Gareth Jones symm

@nstarke
nstarke / netgear-private-key-disclosure.md
Last active Oct 21, 2020
Netgear TLS Private Key Disclosure through Device Firmware Images

Netgear Signed TLS Cert Private Key Disclosure

Overview

There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.

These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.

The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.

@hfiref0x
hfiref0x / akagi_58a.c
Created Oct 23, 2019
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
    HRESULT (STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in IEditionUpgradeManager *This,
        __RPC__in REFIID riid,
@lizthegrey
lizthegrey / attributes.rb
Last active Jun 8, 2021
Hardening SSH with 2fa
default['sshd']['sshd_config']['AuthenticationMethods'] = 'publickey,keyboard-interactive:pam'
default['sshd']['sshd_config']['ChallengeResponseAuthentication'] = 'yes'
default['sshd']['sshd_config']['PasswordAuthentication'] = 'no'
@mattifestation
mattifestation / LoadInMemoryModule.ps1
Created Mar 30, 2018
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
View README.md

Root OnePlus5 without unlocking the bootloader

Gain adb root.

$ adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"

Download Magisk-v14.0 and extract it somewhere. Download MagiskManager.

@NigelEarle
NigelEarle / Knex-Migrations-Seeding.md
Last active Jul 22, 2021
Migration and seeding instructions using Knex.js!

Migrations & Seeding

What are migrations?

Migrations are a way to make database changes or updates, such as creating or dropping tables, or adding new columns with constraints to an existing table, via generated scripts. We can build these scripts from the command line using the knex command-line tool.

To learn more about migrations, check out this article on the different types of database migrations!

Creating/Dropping Tables

@sators
sators / connect.php
Last active May 17, 2021
PHP MySQLi Amazon Aurora RDS EC2 IAM Role Based Authentication
<?php
/********* CONFIG ********/
$clusterEndpoint = "";
$clusterPort = 3306;
$clusterRegion = "us-east-1";
$dbUsername = "";
$dbDatabase = "";
/*************************/
@konsumer
konsumer / radioreference2SDRTouchPresets.js
Last active Nov 6, 2019
Build SDRTouch Presets from radioreference site
// Put this into Developer console
// on a page like https://www.radioreference.com/apps/db/?inputs=2&ctid=2230
function tableToJs ($table) {
  const headers = $('th', $table).map((i, th) => $(th).text().trim())
  const out = []
  $('tr', $table).each((i, tr) => {
    const row = {}
    $('td', tr).map((i, td) => {
      row[headers[i]] = $(td).text()
View chat-frontend.js
"use strict";
// for better performance - to avoid searching in DOM
const inputElement = document.getElementById('input');
const contentElement = document.getElementById('content');
const statusElement = document.getElementById('status');
// my color assigned by the server
var myColor = false;
// my name sent to the server
@egirault
egirault / Syscan2015Badge.md
Last active May 14, 2021
Dumping the flash memory of the Syscan 2015 badge

Dumping the flash of the Syscan 2015 badge

The badge of the Syscan 2015 conference included an ARM-based STM32F030R8 processor running some challenges. Although SWD pins are accessible on the badge, some have noted that the STM32 is readout-protected, meaning that it will refuse to dump its flash memory.

Fortunately, two researchers (Johannes Obermaier and Stefan Tatschner) recently published a paper at the WOOT '17 conference in which they reveal a vulnerability that allows the readout protection to be bypassed. Their technique dumps the flash one DWORD at a time, rebooting the CPU between each access.

I implemented this attack using a BusPirate and the PySWD module. Here is a quick'n dirty PoC to