Skip to content

Instantly share code, notes, and snippets.

View miko550's full-sized avatar

miko550

25 followers · 25 following
View GitHub Profile
@miko550
miko550 / ms-msdt.MD
Created May 30, 2022 16:05 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@miko550
miko550 / detection.yml
Created May 30, 2022 13:22 — forked from kevthehermit/detection.yml
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:
@miko550
miko550 / kernelcallback.cs
Created May 11, 2022 03:07
using System;
using System.Runtime.InteropServices;
using System.Text;
namespace SendMessageKernelCallback
{
/*References:
* 1. https://t0rchwo0d.github.io/windows/Windows-Process-Injection-Technique-KernelCallbackTable/
* 2. https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/
*/
@miko550
miko550 / findhooks.cs
Created May 11, 2022 03:07
Find hooked API's using C#
using System;
using System.Runtime.InteropServices;
/* References
* 1. https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
* 2. https://github.com/Mr-Un1k0d3r/EDRs
*/
namespace SharpHookCheck
{
@miko550
miko550 / DInvokeVanillaPInjection.cs
Created May 11, 2022 03:07
Vanilla Process Injection using D/Invoke with some obfuscation
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
namespace DInvokeSimpleProcessInjection
{
public class Program
@miko550
miko550 / api_hashing.cs
Created May 11, 2022 03:06
Windows API Hashing in C#
using System;
using System.Runtime.InteropServices;
namespace API_Hashing
{
class Program
{
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
@miko550
miko550 / threadcontextinjection.cs
Created May 11, 2022 03:06
Process Injection via Thread Execution Hijacking in C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace ConsoleApp
{
class Program
@miko550
miko550 / EventLogInject.cs
Created May 9, 2022 12:19
POC to inject and extract shellcode from Windows Event Logs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace HiddenEventLogs
{