Skip to content

Instantly share code, notes, and snippets.

View nstarke's full-sized avatar

Nicholas Starke nstarke

View GitHub Profile
@nstarke
nstarke / network-callout.sh
Created June 21, 2022 21:41
Network Callout
#!/bin/bash
# sudo apt install iw curl jq
ALIVE="$1"
check_public_ip() {
INTERFACE="$1"
PUBLIC_IP=$(curl -s https://httpbin.org/ip | jq -r .origin)
if ! [[ -z $PUBLIC_IP ]]; then
echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE"
fi
@nstarke
nstarke / generate-nested-json.js
Last active April 14, 2022 15:01
Generated Deeply Nested JSON
//
// Run this javascript file like so
//
// node generate-nested-json.js "a" 1024 64
// Where:
//
// "a" is the nested property to create
// 1024 is the initial max recursion
// 64 is the amount of times to multiple the initial max recursion.
//
@nstarke
nstarke / linux-firmare-cpu_rec.txt
Last active December 4, 2023 03:28
CPU_REC run against linux-firmware
linux-firmware-20231111/rtl_bt/rtl8851bu_fw.bin full(0xc260) None chunk(0x400;2) MIPS16
linux-firmware-20231111/rtl_bt/rtl8822cs_fw.bin full(0xf474) None chunk(0x200;2) MIPS16
linux-firmware-20231111/rtl_bt/rtl8852cu_fw_v2.bin full(0x1b939) None chunk(0x300;3) MIPS16
linux-firmware-20231111/rtl_bt/rtl8761bu_fw.bin full(0xadc4) None chunk(0x200;2) MIPS16
linux-firmware-20231111/rtl_bt/rtl8822cs_config.bin full(0x21) None chunk(0x0;0) None
linux-firmware-20231111/rtl_bt/rtl8761b_config.bin full(0x19) None chunk(0x0;0) None
linux-firmware-20231111/rtl_bt/rtl8723d_fw.bin
@nstarke
nstarke / aqn-cpu_rec-results.txt
Created July 8, 2021 17:02
Aquantia Firmware Update Files - CPU_REC Results
$ python3 ~/cpu_rec/cpu_rec.py *.clx
AQC100-Felicity-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC107-Nikki-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC111-Bermuda-B0-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x31000;98) Xtensa
$ binwalk *.clx
Scan Time: 2021-07-08 17:01:00
Target File: /home/nick/aqn/AQC100-Felicity-3.1.121_bdp_aqsign.clx
MD5 Checksum: 3dd8e40cd3e4aa183b13939190b86b05
Signatures: 404
@nstarke
nstarke / CountReferencedStrings.java
Last active January 20, 2021 21:31
Ghidra Script: Count Referenced Strings
/* ###
* IP: GHIDRA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
@nstarke
nstarke / find-compressed-data.py
Last active July 10, 2024 10:16
Find Compressed Data without Compression Header
#!/usr/bin/env python3
#
# find-compressed-data.py
#
# A small script to bruteforce embedded compressed data that might not have a header
# Useful for raw binary firmware images that do not contain a standard
# binary header (ELF, PE, MACH-O).
#
# I included a limt on size at 16KB because this has a tendency to create
@nstarke
nstarke / decrypting-dlink-proprietary-firmware-images.md
Last active July 19, 2024 02:47
Decrypting DLINK Proprietary Firmware Images
@nstarke
nstarke / linksys-ea4500-device-firmware-decryption.md
Created March 18, 2020 03:09
Linksys EA4500 Device Firmware Decryption

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see with the filename that its probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspcicions:

@nstarke
nstarke / linux-dialup-modems.md
Last active October 25, 2023 21:58
Connecting to Raspberry Pi's using 56k Modems

Dial Up Connections on Linux

In this tutorial we will detail how to connect two linux hosts via 56k modems. To do this we will use the following components:

@nstarke
nstarke / 0000-cve-2020-8597.md
Last active November 1, 2023 04:48
CVE-2020-8597 - Buffer Overflow in pppd

CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs: