MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
/* | |
RunPE for x64 - classic RunPE for 64-bit executables | |
Copyright (C) 2020 Valentin-Gabriel Radu | |
This program is free software; you can redistribute it and/or modify | |
it under the terms of the GNU General Public License as published by | |
the Free Software Foundation; either version 2 of the License, or | |
(at your option) any later version. | |
This program is distributed in the hope that it will be useful, |
const simulated_latitude = 48.8534 | |
const simulated_longitude = 2.3488 | |
Java.perform(function(){ | |
const Location = Java.use('android.location.Location') | |
var location = Location.$new("gps") | |
location.setLatitude(simulated_latitude) | |
location.setLongitude(simulated_longitude) |
This is my guide for a successful PCI-Passthrough from Linux (Arch Linux) to QEMU/KVM via virt-manager and libvirtd into a Windows 10 Home guest.
NOTE: This is a guide for Intel only. I do not own an AMD machine, and will not add AMD information this guide until such time that I do, which could be never.
Device Type | Device |
---|---|
CPU | Intel Core i7 7700K Quad-Core, Hyperthreading |
Motherboard | Gigabyte Z270X-Gaming 5 |
Filter | Description | Example |
---|---|---|
allintext | Searches for occurrences of all the keywords given. | allintext:"keyword" |
intext | Searches for the occurrences of keywords all at once or one at a time. | intext:"keyword" |
inurl | Searches for a URL matching one of the keywords. | inurl:"keyword" |
allinurl | Searches for a URL matching all the keywords in the query. | allinurl:"keyword" |
intitle | Searches for occurrences of keywords in title all or one. | intitle:"keyword" |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
Annoyingly, you can't click these links in this gist because github doesnt recognize them as actual valid links. You cant paste it into a browser address bar either, so create a bookmark with the link and then click that!
Opens Minecraft in Edu Mode. This is the real Education Edition!
Link: minecraft:?edu=1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
# New function naming schema: | |
# Verbs: | |
# Get : retrieve full raw data sets | |
# Find : ‘find’ specific data entries in a data set |
{ | |
"cmd": ["vcvars32.bat", "&&", "cl", "/EHsc", "/Za", "${file}"], | |
"file_regex": "^(..[^:]*):([0-9]+):?([0-9]+)?:? (.*)$", | |
"working_dir": "${file_path}", | |
"selector": "source.c, source.cpp, source.c++", | |
// By default cl is not in your PATH, so add it to your path (preferably) | |
// or uncomment "path" and check that it has correct value | |
//"path": "%PATH%;path:/to/folder/where/cl.exe/located", | |
// e.g. "path" : "%PATH%;C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\bin\\", | |
// this also will set path for vcvars32.bat |