tothi

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

tothi

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

• LDAP signing not required on Domain Controller (default!)

tothi

#!/usr/bin/env python3
#
# inputs: nmap.xml (nmap scan xml output), subdomains.csv (optional virtualhost info, hostname + ip address csv file)
# output: url listing (useful for tools like EyeWitness)
#
# sample usage: ./nmap-http-url.py nmap.xml subdomains.csv | sort -u | gowitness file -f -
#

description = '''
Generate HTTP URLs from Nmap XML (and optionally additional VirtualHost listing, taken from e.g. subdomain enumeration).

byt3bl33d3r

#! /usr/bin/env python3

'''
    Needs Requests (pip3 install requests)

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)

    
    This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.

dmchell

using System.IO;
using System;

namespace GetNamedPipes
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("[*] Found the following pipes:");

daddycocoaman

##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################


import argparse
import enum

AndrewKvalheim

Personal Mastodon instance

Effective total cost: $3–5/mo

Setup

Decide on an EC2 instance type:

1. At AWS Console → EC2 → Instance Types, filter for ≥1 GB RAM and sort by price.

• t4g.micro is lowest.

rvrsh3ll

using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Net;
using System.IO.Compression;

    public class Payload
    {

rvrsh3ll

using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;

public class Payload
{
    public Payload()

3xpl01tc0d3r

# Command to generate HTA code using GadgetsToJScript
GadgetToJScript.exe -w hta

# Command to generate JS code using GadgetsToJScript
GadgetToJScript.exe -w js

# Command to generate VBS code using GadgetsToJScript
GadgetToJScript.exe -w vbs

# Command to generate VBA code using GadgetsToJScript