| // Most of this taken from https://stackoverflow.com/a/19780129 with some edits. | |
| #ifndef _WIN32_WINNT | |
| // Windows XP | |
| #define _WIN32_WINNT 0x0501 | |
| #endif | |
| #define MAX_PATH 0xFF | |
| #include <Windows.h> | |
| #include <Psapi.h> | |
| #include <iostream> |
I have a collection of QEMU VMs for different CPU Architectures. In an attempt to fill in some gaps on architectures I lacked VMs for, I decided to spin up a PowerPC32 VM under QEMU. I chose Debian-PowerPC as the OS.
Install the prerequisite PowerPC packages:
# apt-get install qemu-system-ppc openbios-ppc
I recently came across a tutorial on ARM Reverse Engineering https://azeria-labs.com/writing-arm-assembly-part-1/.
However, this tutorial seems to recommend using a Raspberry Pi for following along with the tutorial. I decided I wanted to be able to work through the tutorial using a virtual machine, so I built a QEMU VM of the ARMEL architecture. This is the same architecture that the Raspberry Pi is based off of. I went with debian for ARMEL because its the OS I'm most familiar with. After the operating system is installed, I install tools like GDB and GEF for debugging / reverse engineering.
GEF is a plugin for GDB specifically built for reverse engineering and exploit development. From https://github.com/hugsy/gef.git:
| var net = require('net'); | |
| var tls = require('tls'); | |
| var url = require('url'); | |
| var util = require('util'); | |
| var commander = require('commander'); | |
| commander.option('-u, --url [url]', 'Url to hit') | |
| .option('-c, --connections [connections]', 'Connections to use simultaneously', 256, parseInt) | |
| .option('-t, --timings [timings]', 'Which set of timings to use', 'default') |
| <!DOCTYPE html> | |
| <html style="width:100%;height:100%;"> | |
| <head> | |
| <title>DNS-Exfil.js</title> | |
| <script> | |
| var targetId = Math.round(Math.random() * 1000000); | |
| var sessionId = guid(); | |
| function doRequest(){ |
I was recently taking a look at a few WeMo embedded devices. WeMo Devices are IoT contraptions like light switches, space heaters, and coffee machines that are network enabled. I examined the "Holmes Smart Heater". Both had port 41953 open, which is a common port for UPnP services. I decided to dig a little deeper and figure out a way to interact with the SOAP services which UPnP relies on in order to hunt for bugs. My goal was to retrieve sensitive information, such as the WiFi password, from the device.
Using Miranda's MSEARCH (which comes preinstalled on Kali Linux), I was able to discover the setup.xml file for the service I was examining. This file will always be XML, but the actual file name can change. Another way to discover this initial entry point is to examine the network traffic with WireShark. The MSEARCH HTTP requests are easy
| #!/bin/bash | |
| APK=$1 | |
| # Linux only right now. | |
| if [ ! -d "$HOME/.android-decompile-tools" ]; then | |
| mkdir "$HOME/.android-decompile-tools" | |
| fi |
| // Original research publication: | |
| // https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ | |
| // | |
| // Depdency installation command: | |
| // npm i jsonwebtoken@0.2.0 | |
| // | |
| // Node security advisory: | |
| // https://nodesecurity.io/advisories/88 | |
| const jwt = require('jsonwebtoken'); |
In late 2015, I decided to start researching IP Cameras. I decided to try out the cheapest models available on Amazon.com, both because I thought those models would be more “fruitful” and because I was trying to do this research on a budget. It turns out that the security on these lower model IP Cameras is really bad.
I looked at five different IP Cameras and was able to gain root access on four of them within a few hours of starting to poke at them. All of the cameras I looked at cost between $30-$70, and can be purchased directly from Amazon.com.
My goals in completing this research were two-fold:
VirtualBox only officially supports OS X guests on an OS X host, but it is possible to create one on an OS X host and transfer it over to a Linux host. This tutorial will go over one possible way to accomplish this task.