Discover gists

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

	1a:0d:78:24:96:30:e4:91:ee:1c:48:b6:1c:ca:c2:c7	455170
	d8:0e:4d:d3:d7:00:d7:aa:8f:69:9f:ec:af:90:b3:16	132730
	2f:1c:34:c9:4c:56:12:6c:ce:f2:10:ee:0f:3e:41:fe	44924
	6d:d5:3a:e0:17:75:7a:61:8f:85:c0:fc:b2:59:69:db	38746
	8b:75:88:08:41:78:11:5b:49:68:11:42:64:12:6d:49	31444
	78:e3:c6:d0:2d:4c:f8:3e:87:8c:bf:34:d6:72:6f:46	20839
	c4:7a:4e:5c:36:d0:12:42:1b:3f:2d:96:28:ec:4e:5d	17815
	3e:75:5f:41:69:d1:67:42:5e:d1:03:db:c8:04:90:84	17149
	e5:f0:4b:35:d1:61:e4:c1:4d:6c:76:41:30:fb:53:ff	16576
	18:f1:bf:c6:bd:54:0c:d6:8d:5c:d8:88:9a:76:81:24	15983

FOREWORDS

I don't mean the snippet at the bottom of this gist to be a generic plug-n-play solution to your search needs. It is very likely to not work for you or even break things, and it certainly is not as extensively tested and genericised as your regular third-party plugin.

My goal, here and in most of my posts, is to show how Vim's features can be leveraged to build your own high-level, low-maintenance, workflows without systematically jumping on the plugins bandwagon or twisting Vim's arm.

Instant grep + quickfix

Overview

This is a solution of a common problem with Nexus Docker repositories. The administrator has to expose port for "pull", another port for "push", other ports for each hosted repository. This solution is about leveraging Nginx reverse proxy to avoid using these ports.

How it works ?

Given :

Nexus hostname is "nexus.example.com"
Nexus web port is 8081

	#!/bin/bash
	# The following commands should install openvpn3 successfully on Kali Linux as of 2023-10-11
	# Please check libssl1.1 version is newest at https://packages.debian.org/bullseye/amd64/libssl1.1
	# PM me if broken and I will update

	# Thanks to the following for bug reports / additions
	# asingh-lp, Pyr0technicien

	# update packages
	sudo apt update

	<script>
	// For a HighLevel webpage (funnel or website) that is meant to be a dedicated chatting area.
	// Copy all of this and paste into your custom code, such as in the Footer Tracking area.
	// This snippet: https://gist.github.com/cliffordp/1428be81a842d5b93c793d2d5b967007
	// Source demo: https://10xmarketing.ai/10x-chatbot-widget
	function openChatWidget() {
	// Check if Chat Widget exists.
	if (window.leadConnector && window.leadConnector.chatWidget) {
	// If it exists, open it.
	window.leadConnector.chatWidget.openWidget();

	export type PusherEvents = {
	// 'channel.id';
	channel: {
	FollowersUpdated: {
	followersCount: string \| number
	channel_id: number
	username: unknown
	created_at: number
	followed: boolean
	}

	You appear to be advocating a new:
	[ ] functional [x] imperative [ ] object-oriented [x] procedural [ ] stack-based
	[ ] "multi-paradigm" [ ] lazy [x] eager [x] statically-typed [ ] dynamically-typed
	[ ] pure [x] impure [ ] non-hygienic [ ] visual [ ] beginner-friendly
	[ ] non-programmer-friendly [ ] completely incomprehensible
	programming language. Your language will not work. Here is why it will not work.

	You appear to believe that:
	[ ] Syntax is what makes programming difficult
	[ ] Garbage collection is free [ ] Computers have infinite memory

	--------------------------------------------- HOW TO USE ---------------------------------------------
	--- This script comes with 2 modes, Pattern Profiles and Variable Recoil.
	--- 1. Pattern Profiles: This mode allows you to set a pattern with a name and specific recoil values.
	--------------------- name: The name of the pattern. This is what you will use to switch between patterns.
	--------------------- stages: The recoil stages contain the recoil values for each stage of the pattern.
	----------------------------- Horizontal: The horizontal recoil value for the stage.
	----------------------------- Vertical: The vertical recoil value for the stage.
	----------------------------- fire_delay: The delay between each shot in the pattern.
	----------------------------- end_after: The amount of time in ms to use the current stage for before moving to the next stage. If not set, or no next stage, the pattern will loop.
	--------------------- <Example>: {name = "test", stages = {{horizontal = 0, vertical = 1, fire_

	#include "stdafx.h"
	#include <sensorsapi.h>
	#include <sensors.h>
	#pragma comment(lib,"sensorsapi.lib")


	int main()
	{
	ISensorManager* sensorManager = 0;
	HRESULT hr = 0;