_add : forall x y a b, big x a -> big y b -> big (add x y) (a + b).

(* A step maps a state to a state *)

## hoas.makam
%open syntax.

%extend kz.

obj : type.
terminal : obj.
fn : obj -> obj -> obj.
tuple : obj -> obj -> obj.

typ : type.

## kappa.makam
%open syntax.

expr : type.

id : expr.
compose : expr -> expr -> expr.

bang : expr.

v : (_ : string) -> expr.

## sequents.pro

:- use_module(library(clpfd)).
:- use_module(library(dcg/basics)).

:- op(1150, xfy, user:(———————————————————————————————————)).
:- op(980, xfy, user:(~~>)).
:- op(980, xfy, user:(~>)).
:- op(980, xfy, user:(*~>)).

:- op(950, xfx, user:(⊨)).

## kappacesk.hs
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE FlexibleInstances #-}
{-# LANGUAGE GADTs #-}
{-# LANGUAGE KindSignatures #-}
{-# LANGUAGE PolyKinds #-}
{-# LANGUAGE QuantifiedConstraints #-}
{-# LANGUAGE RankNTypes #-}
{-# LANGUAGE Strict #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
	; vi:ft=nasm

	cpu 8086
	org 0x0

	jmp start
	rulz db 'seg rulz ok ',0

	start: cli ; disable interrupts because lolbugs
	mov ax,0x7c0 ; BIOS loads code at 0000:7C00
	def fast_rot(width, height, raster):
	for j in range(0, width):
	for k in range(0, height):
	to = width * height - (height * j + k + 1)
	i = (width - j - 1) + width * k
	if i != to:
	while i > to:
	i = width * (height - (i % height) - 1) + ((i - (i % height)) / height)
	buffer = raster[int(i)]
	raster[int(i)] = raster[int(to)]
	(* mostly cribbing from https://golem.ph.utexas.edu/category/2021/02/native_type_theory.html and nlab *)
	(*
	A topos has has finite limits, is cartesian closed, and has a subobject classifier. I guess ? *)

	(* FIXME cleanup notation levels *)
	Inductive object : Set :=
	\| terminal
	\| tuple (_ : object) (_: object)
	\| fn (_ : object) (_: object)
	Section s1.
	Variable v : Set.

	Inductive term : Set :=
	\| var : v -> term -> term
	\| typ : term
	\| set : term
	\| app : term -> term -> term
	\| all_ : term -> (v -> term) -> term
	\| lam_ : term -> (v -> term) -> term
	Inductive expr : Set :=
	\| lit : nat -> expr
	\| add : expr -> expr -> expr.

	(* Define the type of big step semantics *)
	Inductive big : expr -> nat -> Prop :=
	\| big_lit : forall x, big (lit x) x
	\| big_add : forall x y a b, big x a -> big y b -> big (add x y) (a + b).

	(* A step maps a state to a state *)
	%open syntax.

	%extend kz.

	obj : type.
	terminal : obj.
	fn : obj -> obj -> obj.
	tuple : obj -> obj -> obj.

	typ : type.
	%open syntax.

	expr : type.

	id : expr.
	compose : expr -> expr -> expr.

	bang : expr.

	v : (_ : string) -> expr.

	:- use_module(library(clpfd)).
	:- use_module(library(dcg/basics)).

	:- op(1150, xfy, user:(———————————————————————————————————)).
	:- op(980, xfy, user:(~~>)).
	:- op(980, xfy, user:(~>)).
	:- op(980, xfy, user:(*~>)).

	:- op(950, xfx, user:(⊨)).
	{-# LANGUAGE DataKinds #-}
	{-# LANGUAGE FlexibleInstances #-}
	{-# LANGUAGE GADTs #-}
	{-# LANGUAGE KindSignatures #-}
	{-# LANGUAGE PolyKinds #-}
	{-# LANGUAGE QuantifiedConstraints #-}
	{-# LANGUAGE RankNTypes #-}
	{-# LANGUAGE Strict #-}
	{-# LANGUAGE StrictData #-}
	{-# LANGUAGE TypeFamilies #-}