korang

## shellcode_exec_workerfactory.c
#include <Windows.h>
#include <stdio.h>


#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define WORKER_FACTORY_FULL_ACCESS 0xf00ff

typedef struct _UNICODE_STRING {

## ms-msdt.MD

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                korang
                / ms-msdt.MD
            
            
              Created
              May 30, 2022 17:09
                — forked from tothi/ms-msdt.MD
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
	#include <Windows.h>
	#include <stdio.h>


	#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
	#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

	#define WORKER_FACTORY_FULL_ACCESS 0xf00ff

	typedef struct _UNICODE_STRING {