Nicholas Starke nstarke

  • Bondurant, IA
nstarke / papi.py
Created Sep 24, 2019 — forked from eriknl/papi.py
Reverse engineered partial Aruba PAPI implementation
import hashlib
from struct import *
"""
This implementation was reverse engineered using Wireshark (and source code), strace and two excellent articles:
- https://x-c3ll.github.io/posts/CVE-2018-7081-RCE-ArubaOS/
- https://packetstormsecurity.com/files/136997/Aruba-Authentication-Bypass-Insecure-Transport-Tons-Of-Issues.html
"""
def papi_encrypt(data):
nstarke / binary-split-zero.py
Created Sep 24, 2019
Split Binary File on Zero'd Memory Regions
#!/usr/bin/env python
# Firmware images are often built with zeroed-out regions acting as the delimiter between embedded files.
# This script splits a firmware image wherever the embedded files are separated by at least MAX zeroed bytes.
import sys
import copy
FILE=sys.argv[1]
MAX=512
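The splitting rule the comment describes, carried through as an added example (the gist's own code is only previewed above, and this is not it). MAX, the segment file naming and the constructed sample image are assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Added example, not the gist's code: carve a raw firmware blob into the
# regions that lie between runs of at least MAX zero bytes. Shorter zero runs
# stay inside a segment, because real code and data contain them legitimately.
import re
import sys

MAX = 512  # assumed: minimum length of a zero run that counts as a delimiter


def split_on_zero_runs(blob, max_zeros=MAX):
    """Return [(offset, bytes)] for every region separated by >= max_zeros
    consecutive 0x00 bytes. Leading/trailing zero padding produces no segment."""
    delimiter = re.compile(rb"\x00{%d,}" % max_zeros)
    segments = []
    pos = 0
    for run in delimiter.finditer(blob):
        if run.start() > pos:
            segments.append((pos, blob[pos:run.start()]))
        pos = run.end()
    if pos < len(blob):
        segments.append((pos, blob[pos:]))
    return segments


def write_segments(blob, prefix, max_zeros=MAX):
    """Write each segment to <prefix>-0x<offset>.bin (assumed naming) so the
    pieces can be handed to binwalk or Ghidra individually."""
    names = []
    for offset, data in split_on_zero_runs(blob, max_zeros):
        name = "%s-0x%08x.bin" % (prefix, offset)
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


# Constructed sample image: two "files" separated by a 600-byte zero pad, plus a
# 16-byte zero run inside the second file that must NOT split it.
SAMPLE_IMAGE = (b"\x7fELF-bootloader" * 4
                + b"\x00" * 600
                + b"KERNEL" + b"\x00" * 16 + b"MORE-KERNEL")

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for offset, data in split_on_zero_runs(image):
        print("segment at 0x%08x, %d bytes" % (offset, len(data)))
```

Run it with a firmware path as the only argument, or with no argument to see it carve the constructed sample. Tune MAX to the image: too small and you cut inside zero-initialised data tables, too large and adjacent files that share a short pad stay glued together.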
nstarke / ghidra-address-iteration-bruteforce-disassemble.py
Created Sep 23, 2019
Ghidra Address Iteration Bruteforce Disassemble
import ghidra.app.script.GhidraScript
# I noticed that on some microcontrollers the ghidra analyzer doesn't auto analyze the entire binary.
# This Ghidra Script will iterate over every address in a binary and attempt to disassemble it.
# Run it from the Script Manager against the open program. It relies on the flat API's
# disassemble() and on Address.next(), which yields None once the address space is exhausted.
counter = 0
nextAddress = currentProgram.getMinAddress()
while nextAddress:
    if disassemble(nextAddress):
        counter += 1
    nextAddress = nextAddress.next()
print("disassembly succeeded at %d addresses" % counter)
nstarke / microcontroller-find.sh
Last active Sep 24, 2019
Analyze Unknown Microcontroller Firmware Binary and Determine File Offset and Instruction Set Architecture
#!/bin/sh
#
# A Small Shell script to check a binary for different microcontroller cpu architectures.
#
# This works by importing the binary into a project in Ghidra
# And then iteratively attempting to analyze chunks of the binary firmware
# all while timing the analysis.
#
# The theory is Ghidra should take noticeably longer to analyze a valid
nstarke / change-mac-address-permanently.md
Created Sep 21, 2019
Change MAC Address Permanently

Change MAC Address Permanently

It is well known that through the ip and ifconfig commands it is possible to change a MAC address temporarily, meaning the change will not persist across host reboots.

But what if you would like to change your MAC address in a more permanent fashion? Is there a way to, through software, permanently change your network interface card's MAC address?

It turns out the answer is yes, and the tool to do so is called ethtool. The address that survives a reboot is the one stored in the NIC's own EEPROM (ethtool -P shows it, as opposed to the currently configured address that ip link shows), so a permanent change means writing that EEPROM, which only works where the driver supports it.

Ethtool

Ethtool comes pre-installed on many stock distributions of Linux, but can also be installed from your package manager of choice if necessary.

nstarke / yardstick-one-setup.md

Yardstick One Setup

A few years ago I bought a YardStick One from Great Scott Gadgets (https://greatscottgadgets.com/yardstickone/).

YardStick One works with a software suite called rfcat (https://github.com/atlas0fd00m/rfcat). I needed to update the bootloader firmware for my YardStick One to work with recent versions of rfcat.

Because of a compiler issue between sdcc 3.6.0.0 and 3.8.0.0 (latest as of this writing), when I attempted to flash the bootloader firmware, I received an Invalid IOCTL warning:

Could not configure port: (25, 'Inappropriate ioctl for device')
nstarke / cisco-ios-powerpc-gdb-rsp-debugger.py
Created Sep 2, 2019
Cisco IOS PowerPC GDB RSP Debugger
#!/usr/bin/python
#
# Cisco IOS GDB RSP Wrapper
# PowerPC Version
#
# Authors:
#
# Artem Kondratenko (@artkond) - original mips version
# Nicholas Starke (@nstarke) - powerpc version
# Adapted from https://github.com/klsecservices/ios_mips_gdb
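A wrapper like the one previewed above has to speak the GDB Remote Serial Protocol to the debugger side. The framing is shown here as an added example, generic RSP rather than the gist's code: a packet is `$<payload>#<cc>` where `cc` is the modulo-256 sum of the payload bytes in two hex digits, `}` escapes special bytes, and the receiver acknowledges with `+` or asks for a resend with `-`. Nothing here is specific to Cisco IOS or PowerPC; the helper names and the sample request are assumptions.

```python
#!/usr/bin/env python3
# Added example, not the gist's wrapper: GDB Remote Serial Protocol framing.
# Packet layout: '$' payload '#' two-hex-digit checksum, checksum = sum of the
# (escaped) payload bytes modulo 256. Helper names are assumptions.

RSP_ESCAPE = ord("}")
RSP_SPECIAL = (ord("}"), ord("$"), ord("#"), ord("*"))


def rsp_checksum(payload):
    """Modulo-256 sum of the payload bytes, as the protocol defines it."""
    return sum(payload) % 256


def rsp_escape(payload):
    """Escape bytes that would be mistaken for framing: '}' then byte ^ 0x20."""
    out = bytearray()
    for b in payload:
        if b in RSP_SPECIAL:
            out += bytes([RSP_ESCAPE, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def rsp_encode(payload):
    """Frame a payload as $...#cc; the checksum covers the escaped form."""
    body = rsp_escape(payload)
    return b"$" + body + b"#" + b"%02x" % rsp_checksum(body)


def rsp_decode(frame):
    """Validate a $...#cc frame and return the unescaped payload, or None when
    the frame is malformed or the checksum is wrong (the caller then sends '-'
    so the stub retransmits instead of acting on corrupted console data)."""
    if len(frame) < 4 or frame[0:1] != b"$" or frame[-3:-2] != b"#":
        return None
    body, cksum = frame[1:-3], frame[-2:]
    try:
        if int(cksum, 16) != rsp_checksum(body):
            return None
    except ValueError:
        return None
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] == RSP_ESCAPE and i + 1 < len(body):
            out.append(body[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)


def read_memory_command(addr, length):
    """Build the 'm addr,length' request the debugger sends to read target memory."""
    return rsp_encode(b"m%x,%x" % (addr, length))


def parse_memory_reply(frame):
    """Turn the hex payload of an 'm' reply into raw bytes. An 'Exx' payload is
    a stub error and, like a bad frame, yields None."""
    payload = rsp_decode(frame)
    if payload is None or (len(payload) == 3 and payload[:1] == b"E"):
        return None
    try:
        return bytes.fromhex(payload.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed exchange: debugger asks for 4 bytes at 0x80000000, stub answers.
    request = read_memory_command(0x80000000, 4)
    reply = rsp_encode(b"7c0802a6")          # sample hex payload, constructed
    print(request, "->", parse_memory_reply(reply).hex())
```

The checksum is only an integrity check against a noisy serial line, not authentication: anything that can inject bytes into the console session can inject valid packets, which is the reason such a debug stub should never be reachable over an untrusted path.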
nstarke / find-data.py
Last active Aug 29, 2019
Python script to bruteforce gzip data
#!/usr/bin/env python
#
# find-data.py
#
# A small script to bruteforce embedded compressed data that might not have a header
# Useful for raw binary firmware images that do not contain a standard
# binary header (ELF, PE, MACH-O).
#
# I included a limit on size at 16KB because this has a tendency to create
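The search the header describes, as an added example rather than the gist's code: walk every offset of a headerless blob and try to inflate from there, keeping the 16KB cap on output per candidate. It covers two cases, a gzip member (which still carries the 1f 8b magic) and a bare DEFLATE stream with no header at all, which only gives itself away by inflating cleanly. The constants, the planted payloads and the seeded filler are assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Added example, not the gist's code: brute-force compressed data inside a
# raw blob that has no ELF/PE/Mach-O header to point at it.
import random
import sys
import zlib

MAX_OUT = 16 * 1024   # cap on bytes inflated per candidate (mirrors the gist's 16KB)
MIN_OUT = 64          # assumed: shorter "successes" on random bytes are noise


def try_inflate(data, wbits):
    """Inflate up to MAX_OUT bytes with the given zlib wbits (-15 = bare DEFLATE,
    31 = gzip wrapper). Returns (output, ended_cleanly) or None on a zlib error."""
    d = zlib.decompressobj(wbits)
    try:
        out = d.decompress(data, MAX_OUT)
    except zlib.error:
        return None
    return out, d.eof


def find_compressed(blob, min_out=MIN_OUT):
    """Scan every offset; return [(offset, kind, inflated, ended)] for candidates
    that produced at least min_out bytes without error. 'ended' is True when the
    stream reached its own end-of-stream marker, the strongest sign the hit is
    real rather than random bits that happened to decode for a while."""
    hits = []
    for off in range(len(blob)):
        window = blob[off:]
        if window[:2] == b"\x1f\x8b":
            r = try_inflate(window, 31)
            if r and len(r[0]) >= min_out:
                hits.append((off, "gzip", r[0], r[1]))
        r = try_inflate(window, -15)
        if r and len(r[0]) >= min_out:
            hits.append((off, "deflate", r[0], r[1]))
    return hits


def _compress(data, wbits):
    c = zlib.compressobj(9, zlib.DEFLATED, wbits)
    return c.compress(data) + c.flush()


# Constructed sample blob: seeded pseudo-random filler with one gzip member and
# one bare DEFLATE stream planted at known offsets.
_rng = random.Random(0xF1A5)
_filler = bytes(_rng.randrange(256) for _ in range(1500))
PAYLOAD_A = b"bootloader strings: " + b"console=ttyS0 root=/dev/mtdblock2 " * 30
PAYLOAD_B = b"kernel cmdline table: " + b"vfs mount ro nosuid nodev " * 40
_GZ = _compress(PAYLOAD_A, 31)
_RAW = _compress(PAYLOAD_B, -15)
GZIP_OFFSET = 700
DEFLATE_OFFSET = GZIP_OFFSET + len(_GZ) + 300
SAMPLE_BLOB = _filler[:700] + _GZ + _filler[700:1000] + _RAW + _filler[1000:]

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for off, kind, data, ended in find_compressed(blob):
        print("0x%08x %-7s %5d bytes %s" % (off, kind, len(data),
                                            "complete" if ended else "partial"))
```

Expect a gzip hit at offset X to be accompanied by a bare-DEFLATE hit at X+10, because that is where the member's DEFLATE stream starts behind the fixed 10-byte gzip header; it is the same data, not a second file. Partial hits without a clean end are worth a look only when they are long: random input often inflates a handful of bytes before zlib notices a bad code, which is what the MIN_OUT floor filters.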
nstarke / find-entropy.py
Created Aug 25, 2019
Find Entropy of Strings
#!/usr/bin/env python
#
# find-entropy.py
#
# A simple utility to measure the entropy of strings.
# Usage should be something like this:
#
# $ strings file.txt | python find-entropy.py
#
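The measurement behind that usage line, as an added example that is not the gist's code: Shannon entropy per character of each line read from stdin, the way you would pipe `strings` output through it to surface keys, tokens and digests. It goes a little beyond the gist's header by adding a minimum length, a threshold and a descending ranking; those values and the constructed sample lines are assumptions.

```python
#!/usr/bin/env python3
# Added example, not the gist's code: rank strings by Shannon entropy.
import math
import sys
from collections import Counter

MIN_LEN = 16        # assumed: very short strings cannot carry much entropy
THRESHOLD = 3.5     # assumed: bits per character below which a line is ignored


def shannon_entropy(s):
    """Bits of entropy per character: 0 for one repeated character, up to
    log2(alphabet size) when every character occurs equally often."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_high_entropy(lines, min_len=MIN_LEN, threshold=THRESHOLD):
    """Return [(entropy, line)] for lines of at least min_len characters whose
    entropy reaches threshold, highest entropy first."""
    hits = []
    for line in lines:
        s = line.strip()
        if len(s) >= min_len:
            h = shannon_entropy(s)
            if h >= threshold:
                hits.append((round(h, 3), s))
    return sorted(hits, reverse=True)


# Constructed sample standing in for `strings firmware.bin` output.
SAMPLE_STRINGS = [
    "Copyright (c) 2012 Example Networks, all rights reserved",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",                      # padding, zero entropy
    "sk_live_9f8c2b7e4a1d0f3e6b5c8a9d2e7f4b1c",               # looks like an API key
    "/usr/lib/libcrypto.so.1.0.0",
    "2bd806c97f0e00af1a1fc3328fa763a9269723c8db8fac4f93af71db186d6e90",  # hex digest
]

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_STRINGS
    for h, s in flag_high_entropy(source):
        print("%.3f  %s" % (h, s))
```

Entropy alone does not separate secrets from text: a sentence or a file path with many distinct characters scores well above 3.5 too, while a 64-character hex digest can never exceed 4.0 bits because it only has 16 symbols. Read the output as a ranking to eyeball, and raise the threshold (or judge hex and base64 candidates against their own maximum) when the list is too long.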
nstarke / 01-reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md
Last active Oct 13, 2019
Reversing Cisco IOS Raw Binary Firmware Images with Ghidra

Reversing Raw Binary Firmware Files in Ghidra

This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.

Prep work in Binwalk

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-O, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.
