Hitechcomputergeek

## apollo.txt
This bug was also called moonshine in the beginning
Basically the following bug is present in all bootroms I have looked at:
1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
4. it then returns wLength which is the length it wants to recieve into the buffer
5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
7. if all the data was recieved th

## root_my_vm.py
#!/usr/bin/python3

import sys
import os
import signal


PATTERN = b"root:x:0:0:root"
REPLACE = b"root::00:0:root"

## rpi_cam_auth.py
import hmac, hashlib

# Data from I²C trace at https://hackaday.io/project/19480-raspberry-pi-camera-v21-reversed/log/52547-i2c-logic-analyzer-trace
# Secret key from VideoCore blob

# serial[8], serial[7:4], serial[3:0]
serial = bytes.fromhex("EE8C196D8301230B59")

# rPi -> camera random number
numIn = bytes.fromhex("5805F3C898C3133154498E082F2E703516F2DBD1")

## wiipointer.c
/*
 * Algorithm to process Wiimote IR tracking data into a usable pointer position
 * by tracking the sensor bar.
 *
 * Copyright (c) 2008-2011 Hector Martin "marcan" <marcan@marcan.st>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *

## Deobfuscator.html

<html>
<head>
<script type="text/javascript">
if (document.images) {
    img1 = new Image();
    img1.src = "https://gist.github.com/Zibri/c040a013548f3f5039fa75cafb98d9a8/raw/374b3ba2ca881eb0a39958dd724765eefd0703fe/gatto1.jpg";
    img2 = new Image();
    img2.src = "https://gist.github.com/Zibri/c040a013548f3f5039fa75cafb98d9a8/raw/374b3ba2ca881eb0a39958dd724765eefd0703fe/gatto2.jpg";
}

## spectre-meltdown.sh
git clone https://github.com/speed47/spectre-meltdown-checker.git
cd spectre-meltdown-checker/
sudo sh spectre-meltdown-checker.sh

## spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

## .htaccess
	#
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#

## smbloris.c
/* SMBLoris attack proof-of-concept
 *
 * Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
 *
 * Licensed under the terms of the 2-clause BSD license.
 *
 * This is a proof of concept of a publicly disclosed vulnerability.
 * Please do not go around randomly DoSing people with it.
 *
 * Tips: do not use your local IP as source, or if you do, use iptables to block

## pk5001z00pin.c
/*  PK5001Z CenturyLink Router/Modem remote root exploit                  */
/*             oxagast / Marshall Whittaker                               */
/* marshall@likon:[~/Code/pk5001zpwn]: gcc pk5001z00pin.c -o pk5001z00pin */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin                     */
/* PK5001Z CenturyLink Router remote root 0day                            */
/* Enjoy!                                                                 */
/*   --oxagast                                                            */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin 192.168.0.1         */
/*                                                                        */
/* # uname -a; id;                                                        */
	This bug was also called moonshine in the beginning
	Basically the following bug is present in all bootroms I have looked at:
	1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
	2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
	3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
	4. it then returns wLength which is the length it wants to recieve into the buffer
	5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
	6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
	7. if all the data was recieved th
	#!/usr/bin/python3

	import sys
	import os
	import signal


	PATTERN = b"root:x:0:0:root"
	REPLACE = b"root::00:0:root"
	import hmac, hashlib

	# Data from I²C trace at https://hackaday.io/project/19480-raspberry-pi-camera-v21-reversed/log/52547-i2c-logic-analyzer-trace
	# Secret key from VideoCore blob

	# serial[8], serial[7:4], serial[3:0]
	serial = bytes.fromhex("EE8C196D8301230B59")

	# rPi -> camera random number
	numIn = bytes.fromhex("5805F3C898C3133154498E082F2E703516F2DBD1")
	/*
	* Algorithm to process Wiimote IR tracking data into a usable pointer position
	* by tracking the sensor bar.
	*
	* Copyright (c) 2008-2011 Hector Martin "marcan" <marcan@marcan.st>
	* All rights reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions are met:
	*

	<html>
	<head>
	<script type="text/javascript">
	if (document.images) {
	img1 = new Image();
	img1.src = "https://gist.github.com/Zibri/c040a013548f3f5039fa75cafb98d9a8/raw/374b3ba2ca881eb0a39958dd724765eefd0703fe/gatto1.jpg";
	img2 = new Image();
	img2.src = "https://gist.github.com/Zibri/c040a013548f3f5039fa75cafb98d9a8/raw/374b3ba2ca881eb0a39958dd724765eefd0703fe/gatto2.jpg";
	}
	git clone https://github.com/speed47/spectre-meltdown-checker.git
	cd spectre-meltdown-checker/
	sudo sh spectre-meltdown-checker.sh
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#ifdef _MSC_VER
	#include <intrin.h> /* for rdtscp and clflush */
	#pragma optimize("gt",on)
	#else
	#include <x86intrin.h> /* for rdtscp and clflush */
	#endif
	#
	# TO-DO: set \|DESTINATIONURL\| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#
	/* SMBLoris attack proof-of-concept
	*
	* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
	*
	* Licensed under the terms of the 2-clause BSD license.
	*
	* This is a proof of concept of a publicly disclosed vulnerability.
	* Please do not go around randomly DoSing people with it.
	*
	* Tips: do not use your local IP as source, or if you do, use iptables to block
	/* PK5001Z CenturyLink Router/Modem remote root exploit */
	/* oxagast / Marshall Whittaker */
	/* marshall@likon:[~/Code/pk5001zpwn]: gcc pk5001z00pin.c -o pk5001z00pin */
	/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin */
	/* PK5001Z CenturyLink Router remote root 0day */
	/* Enjoy! */
	/* --oxagast */
	/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin 192.168.0.1 */
	/* */
	/* # uname -a; id; */