Michael Hanson mikedhanson
@tothi
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@d4rkeagle65
d4rkeagle65 / dsregcmd.ps1
Created November 21, 2020 18:06
Parse dsregcmd.exe output to powershell name/value pairs.
$dsregcmd = dsregcmd /status | Where-Object { $_ -match ' : ' } | ForEach-Object { $_.Trim() } | ConvertFrom-String -PropertyNames 'Name','Value' -Delimiter ' : '
@vinloo
vinloo / Office 365 update channel manager.bat
Created May 1, 2019 10:57
Change your Office 365 ProPlus update frequency as described here: https://bit.ly/2J80Wk0
@echo OFF
echo.
set m="http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60"
set s="http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114"
set mt="http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be"
set st="http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf"
echo Select one of the following update channels:
echo 1: Monthly Targeted (fastest updates)
@NoCheroot
NoCheroot / splunksearch.ps1
Last active May 5, 2020 18:54
Quick and dirty Splunk search in powershell
# powershell 5.1
$AssemblyBuilder = ([AppDomain]::CurrentDomain).DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('IgnoreCerts')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('IgnoreCerts', $false)
$TypeBuilder = $ModuleBuilder.DefineType('IgnoreCerts', 'AutoLayout, AnsiClass, Class, Public, BeforeFieldInit', [System.Object], [System.Net.ICertificatePolicy])
$TypeBuilder.DefineDefaultConstructor('PrivateScope, Public, HideBySig, SpecialName, RTSpecialName') | Out-Null
$MethodInfo = [System.Net.ICertificatePolicy].GetMethod('CheckValidationResult')
$MethodBuilder = $TypeBuilder.DefineMethod($MethodInfo.Name, 'PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask', $MethodInfo.CallingConvention, $MethodInfo.ReturnType, ([Type[]] ($MethodInfo.GetParameters() | ForEach-Object {$_.ParameterType})))
$ILGen = $MethodBuilder.GetILGenerator()
$ILGen.Emit([Reflection.Emit.Opcodes]::Ldc_I4_1)
# https://gist.github.com/marcinantkiewicz/9ac20677145f246eb01cd1759cb03f35
# Author: Marcin Antkiewicz
# marcin@kajtek.org
# @deciban
# Use:
#find_chrome_extensions -OutputDir "c:\"
#idea ref: https://www.reddit.com/r/PowerShell/comments/5px71w/getting_chrome_extensions/
#PS 2.0 has no convertfrom-json, 2.0 helper from http://stackoverflow.com/questions/28077854/powershell-2-0-convertfrom-json-and-convertto-json-implementation
@halr9000
halr9000 / Export-SplunkSearch.ps1
Created September 18, 2013 04:27
Splunk export search job using PowerShell
# Conversion of http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#search.2Fjobs.2Fexport
# example using curl, to PowerShell with Invoke-RestMethod cmdlet
#
# $ curl -k -u admin:changeme https://localhost:8089/services/search/jobs/export
# --data-urlencode search="search index=_internal | stats count by sourcetype"
# -d output_mode=json -d earliest="rt-5m" -d latest="rt"
$cred = Get-Credential
# This will allow for self-signed SSL certs to work