I recently ran into a situation where binwalk -M -e $FIRMWARE failed me. This was for a Netgear firmware image that ended in a .chkextension.
The firmware file name was R7960P-V1.0.1.34_1.0.20.chk.
This is the output when I ran binwalk R7960P-V1.0.1.34_1.0.20.chk:
$ binwalk R7960P-V1.0.1.34_1.0.20.chk
VirtualBox only officially supports OS X guests on an OS X host, but it is possible to create one on an OS X host and transfer it over to a Linux host. This tutorial will go over one possible way to accomplish this task.
| #!/usr/bin/env python3 | |
| # | |
| # find-compressed-data.py | |
| # | |
| # A small script to bruteforce embedded compressed data that might not have a header | |
| # Useful for raw binary firmware images that do not contain a standard | |
| # binary header (ELF, PE, MACH-O). | |
| # | |
| # I included a limt on size at 16KB because this has a tendency to create |
I recently came across a tutorial on ARM Reverse Engineering https://azeria-labs.com/writing-arm-assembly-part-1/.
However, this tutorial seems to recommend using a Raspberry Pi for following along with the tutorial. I decided I wanted to be able to work through the tutorial using a virtual machine, so I built a QEMU VM of the ARMEL architecture. This is the same architecture that the Raspberry Pi is based off of. I went with debian for ARMEL because its the OS I'm most familiar with. After the operating system is installed, I install tools like GDB and GEF for debugging / reverse engineering.
GEF is a plugin for GDB specifically built for reverse engineering and exploit development. From https://github.com/hugsy/gef.git:
| # this command will return instances where the child_process module is loaded. | |
| # that module is generally a good signal that the application is shelling out | |
| egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "require(\s*)\((\s*)'child_process'(\s*))" . | |
| # this command will return instances where code is dynamically executed. | |
| egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "eval(\s*)\(" . | |
| # this command will check common dangerous functions and report when strings are arguments | |
| egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "(setInterval|setTimeout|new(\s*)Function)(\s*)\((\s*)\".*\"" . |
| #!/bin/bash | |
| # sudo apt install iw curl jq | |
| ALIVE="$1" | |
| check_public_ip() { | |
| INTERFACE="$1" | |
| PUBLIC_IP=$(curl -s https://httpbin.org/ip | jq -r .origin) | |
| if ! [[ -z $PUBLIC_IP ]]; then | |
| echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE" | |
| fi |
| // Original research publication: | |
| // https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ | |
| // | |
| // Depdency installation command: | |
| // npm i jsonwebtoken@0.2.0 | |
| // | |
| // Node security advisory: | |
| // https://nodesecurity.io/advisories/88 | |
| const jwt = require('jsonwebtoken'); |
| // | |
| // Run this javascript file like so | |
| // | |
| // node generate-nested-json.js "a" 1024 64 | |
| // Where: | |
| // | |
| // "a" is the nested property to create | |
| // 1024 is the initial max recursion | |
| // 64 is the amount of times to multiple the initial max recursion. | |
| // |
I built EDK2 and OVMF from source using the instructions here: https://github.com/tianocore/tianocore.github.io/wiki/How-to-run-OVMF
The instructions are helpful in getting the build tooling configured to build edk2, but I consistently ran into a problem when I built the DEBUG version of OVMF. I would run:
$ qemu-system-x86_64 -bios ../edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd
I was recently taking a look at a few WeMo embedded devices. WeMo Devices are IoT contraptions like light switches, space heaters, and coffee machines that are network enabled. I examined the "Holmes Smart Heater". Both had port 41953 open, which is a common port for UPnP services. I decided to dig a little deeper and figure out a way to interact with the SOAP services which UPnP relies on in order to hunt for bugs. My goal was to retrieve sensitive information, such as the WiFi password, from the device.
Using Miranda's MSEARCH (which comes preinstalled on Kali Linux), I was able to discover the setup.xml file for the service I was examining. This file will always be XML, but the actual file name can change. Another way to discover this initial entry point is to examine the network traffic with WireShark. The MSEARCH HTTP requests are easy