Skip to content

Instantly share code, notes, and snippets.

View bontchev's full-sized avatar

Vesselin Bontchev bontchev

108 followers · 0 following
View GitHub Profile
@roycewilliams
roycewilliams / badrabbit-info.txt
Last active June 17, 2022 11:18
badrabbit-info.txt
Rough summary of developing BadRabbit info
------------------------------------------
BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use ETERNALROMANCE exploit, and same source code and build chain as NotPetya (per Talos)
Mitigations are similar to Petya/NotPetya resistance. An inoculation is also available (see below).
@evilsocket
evilsocket / magniber_decryptor.cpp
Created October 19, 2017 14:09
Decryptor for Magniber ransomware ( https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ )
/*
* This tool will decrypt files encrypted by the Magniber ransomware with
* AES128 ( CBC mode ) algorithm.
*
* RE and report by MalwareBytes ( @hasherezade )
*
* https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
*
* Decryptor written by Simone 'evilsocket' Margaritelli
*
@thomhastings
thomhastings / INSTALL.md
Last active September 29, 2022 05:33

Notes on Shadow Brokers EQGRP-LiT

credit: @GossiTheDog: "If you want to setup FUZZBUNCH (the Equation exploit framework) you need Win7 VM + Python 2.6 + Pywin 2.6, then python fb.py for shell"
h/t @x0rz @DEYCrypt @hackerfantastic

HOW 2 SETUP + INSTALL FUZZBUNCH & DANDERSPRITZ

context: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
writeup: https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/
decrypted files: https://github.com/x0rz/EQGRP_Lost_in_Translation

@marcan
marcan / smbloris.c
Last active November 22, 2022 08:32
SMBLoris attack proof of concept
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
@vqhuy
vqhuy / rol-ror.py
Created August 13, 2015 06:15
python rol, ror operation implement
###########################################################################
# Rotating bits (tested with Python 2.7)
from __future__ import print_function # PEP 3105
# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)
# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
@thomaspatzke
thomaspatzke / Kill-Ransomware.ps1
Created November 5, 2019 12:29
Ransomware Killer
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
@wdormann
wdormann / disable_win10_foistware.reg
Created January 2, 2018 23:15
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000
@nathanqthai
nathanqthai / payload_samples.md
Last active March 30, 2023 12:54
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence

Samples

Enclosed are some sanitized samples of data GreyNoise has identified and collected related to the Log4J vulnerability exploitation in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified if any of these are effective. These examples are not a comprehensive coverage of all the payloads GreyNoise have observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.

Examples

The follow section includes Log4Shell samples seen in the wild

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

@CJFWeatherhead
CJFWeatherhead / crontab
Created February 16, 2018 14:20
Automatically redirect Tor traffic to onion (Hopefully efficiently as the if processing isn't intensive)
##Get New Exit Node list ever 6 Hours
57 */6 * * * `curl https://check.torproject.org/cgi-bin/TorBulkExitList.py\?ip\=<yourip> | awk '{print $0" TOREX;"}' > /etc/nginx/includes/torexit.ips && service nginx restart`
@gnremy
gnremy / CVE-2021-44228_IPs.csv
Last active April 26, 2023 07:01
CVE-2021-44228 Apache Log4j RCE Attempts Dec 20th 9:27PM ET
ip tag_name
162.155.56.106 Apache Log4j RCE Attempt
223.111.180.119 Apache Log4j RCE Attempt
213.142.150.93 Apache Log4j RCE Attempt
211.154.194.21 Apache Log4j RCE Attempt
210.6.176.90 Apache Log4j RCE Attempt
199.244.51.112 Apache Log4j RCE Attempt
199.101.171.39 Apache Log4j RCE Attempt
197.246.175.186 Apache Log4j RCE Attempt
196.196.150.38 Apache Log4j RCE Attempt