David Weinstein dweinstein
#!/bin/bash
# Basic setup for an Application AndroidManifest fuzzer
# This requires a pre-existing ant-buildable application project to be set up, so get the SDK and ant 1.8
# This file reproduces the bug mentioned here: http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
# NOTE: values from 260000 and up cause SIGSEGVs to be sent to the system_server (tested on KitKat 4.4.2)
# NOTE: you should probably monitor $(adb logcat) || (/system/bin/gdbserver) for responsiveness to the issue
APP_PROJ_DIR="..." #<-- PATH TO PROJ DIR
APP_PACKAGE_NAME="..." #<-- PACKAGE NAME
APP_LAUNCH_COMP="..." # <--- MAIN ACTIVITY NAME
@Fuzion24
Fuzion24 / MainActivity.java
Last active August 29, 2015 14:01
Nexus 5 Local DOS - Reboots Phone with zero permissions
package com.nexus5.dos;
import android.content.Intent;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
public class MainActivity extends ActionBarActivity {

Android 5.0

I/chromium( 6890): [INFO:CONSOLE(37)] "AddJavascriptInterface: top[Android]: com.WebAppInterface@3847a08c - 
error: Access to java.lang.Object.getClass is blocked", source: http://[REDACTED].com/ (37)

For applications targeting Android >= 5.0, you can enumerate the methods available from inside javascript. "Enumeration of methods will be enabled for applications targeting API levels newer than KitKat (to preserve compatibility with older apps)."

var test = require('tape');
var bytewise = require('bytewise');
var encode = bytewise.encode;
var MIN = bytewise.MIN;
var MAX = bytewise.MAX;
test('tuple queries', function (t) {
var yearly = tuples('reports', 'yearly');
// component keys of the tuple space query are available by index
@rongarret
rongarret / gist:d8987c9cd57bd768e1de
Last active August 29, 2015 14:17
Safari FILE: scheme security hole
It appears that Safari does not enforce any kind of access
restrictions for XMLHTTPRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.
<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
@Fuzion24
Fuzion24 / Patching-CVE-2015-1474.md
Last active September 25, 2015 01:21
Patching CVE-2015-1474 -- Remotely exploitable graphics buffer overflow on my Nexus device (N5 5.0.1)

This is a brief guide on how I patched CVE-2015-1474 for my Nexus 5 - 5.0.1. This involves downloading and building AOSP with the patch for the vuln applied. I have attached a pre-built patched version of libui.so for the Nexus 5 5.0.1 in case you are too lazy to build it yourself (and you trust me).

Building patched libui for your nexus device

repo init -u https://android.googlesource.com/platform/manifest -b android-5.0.1_r1
repo sync -j16

cd frameworks/native
# https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091%5E%21/#F0
git cherry-pick 2bc5e811a817a8c667bca4318ae98582b0ee6dc6
@dweinstein
dweinstein / cdr.c
Created June 7, 2011 22:04
seeks a stream or file before outputting to stdout
/* cdr.c
* David Weinstein (2011)
* offset bytes into a file and write to stdout
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
@teqdruid
teqdruid / Console output -- no Sleep
Created August 7, 2012 20:25
An attempt at making an ARMv7 kernel module for performance counting
# depmod -a; modprobe pmu_sync_sample ; sleep 0; modprobe -r pmu_sync_sample
dmesg output
[91376.479217] Found 6 counters
[91376.479339] Hello, ARM from core 0
[91376.479492] PMNC registers dump:
[91376.479583] PMNC =0x41093001
[91376.479736] CNTENS=0x8000003f
[91376.479827] INTENS=0x00000000
[91376.479919] FLAGS =0x00000000
@dyoo
dyoo / ordered-to-bst.rkt
Created November 2, 2012 20:49
ordered list to binary tree
#lang racket
;; The code of SICP Exercise 2.64, but rewritten to use define-values instead of let.
;; http://mitpress.mit.edu/sicp/full-text/book/book-Z-H-16.html#%_thm_2.64
(struct tree (entry left right) #:transparent)
(define EMPTY-TREE '())
;; list->tree: (listof X) -> tree
;; Given an ordered list of elements, constructs the balanced binary tree.
@greghendershott
greghendershott / termsheet.rkt
Created November 9, 2012 23:54
A "term sheet" is a light-weight, more casual version of a contract. :)
#lang racket
;; A term sheet is a light-weight, casual version of a contract. :)
;;
;; Seriously, `define/termsheet' takes the same form as
;; `define/contract', but uses the contract predicates as simple
;; checks. As a result, this runs much faster -- e.g. ~200x faster --
;; than a normal, chaperoned wrapped procedure.
;;
;; In other words it gives the declarative convenience of