Nicholas Starke nstarke

nstarke / network-callout.sh
Created June 21, 2022 21:41
Network Callout
#!/bin/bash
# sudo apt install iw curl jq
ALIVE="$1"
# Look up the public IP seen by an external service and report it for the given interface
check_public_ip() {
INTERFACE="$1"
PUBLIC_IP=$(curl -s https://httpbin.org/ip | jq -r .origin)
if [[ -n "$PUBLIC_IP" ]]; then
echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE"
fi
}
nstarke / generate-nested-json.js
Last active April 14, 2022 15:01
Generated Deeply Nested JSON
//
// Run this javascript file like so
//
// node generate-nested-json.js "a" 1024 64
// Where:
//
// "a" is the nested property to create
// 1024 is the initial max recursion
// 64 is the number of times to multiply the initial max recursion.
//
nstarke / linux-firmare-cpu_rec.txt
Last active December 4, 2023 03:28
CPU_REC run against linux-firmware
linux-firmware-20231111/rtl_bt/rtl8851bu_fw.bin full(0xc260) None chunk(0x400;2) MIPS16
linux-firmware-20231111/rtl_bt/rtl8822cs_fw.bin full(0xf474) None chunk(0x200;2) MIPS16
linux-firmware-20231111/rtl_bt/rtl8852cu_fw_v2.bin full(0x1b939) None chunk(0x300;3) MIPS16
linux-firmware-20231111/rtl_bt/rtl8761bu_fw.bin full(0xadc4) None chunk(0x200;2) MIPS16
linux-firmware-20231111/rtl_bt/rtl8822cs_config.bin full(0x21) None chunk(0x0;0) None
linux-firmware-20231111/rtl_bt/rtl8761b_config.bin full(0x19) None chunk(0x0;0) None
linux-firmware-20231111/rtl_bt/rtl8723d_fw.bin
nstarke / aqn-cpu_rec-results.txt
Created July 8, 2021 17:02
Aquantia Firmware Update Files - CPU_REC Results
$ python3 ~/cpu_rec/cpu_rec.py *.clx
AQC100-Felicity-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC107-Nikki-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC111-Bermuda-B0-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x31000;98) Xtensa
$ binwalk *.clx
Scan Time: 2021-07-08 17:01:00
Target File: /home/nick/aqn/AQC100-Felicity-3.1.121_bdp_aqsign.clx
MD5 Checksum: 3dd8e40cd3e4aa183b13939190b86b05
Signatures: 404
nstarke / CountReferencedStrings.java
Last active January 20, 2021 21:31
Ghidra Script: Count Referenced Strings
/* ###
* IP: GHIDRA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
nstarke / find-compressed-data.py
Last active May 17, 2023 10:39
Find Compressed Data without Compression Header
#!/usr/bin/env python3
#
# find-compressed-data.py
#
# A small script to brute-force embedded compressed data that might not have a header.
# Useful for raw binary firmware images that do not contain a standard
# binary header (ELF, PE, MACH-O).
#
# I included a limit on size at 16KB because this has a tendency to create
nstarke / decrypting-dlink-proprietary-firmware-images.md
Last active January 17, 2023 17:10
Decrypting DLINK Proprietary Firmware Images
nstarke / linksys-ea4500-device-firmware-decryption.md
Created March 18, 2020 03:09
Linksys EA4500 Device Firmware Decryption

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see from the filename that it's probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspicions:

nstarke / linux-dialup-modems.md
Last active October 25, 2023 21:58
Connecting to Raspberry Pi's using 56k Modems

Dial Up Connections on Linux

In this tutorial we will detail how to connect two Linux hosts via 56k modems. To do this we will use the following components:

nstarke / 0000-cve-2020-8597.md
Last active November 1, 2023 04:48
CVE-2020-8597 - Buffer Overflow in pppd

CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs: