Skip to content

Instantly share code, notes, and snippets.

View chadduffey's full-sized avatar

Chad Duffey chadduffey

41 followers · 20 following
View GitHub Profile
@chadduffey
chadduffey / ms-msdt.MD
Created May 30, 2022 19:53 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@chadduffey
chadduffey / ExploitGuard.md
Last active October 18, 2020 13:43
@chadduffey
chadduffey / windows_hardening.cmd
Created November 6, 2018 04:31 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@chadduffey
chadduffey / msfvenom-reverse-tcp-WaitForSingleObject.md
Created October 3, 2018 02:24 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents: