nstarke

#!/bin/bash
# sudo apt install iw curl jq 
ALIVE="$1"

check_public_ip() {
   INTERFACE="$1"
   PUBLIC_IP=$(curl -s https://httpbin.org/ip | jq -r .origin)
   if ! [[ -z $PUBLIC_IP ]]; then
       echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE"
   fi

nstarke

//
// Run this javascript file like so
//
// node generate-nested-json.js "a" 1024 64
// Where:
//
// "a" is the nested property to create
// 1024 is the initial max recursion
// 64 is the amount of times to multiple the initial max recursion.
//

nstarke

# CPU_REC run against "linux-firmware"
# CPU_REC @ Git Commit: 9cc225db5e027658ad28c6886b6d6a9980cbe69f
# $ time find . -type f -not -name "LICENSE.*" -and -not -name "LICENCE.*" -and -not -name README -and -not -name GPL-3 -exec python3 ~/cpu_rec/cpu_rec.py {} \; > ../linux-firmware-cpu_rec.txt
# real    2572m26.253s
# user    2533m39.604s
# sys     38m23.537s

./cxgb3/ael2005_twx_edc.bin                                                     full(0x5bc)    None                               chunk(0x100;2)      MN10300   
./cxgb3/t3fw-7.0.0.bin                                                          full(0x757c)   None                               chunk(0xc0;3)       Cell-SPU  

nstarke

$ python3 ~/cpu_rec/cpu_rec.py *.clx
AQC100-Felicity-3.1.121_bdp_aqsign.clx                                          full(0x200000) None                               chunk(0x30800;97)   Xtensa
AQC107-Nikki-3.1.121_bdp_aqsign.clx                                             full(0x200000) None                               chunk(0x30800;97)   Xtensa
AQC111-Bermuda-B0-3.1.121_bdp_aqsign.clx                                        full(0x200000) None                               chunk(0x31000;98)   Xtensa
$ binwalk *.clx

Scan Time:     2021-07-08 17:01:00
Target File:   /home/nick/aqn/AQC100-Felicity-3.1.121_bdp_aqsign.clx
MD5 Checksum:  3dd8e40cd3e4aa183b13939190b86b05
Signatures:    404

nstarke

/* ###
 * IP: GHIDRA
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software

nstarke

#!/usr/bin/env python3

#
# find-compressed-data.py
#
# A small script to bruteforce embedded compressed data that might not have a header
# Useful for raw binary firmware images that do not contain a standard
# binary header (ELF, PE, MACH-O).
#
# I included a limt on size at 16KB because this has a tendency to create

nstarke

Decrypting DLINK Proprietary Firmware Images

The DIR-3040 models of DLINK routers feature encrypted firmware images in the most recent versions of the firmware. https://support.dlink.com/ProductInfo.aspx?m=DIR-3040-US details the firmware images available for this product.

• 1.11B02 - ftp://ftp2.dlink.com/PRODUCTS/DIR-3040/REVA/DIR-3040_REVA_FIRMWARE_v1.11B02.zip
• 1.02B03 - ftp://ftp2.dlink.com/PRODUCTS/DIR-3040/REVA/DIR-3040_REVA_FIRMWARE_v1.02B03.zip

Unzipping the first reveals two files:

• DIR-3040_REVA_RELEASE_NOTES_v1.11B02.pdf

nstarke

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see with the filename that its probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspcicions:

nstarke

Dial Up Connections on Linux

In this tutorial we will detail how to connect two linux hosts via 56k modems. To do this we will use the following components:

• Two Raspberry Pi's 4 ($35-$55 / each)
• Two Conexant 56k Modems ( https://www.amazon.com/gp/product/B008RZTJC0/ | $17-$20 / each)
• a RJ-11 splitter( https://www.amazon.com/Splitter-Duplex-line-Telephone-Adapter/dp/B07WNDZT6Y | $8-$12)
• A Linksys SPA-2102 ( search ebay for linksys SPA-2102 on ebay | $18-$25 )
• Two RJ-11 cables ( should come with the modems )

nstarke

CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs: