y11en y11en

## ms-msdt.MD

      
              1 file
            
          
              56 forks
            
          
              24 comments
            
          
              154 stars
            
          
                tothi
                / ms-msdt.MD
            
            
              Last active
              April 18, 2024 02:22
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## DInjectQueuerAPC.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace DinjectorWithQUserAPC
{


    public class Program

## ida_get_guid.py
import ida_bytes
import binascii

def get_guid(address):

    data1 = ida_bytes.get_dword(address)
    data2 = ida_bytes.get_word(address + 4)
    data3 = ida_bytes.get_word(address + 6)
    data4 = ida_bytes.get_bytes(address + 8, 8)

## ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.

## rpc_dump_rs4.txt
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64

Interfaces :
Endpoints :

## luavm.c
#include <lua.h>
#include <lualib.h>
#include <lauxlib.h>
#include <stdarg.h>
#include <string.h>

#define ERRLOG 1
#define MSGTABLE 2
#define RETOP 2

## WCTF_2018_searchme_exploit.cpp
// WCTF 2018 "searchme" task exploit
//
// Author:    Mateusz "j00ru" Jurczyk
// Date:      6 July 2018
// Tested on: Windows 10 1803 (10.0.17134.165)
//
// See also:  https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>

## fakewebdav.py
import os, binascii
from flask import Flask, Response, abort

def random_etag():
    return "1000-" + binascii.b2a_hex(os.urandom(6))

app = Flask(__name__)
PORT = 80
DLL_ETAG = random_etag()

## pwn.js
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down do "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//

//

## download_pdb_database.py
import os
import re
import sys
import logging
import argparse
import subprocess

import requests
	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Runtime.InteropServices;

	namespace DinjectorWithQUserAPC
	{


	public class Program
	import ida_bytes
	import binascii

	def get_guid(address):

	data1 = ida_bytes.get_dword(address)
	data2 = ida_bytes.get_word(address + 4)
	data3 = ida_bytes.get_word(address + 6)
	data4 = ida_bytes.get_bytes(address + 8, 8)
	filter Expand-DefenderAVSignatureDB {
	<#
	.SYNOPSIS

	Decompresses a Windows Defender AV signature database (.VDM file).

	.DESCRIPTION

	Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
	--------------------------------------------------------------------------------
	<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
	64
	[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
	--------------------------------------------------------------------------------
	<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
	64

	Interfaces :
	Endpoints :
	#include <lua.h>
	#include <lualib.h>
	#include <lauxlib.h>
	#include <stdarg.h>
	#include <string.h>

	#define ERRLOG 1
	#define MSGTABLE 2
	#define RETOP 2
	// WCTF 2018 "searchme" task exploit
	//
	// Author: Mateusz "j00ru" Jurczyk
	// Date: 6 July 2018
	// Tested on: Windows 10 1803 (10.0.17134.165)
	//
	// See also: https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
	#include <Windows.h>
	#include <winternl.h>
	#include <ntstatus.h>
	import os, binascii
	from flask import Flask, Response, abort

	def random_etag():
	return "1000-" + binascii.b2a_hex(os.urandom(6))

	app = Flask(__name__)
	PORT = 80
	DLL_ETAG = random_etag()
	//
	// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
	// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
	//
	// Scroll down do "BEGIN EXPLOIT" to skip the utility functions.
	//
	// Copyright (c) 2018 Samuel Groß
	//

	//
	import os
	import re
	import sys
	import logging
	import argparse
	import subprocess

	import requests