| import requests | |
| import sys | |
| import re | |
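# Browser-like User-Agent header; presumably passed to the requests calls further
# down in the script (not visible in this excerpt).
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}

# Exactly one positional argument (the host to check) is required.
# print() with a single string argument produces the same output on Python 2 and
# Python 3, whereas the original print statement is a SyntaxError on Python 3.
if len(sys.argv) != 2:
    print(" Usage: python pulseversion.py <target ip/domain>")
    sys.exit(1)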
<!-- Explicit ASP.NET machineKey: validationKey and decryptionKey are fixed values
     instead of auto-generated ones. In ASP.NET these keys protect ViewState,
     forms-authentication tickets and similar payloads, so a pair that appears in a
     public listing must be treated as known to everyone. Any deployment still
     configured with this pair should generate fresh per-application keys.
     validation="SHA1" and decryption="3DES" are legacy algorithm choices; ASP.NET
     also accepts HMACSHA256 and AES here. -->
| <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" /> |
| from Crypto.Cipher import AES | |
| from Crypto.Protocol.KDF import PBKDF2 | |
| import sqlite3 | |
| import os | |
| import shutil | |
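def clean(x):
    """Strip PKCS#7-style padding from a decrypted value.

    The last element of ``x`` is read as the pad length and that many trailing
    elements are dropped. Works on Python 2 ``str`` and on Python 3
    ``bytes``/``bytearray``/``str``: indexing Python 3 bytes already yields an
    int, and calling ``ord`` on it (as the original did) raises ``TypeError``.
    Empty input is returned unchanged instead of raising ``IndexError``.

    NOTE(review): the padding is not validated. With a wrong key or corrupted
    ciphertext this returns arbitrary truncated data rather than an error, and
    a final byte of 0 yields an empty result. Do not treat the output as
    authenticated.
    """
    if not x:
        return x
    last = x[-1]
    # bytes/bytearray on Python 3 index to int; str (and Python 2 str) to a 1-char string.
    pad_len = last if isinstance(last, int) else ord(last)
    return x[:-pad_len]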
| # Make a copy of the cookie file |
| import re | |
| import sys | |
| versions = { | |
| 0x00: 'Excel 97', | |
| 0x01: 'Excel 2000', | |
| 0x02: 'Excel 2002', | |
| 0x03: 'Office Excel 2003', | |
| 0x04: 'Office Excel 2007', | |
| 0x06: 'Excel 2010', |
| #!/usr/bin/env python | |
| import os | |
| import sys | |
| import struct | |
| import binascii | |
| from Crypto.Cipher import AES | |
# Fixed AES parameters, each 16 bytes once hex-decoded; presumably used with
# Crypto.Cipher.AES further down in the script (not visible in this excerpt).
# NOTE(review): key and IV are constants in the source, so anything encrypted
# with them is readable by anyone who holds this file. That is obfuscation,
# not confidentiality.
IV, AES_KEY = (
    binascii.a2b_hex(hex_text)
    for hex_text in (
        "0A254C2FE7AE0B7047028D6B4B2E6944",
        "FE4C8C32FBAE1AF3C4A0ABC8E1866CAD",
    )
)
| const ffi = require('ffi-napi'); | |
| const ref = require("ref-napi"); | |
| const Struct = require("ref-struct-di")(ref); | |
| const fs = require('fs') | |
| const ArrayType = require('ref-array-napi') | |
| var Union = require('ref-union-napi'); | |
| /* | |
| Dependencies: | |
| $ npm install ffi-napi |
| using System; | |
| using System.Globalization; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.Threading; | |
| using Microsoft.Exchange.Data.Directory.SystemConfiguration; | |
| namespace ApprovedAppGenerator | |
| { |
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using static GetSxsPath.NativeMethods; | |
| namespace GetSxsPath | |
| { | |
| internal class NativeMethods |
| import io | |
| import sys | |
| import string | |
| KEY_STR = 'ModifiedFwPropertySheetWithOKTheSheetIDS_LDAP_AU_PROPERTIESNULL0FW_WP_OBJECTS' | |
| def get_byte(x): | |
| c = ord(chr(x).lower()) | |
| if ((c - 0x30) & 255) < 10: | |
| retval = c - 0x30 |
| from ctypes import wintypes | |
| import argparse | |
| import ctypes | |
| import yara | |
| import hexdump | |
| """ | |
| .text:0000000180010840 ; char __fastcall BeaconDataStoreUnprotectItem(unsigned __int64) | |
| .text:0000000180010840 BeaconDataStoreUnprotectItem proc near ; CODE XREF: sub_1800100F8+9E↑p | |
| .text:0000000180010840 ; sub_1800102E8+AD↑p |