Eric Schulman clouded-eas

## keybase.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                clouded-eas
                / keybase.md
            
            
              Created
              December 27, 2016 14:43
            
          
    Keybase proof

I hereby claim:

I am clouded-eas on github.
I am clouded (https://keybase.io/clouded) on keybase.
I have a public key whose fingerprint is A523 8FAD BCE2 6EC4 BF1A  C0E1 B075 B4A2 8613 6801

To claim this, I am signing this object:

  
## vegacert.crt
-----BEGIN CERTIFICATE-----
MIICwzCCAiygAwIBAgIGAVc8HyEMMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYDVQQG
EwJDQTEPMA0GA1UECBMGUXVlYmVjMREwDwYDVQQHEwhNb250cmVhbDERMA8GA1UE
ChMIU3ViZ3JhcGgxJzAlBgNVBAsTHlZlZ2EgV2ViIFZ1bG5lcmFiaWxpdHkgU2Nh
bm5lcjEpMCcGA1UEAxMgVmVnYSBQcm94eSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
HhcNMTYwOTE4MDcwNzM1WhcNMjEwOTE3MDcwNzM1WjCBmDELMAkGA1UEBhMCQ0Ex
DzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxETAPBgNVBAoTCFN1
YmdyYXBoMScwJQYDVQQLEx5WZWdhIFdlYiBWdWxuZXJhYmlsaXR5IFNjYW5uZXIx
KTAnBgNVBAMTIFZlZ2EgUHJveHkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCStW2LhYsW1YqzrG1QDL1LLDocUyP5icKF

## keybase.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                clouded-eas
                / keybase.md
            
            
              Last active
              August 29, 2015 14:20
            
          
    Keybase proof

I hereby claim:

I am easeip on github.
I am eip (https://keybase.io/eip) on keybase.
I have a public key whose fingerprint is 4730 C434 DA25 9F59 93D4  E379 3D8B A419 16AC 3860

To claim this, I am signing this object:

  
## java-ohnoes.java
detection rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Java User Agent Flowbit Set"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; pcre:"/User\x2DAgent\x3A[^\r\n]*Java\x2F1\x2E/H"; flowbits:set,java.usergent; flowbits:noalert; classtype:misc-activity; sid:1399911; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Java Nuclear Pack/Redkit Exploit Kit Java Exploit Obfuscated Binary Download - Setup.exe"; flowbits:isset,java.usergent; flow:established,to_client; content:"filename=setup.exe"; http_header; file_data; content:!"MZ"; within:2; reference:url,; reference:cve,2013-0422; sid:1239992; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Java Blackhole Exploit Kit Java Exploit Obfuscated Binary Download - Calc.exe"; flowbits:isset,java.usergent; flow:established,to_client; content:"filename=calc.exe"; http_header; file_data; content:!"MZ"; within:2; reference:url; reference:cve,2013-0422; sid:1239993; rev:1;)
alert tcp $

## gist:3277379
def valid_credit_card?(number)
  number = number.to_s.gsub(/\D/, "")

  return false unless valid_association?(number)
  number.reverse!

  relative_number = {'0' => 0, '1' => 2, '2' => 4, '3' => 6, '4' => 8, '5' => 1, '6' => 3, '7' => 5, '8' => 7, '9' => 9}

  sum = 0

## lame
#lame luhn

    when /^3[47]d{13}$/ then return "AMEX"
    when /^4d{12}(d{3})?$/ then return "VISA"
    when /^5d{15}|36d{14}$/ then return "MC"
    when /^6011d{12}|650d{13}$/ then return "DISC"
    when /^3(0[0-5]|8[0-1])d{11}$/ then return "DINERS"
    when /^(39d{12})|(389d{11})$/ then return "CB"
    when /^3d{15}|1800d{11}|2131d{11}$/ then return

## 239shellc
findfdread:
	jmp startup			;skip over all the find stuff, we'll get to it
find_kernel32:				;abuses TEB to find kernel32.dll
	push esi 			;preserve ESI
	xor esi, esi			;zero it
	mov esi, fs:[esi + 0x18]	;grab the TEB and store it in ESI
	lodsd				;use it to ad 4 to esi, actual value doesn't matter, we're saving memory space here
					;to keep it down to 11 bytes to find kernel32.dll via the TEB abuse
	lodsd				;grab the top of the stack from the TEB and store it in eax
	mov eax, [eax - 0x1c]		;grab a pointer that's 0x1c bytes (28 bytes) into the stack and store it in eax

## wtfissue-tree.txt
[root@bh1339 mysqld]# ls
mysqld.pid  mysqld.pid3
[root@bh1339 mysqld]# whoami
root
[root@bh1339 mysqld]# ls -al mysqld.pid3
-rw-rw----  1 root root 6 Mar  9 04:41 mysqld.pid3
[root@bh1339 mysqld]# rm -rf mysqld.pid3
[root@bh1339 mysqld]# ls
mysqld.pid  mysqld.pid3
[root@bh1339 mysqld]# mv mysqld.pid3  hax
	-----BEGIN CERTIFICATE-----
	MIICwzCCAiygAwIBAgIGAVc8HyEMMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYDVQQG
	EwJDQTEPMA0GA1UECBMGUXVlYmVjMREwDwYDVQQHEwhNb250cmVhbDERMA8GA1UE
	ChMIU3ViZ3JhcGgxJzAlBgNVBAsTHlZlZ2EgV2ViIFZ1bG5lcmFiaWxpdHkgU2Nh
	bm5lcjEpMCcGA1UEAxMgVmVnYSBQcm94eSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
	HhcNMTYwOTE4MDcwNzM1WhcNMjEwOTE3MDcwNzM1WjCBmDELMAkGA1UEBhMCQ0Ex
	DzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxETAPBgNVBAoTCFN1
	YmdyYXBoMScwJQYDVQQLEx5WZWdhIFdlYiBWdWxuZXJhYmlsaXR5IFNjYW5uZXIx
	KTAnBgNVBAMTIFZlZ2EgUHJveHkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0G
	CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCStW2LhYsW1YqzrG1QDL1LLDocUyP5icKF
	detection rules:

	alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Java User Agent Flowbit Set"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; pcre:"/User\x2DAgent\x3A[^\r\n]*Java\x2F1\x2E/H"; flowbits:set,java.usergent; flowbits:noalert; classtype:misc-activity; sid:1399911; rev:1;)
	alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Java Nuclear Pack/Redkit Exploit Kit Java Exploit Obfuscated Binary Download - Setup.exe"; flowbits:isset,java.usergent; flow:established,to_client; content:"filename=setup.exe"; http_header; file_data; content:!"MZ"; within:2; reference:url,; reference:cve,2013-0422; sid:1239992; rev:1;)
	alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Java Blackhole Exploit Kit Java Exploit Obfuscated Binary Download - Calc.exe"; flowbits:isset,java.usergent; flow:established,to_client; content:"filename=calc.exe"; http_header; file_data; content:!"MZ"; within:2; reference:url; reference:cve,2013-0422; sid:1239993; rev:1;)
	alert tcp $
	def valid_credit_card?(number)
	number = number.to_s.gsub(/\D/, "")

	return false unless valid_association?(number)
	number.reverse!

	relative_number = {'0' => 0, '1' => 2, '2' => 4, '3' => 6, '4' => 8, '5' => 1, '6' => 3, '7' => 5, '8' => 7, '9' => 9}

	sum = 0
	#lame luhn

	when /^3[47]d{13}$/ then return "AMEX"
	when /^4d{12}(d{3})?$/ then return "VISA"
	when /^5d{15}\|36d{14}$/ then return "MC"
	when /^6011d{12}\|650d{13}$/ then return "DISC"
	when /^3(0[0-5]\|8[0-1])d{11}$/ then return "DINERS"
	when /^(39d{12})\|(389d{11})$/ then return "CB"
	when /^3d{15}\|1800d{11}\|2131d{11}$/ then return
	findfdread:
	jmp startup ;skip over all the find stuff, we'll get to it
	find_kernel32: ;abuses TEB to find kernel32.dll
	push esi ;preserve ESI
	xor esi, esi ;zero it
	mov esi, fs:[esi + 0x18] ;grab the TEB and store it in ESI
	lodsd ;use it to ad 4 to esi, actual value doesn't matter, we're saving memory space here
	;to keep it down to 11 bytes to find kernel32.dll via the TEB abuse
	lodsd ;grab the top of the stack from the TEB and store it in eax
	mov eax, [eax - 0x1c] ;grab a pointer that's 0x1c bytes (28 bytes) into the stack and store it in eax
	[root@bh1339 mysqld]# ls
	mysqld.pid mysqld.pid3
	[root@bh1339 mysqld]# whoami
	root
	[root@bh1339 mysqld]# ls -al mysqld.pid3
	-rw-rw---- 1 root root 6 Mar 9 04:41 mysqld.pid3
	[root@bh1339 mysqld]# rm -rf mysqld.pid3
	[root@bh1339 mysqld]# ls
	mysqld.pid mysqld.pid3
	[root@bh1339 mysqld]# mv mysqld.pid3 hax