Nicholas Starke nstarke

  • Bondurant, IA
nstarke / decrypting-dlink-proprietary-firmware-images.md
Last active Jul 20, 2020
Decrypting DLINK Proprietary Firmware Images
nstarke / linksys-ea4500-device-firmware-decryption.md
Created Mar 18, 2020
Linksys EA4500 Device Firmware Decryption

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see from the filename that it's probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspicions:

nstarke / linux-dialup-modems.md
Last active Mar 15, 2020
Connecting to Raspberry Pi's using 56k Modems

Dial Up Connections on Linux

In this tutorial we will detail how to connect two Linux hosts via 56k modems. To do this we will use the following components:

nstarke / 0000-cve-2020-8597.md
Last active May 23, 2020
CVE-2020-8597 - Buffer Overflow in pppd

CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs:

nstarke / building-and-running-ovmf-in-qemu.md
Created Feb 25, 2020
Building and Running OVMF in Qemu

Building and Running OVMF in Qemu

I built EDK2 and OVMF from source using the instructions here: https://github.com/tianocore/tianocore.github.io/wiki/How-to-run-OVMF

The instructions are helpful in getting the build tooling configured to build edk2, but I consistently ran into a problem when I built the DEBUG version of OVMF. I would run:

$ qemu-system-x86_64 -bios ../edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd
nstarke / ecusim-2000.md
Created Feb 23, 2020
Car hacking with ScanTool ECUSim 2000

Car hacking with ScanTool ECUSim 2000

An upcoming project has me looking at car hacking at the moment. I watched a great video ( https://www.youtube.com/watch?v=nvxN5G21aBQ ) which caught me up to speed on the fundamentals. There are a few other videos out there on introductory car hacking, but they all seem to revolve around the virtual CAN interface provided by vcan. I decided I didn't want to test virtually because then I wouldn't know how to work with the actual connection hardware. At the same time, being a beginner, I DID NOT want to plug into my personal vehicle's OBD2 port.

I was looking for something between vcan and a real car. A little googling led me to the ScanTool ECUSim 2000: https://www.amazon.com/OBDLink-ScanTool-ECUsim-Simulator-Development/dp/B008NAH6WE

This board simulates a car. It has an OBD2 port for interfacing just like one would do with a

nstarke / netgear-private-key-disclosure.md
Last active Jul 23, 2020
Netgear TLS Private Key Disclosure through Device Firmware Images

Netgear Signed TLS Cert Private Key Disclosure

Overview

There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.

These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.

The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.

nstarke / 0000-thecus-firmware-decrypt.sh
Last active Mar 18, 2020
Thecus Firmware Decrypt Bash Script
#!/bin/bash
#
# This script takes a Thecus Firmware Image and decrypts it.
# The encryption key is based off of one of the supported
# models, which are listed in the firmware filename. This
# script will try all of the model names in the file name
# and delete any that do not decrypt to a gzip file.
#
# You will need the following c program compiled and passed
nstarke / mac-address-table-filler.py
Last active Jan 16, 2020
Mac Address Table Filler
#!/usr/bin/env python
#
# This script is meant to assist in filling up a MAC ADDRESS Table on a switch
# This script requires scapy to be installed, and most likely will need to be
# run as root. That means scapy will have to be installed for the root user
# in order for this script to work.
#
# Arguments:
# * Interface to send ARP packet on
nstarke / resize-ghidra-gui.md
Last active Apr 23, 2020
Resize Ghidra GUI for High DPI screens

Resize Ghidra for High DPI screens

If you run Ghidra on a high DPI screen, you will probably find the GUI scaled down so small as to be almost of no use.

There is a setting that you can adjust to scale the Ghidra GUI:

In $GHIDRA_ROOT/support there is a file named launch.properties. In this launch.properties file is the following configuration key:

VMARGS_LINUX=-Dsun.java2d.uiScale=1