Goals: add links to reasonable, well-written explanations of how things work. No hype and, where possible, no vendor content. Practical first-hand accounts of models in production are eagerly sought.

# A Python script using LIEF to search a directory tree for a specific exported function name
# This is useful when you don't know the DLL name but (somehow) know the exported function name
import sys | |
import lief | |
import os | |
import logging | |
# Silence LIEF's parser diagnostics so that a directory-wide scan of many PE files
# only prints real results; anything below CRITICAL is dropped.
_LIEF_LOG_LEVEL = lief.logging.LOGGING_LEVEL.CRITICAL
lief.logging.set_level(_LIEF_LOG_LEVEL)

# IMAGE_FILE_DLL (0x2000) in the PE FileHeader Characteristics field:
# set when the image is a DLL rather than an executable.
DLL_CHAR = 0x2000
# Strip PE files that carry a lot of junk appended after their end, a trick used to evade AV scanners and slow down analysis tools
import pefile | |
import sys | |
import os | |
# Name is a misspelling of THRESHOLD but is kept as-is so existing references keep working.
# NOTE(review): presumably the number of trailing bytes beyond which data after the
# last section is treated as appended junk — confirm against the rest of the script.
TRESHOLD: int = 100
if __name__ == '__main__': | |
if len(sys.argv) < 2: |
You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228.
This command searches for exploitation attempts in uncompressed files under /var/log
and all of its subfolders.
# Recursive (-r), case-insensitive (-i) search of /var/log, skipping binary files (-I),
# for the literal "${jndi:<scheme>:/" lookup string and its URL-encoded "%7B" variant.
# grep -E is the POSIX spelling of the deprecated egrep alias; the pattern is unchanged.
# Caveats for detection engineering:
#  - Only the plain "jndi:" token directly after "${" / "%7B" is matched; obfuscated
#    variants that split or nest that token need a separate rule.
#  - Inside a POSIX bracket expression "\n" is two literal characters, so "[^\n]+" just
#    requires one more character after "://"; grep is line-based anyway.
#  - Rotated, compressed logs (*.gz) are not searched; use zgrep for those.
sudo grep -E -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
# Copyright © 2021 rusty-snake | |
# | |
# Permission is hereby granted, free of charge, to any person obtaining a copy | |
# of this software and associated documentation files (the "Software"), to deal | |
# in the Software without restriction, including without limitation the rights | |
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
# copies of the Software, and to permit persons to whom the Software is | |
# furnished to do so, subject to the following conditions: | |
# | |
# The above copyright notice and this permission notice shall be included in all |
# background: when you run python code in command mode (aka -c), the inspect module can't work well because the
# source was never written to a .py file. instead we can leverage dill to marshal or unmarshal functions for us.
# in this example, we wrap it into a python decorator. note that dill deserialization, like pickle, can execute code, so only unmarshal data you produced yourself.
# pip install dill | |
def inspectMe(f): | |
import dill as pickle | |
import base64 | |
def wrapper(*arg, **kwargs): |
# prints a string letter-by-letter | |
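def num_letter_test(x):
    """Print each character of *x* on its own line.

    Args:
        x: A string (or any iterable); each element is printed in order,
           one ``print`` call per element.

    Returns:
        None. Output is written to stdout.
    """
    # Iterating the value directly replaces the original index/counter
    # bookkeeping (range(len(...)) plus a manual counter); the printed
    # output is identical, and the function now also accepts iterables
    # that do not support len() or indexing.
    for ch in x:
        print(ch)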
[16Shop] 104.248.55.11 web.verify-acc.amz2020.app-lockedaccesverifed000.com [email protected], [email protected] | |
[16Shop] 104.31.64.248 appleupdates-verificationrequired.com [email protected], [email protected] | |
[16Shop] 134.122.1.92 web.amazon.aws.services-auth-follow.loginsupport.org [email protected], [email protected] | |
[16Shop] 157.230.126.157 billingsecure.amazon.com.dsabekogia.com [email protected], [email protected] | |
[16Shop] 161.117.250.188 auth-verify.paypal.idwebscr.webapps23687618.tempekjaran1.com [email protected], [email protected] | |
[16Shop] 162.144.98.230 manage-secure.information-paypal.gaspolinaja.com [email protected], [email protected] | |
[16Shop] 162.144.98.230 secure-paypal.bangetdivorce.com [email protected], [email protected] | |
[16Shop] 162.214.49.197 authorized2-signin-amazon.camdvr.org | |
[16Shop] 162.214.50.13 signin-webrecovery-br8eapple.serveuser.com [email protected], resultmrsukarelap |
def verify_sign(public_key_loc, signature, data): | |
''' | |
Verifies with a public key from whom the data came that it was indeed | |
signed by their private key | |
param: public_key_loc Path to public key | |
param: signature String signature to be verified | |
return: Boolean. True if the signature is valid; False otherwise. | |
''' | |
from Crypto.PublicKey import RSA | |
from Crypto.Signature import PKCS1_v1_5 |