Skip to content

Instantly share code, notes, and snippets.

💭
Mostly on gitlab.com/dweinstein these days...

David Weinstein dweinstein

💭
Mostly on gitlab.com/dweinstein these days...
View GitHub Profile
View AndroidManifestFuzzer
#!/bin/bash
#Basic set up for an Application AndroidManifest Fuzzer
#this requires a preexisting ant buildable application project to be set up! so get the SDK and ant1.8
#this file reproduces the bug mentioned here http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
#NOTE: values from 260000 and up cause SIGSEGvs to be sent to the system_server (test on KitKat 4.4.2)
#NOTE: you should probably monitor $(adb logcat)||(/system/bin/gdbserver) for responsiveness to the issue
APP_PROJ_DIR="..." #<-- PATH TO PROJ DIR
APP_PACKAGE_NAME="..." #<-- PACKAGE NAME
APP_LAUNCH_COMP="..." # <--- MAIN ACTIVITY NAME
@Fuzion24
Fuzion24 / MainActivity.java
Last active Aug 29, 2015
Nexus 5 Local DOS - Reboots Phone with zero permissions
View MainActivity.java
package com.nexus5.dos;
import android.content.Intent;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
public class MainActivity extends ActionBarActivity {
View AddJavascript.md

Android 5.0

I/chromium( 6890): [INFO:CONSOLE(37)] "AddJavascriptInterface: top[Android]: com.WebAppInterface@3847a08c - 
error: Access to java.lang.Object.getClass is blocked", source: http://[REDACTED].com/ (37)

For applications targeting Android >= 5.0, you can enumerate the methods available from inside javascript. "Enumeration of methods will be enabled for applications targeting API levels newer than KitKat (to preserve compatibility with older apps)."

View gist:849eb63d28f7e7bb8c97
var test = require('tape');
var bytewise = require('bytewise');
var encode = bytewise.encode;
var MIN = bytewise.MIN;
var MAX = bytewise.MAX;
test('tuple queries', function (t) {
var yearly = tuples('reports', 'yearly');
// component keys of the tuple space query are available by index
@rongarret
rongarret / gist:d8987c9cd57bd768e1de
Last active Aug 29, 2015
Safari FILE: scheme security hole
View gist:d8987c9cd57bd768e1de
It appears that Safari does not enforce any kind of access
restrictions for XMLHTTPRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.
<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
@Fuzion24
Fuzion24 / Patching-CVE-2015-1474.md
Last active Sep 25, 2015
Patching CVE-2015-1474 -- Remotely exploitable graphics buffer overflow on my Nexus device (N5 5.0.1)
View Patching-CVE-2015-1474.md

This is a brief guide on how I patched the CVE-2015-1474 for my Nexus 5 - 5.0.1. This involes downloading and building AOSP with the patch for the vuln applied. I have attached a pre-built patched version of libui.so for the Nexus5 5.0.1 in the case you are too lazy to build it yourself (and you trust me).

Building patched libui for your nexus device

repo init -u https://android.googlesource.com/platform/manifest -b android-5.0.1_r1
repo sync -j16

cd frameworks/native
# https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091%5E%21/#F0
git cherry-pick 2bc5e811a817a8c667bca4318ae98582b0ee6dc6
@dweinstein
dweinstein / cdr.c
Created Jun 7, 2011
seek's stream or file before outputting to stdout
View cdr.c
/* cdr.c
* David Weinstein (2011)
* offset bytes into a file and write to stdout
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
@teqdruid
teqdruid / Console output -- no Sleep
Created Aug 7, 2012
An attempt at making an ARMv7 kernel module for performance counting
View Console output -- no Sleep
# depmod -a; modprobe pmu_sync_sample ; sleep 0; modprobe -r pmu_sync_sample
dmesg output
[91376.479217] Found 6 counters
[91376.479339] Hello, ARM from core 0
[91376.479492] PMNC registers dump:
[91376.479583] PMNC =0x41093001
[91376.479736] CNTENS=0x8000003f
[91376.479827] INTENS=0x00000000
[91376.479919] FLAGS =0x00000000
@dyoo
dyoo / ordered-to-bst.rkt
Created Nov 2, 2012
ordered list to binary tree
View ordered-to-bst.rkt
#lang racket
;; The code of SICP Exercise 2.64, but rewritten to use define-values instead of let.
;; http://mitpress.mit.edu/sicp/full-text/book/book-Z-H-16.html#%_thm_2.64
(struct tree (entry left right) #:transparent)
(define EMPTY-TREE '())
;; list->tree: (listof X) -> tree
;; Given an ordered list of elements, constructs the balanced binary tree.
@greghendershott
greghendershott / termsheet.rkt
Created Nov 9, 2012
A "term sheet" is a light-weight, more casual version of a contract. :)
View termsheet.rkt
#lang racket
;; A term sheet is a light-weight, casual version of a contract. :)
;;
;; Seriously, `define/termsheet' takes the same form as
;; `define/contract', but uses the contract predicates as simple
;; checks. As a result, this runs much faster -- e.g. ~200x faster --
;; than a normal, chaperoned wrapped procedure.
;;
;; In other words it gives the declarative convenience of
You can’t perform that action at this time.