Wade Mealing wmealing
  • Brisbane
@wmealing
wmealing / ANSI.md
Created September 4, 2022 04:02 — forked from fnky/ANSI.md
ANSI Escape Codes

ANSI Escape Sequences

Standard escape codes are prefixed with Escape:

  • Ctrl-Key: ^[
  • Octal: \033
  • Unicode: \u001b
  • Hexadecimal: \x1B
  • Decimal: 27
var dbits, canary = 244837814094590, j_lm = 15715070 == (canary & 16777215);
function BigInteger(a, b, c) {
    if (null != a) {
        if ("number" == typeof a) this.fromNumber(a, b, c);
        else if (null == b && "string" != typeof a) this.fromString(a, 256);
        else this.fromString(a, b);
    }
}
function nbi() {
    return new BigInteger(null);
}
function am1(a, b, c, d, e, f) {
    for (; 0 <= --f;) {
        var h = b * this[a++] + c[d] + e;

Sony Bravia HTTP API

The Sony Bravia has an HTTP API that is accessed using a pre-shared key. There's a more complex auth flow, but I've not described it here.

There wasn't any documentation, so I've written some. If you're a TV integrator, don't read this; you'll laugh. I'm probably just getting confused by UPnP.

Disclaimer: I've only tested this on my TV, which is a KDL-50W829B. Your TV might not have all of the services; see the Available services section for how to discover what your TV supports.

@wmealing
wmealing / gist:2a1a724b267cdde1a2727d8c7a5cb0f4
Created October 9, 2020 07:20
This should be crashing on TSX-disabled systems.
#include <stdio.h>
int main()
{
    int x = 0;
    while (x < 100000) {
        asm ("xbegin ABORT");   /* begin a transaction; on abort, execution resumes at ABORT */
        x++;
        asm ("xend");           /* commit the transaction */
        asm ("ABORT:");         /* fallback target for an aborted transaction */
    }
    return 0;
}
Validating TPM PCRs on Red Hat Enterprise Linux.
Most modern systems have a TPM implemented in hardware that is frequently used to ensure the platform integrity of system-level components.
TPM state is communicated to the operating system through Platform Configuration Register (PCR) values. The TPM has several PCRs, each used for a specific purpose. Some of these registers are intended to be used as hardware and software validation methods to ensure that an "Evil maid" attack has not taken place between boots.
Some attacks may modify the boot process to gain additional privileges while the system is running.
Option 1: LUKS decryption on PCR validation.
@wmealing
wmealing / dmesg out
Created May 27, 2020 14:11
The dmesg output when debug is enabled and the A1 button is pressed.
[ 2019.252809] exresolv-0084 ex_resolve_to_value : Resolved object 00000000ee340dd7
[ 2019.252873] exresolv-0138 ex_resolve_object_to_v: [Arg/Local 0] ValueObj is 00000000ee340dd7
[ 2019.252891] exresolv-0084 ex_resolve_to_value : Resolved object 00000000ee340dd7
[ 2019.252937] exresop-0126 ex_resolve_operands : Opcode 70 [Store] RequiredOperandTypes=000002F2
[ 2019.252952] exresop-0210 ex_resolve_operands : Operand is a Reference, Class [Local] 00
[ 2019.252966] exresop-0210 ex_resolve_operands : Operand is a Reference, Class [Argument] 01
[ 2019.252980] exresolv-0138 ex_resolve_object_to_v: [Arg/Local 0] ValueObj is 00000000ee340dd7
[ 2019.252995] exresolv-0084 ex_resolve_to_value : Resolved object 00000000ee340dd7
[ 2019.253008] exdump-0880 ex_dump_operands : **** Start operand dump for opcode [Store], 2 operands
[ 2019.253021] exdump-0625 ex_dump_operand : 00000000ee340dd7 Refs=3 Integer 0000000000000085
| PIN |        | Description         |
|-----+--------+---------------------|
| 01  | Shield |                     |
| 02  |        |                     |
| 03  |        |                     |
| 04  | GRND   |                     |
| 05  | 16V    | Supply (for dock ?) |
| 06  | 16V    |                     |
| 07  | 16V    |                     |
| 08  | 5V     | Supply for usb ?    |
@wmealing
wmealing / Leveraging non important flaws in exploit chains.txt
Last active February 3, 2020 04:40
Prioritizing fix order of minor flaws.
Abstract
This paper intends to demonstrate how to score the importance of lower-impact flaws that can be chained together to allow
higher-impact vulnerabilities to be exploited correctly in a single package. A common vocabulary and scoring system
will be established, and a few of the current high-profile exploit chains used in pwn2win and the Chrome exploit
challenge will be explained and scored in this system to show where they lie.
1. Introduction
Software vendors analyse and score security flaws based on their existence without considering existing unfixed flaws
/* */
/* gcc drm_i915_ktsploit.c -o kt -ldrm -I/usr/include/libdrm */
/* exploit by oxagast */
/* */
//Jun 17 01:22:05 likon kernel: [ 1788.600973] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
//Jun 17 01:22:05 likon kernel: [ 1788.600982] IP: __sg_alloc_table_from_pages+0xe4/0x1f0
//Jun 17 01:22:05 likon kernel: [ 1788.600984] PGD 0 P4D 0
//Jun 17 01:22:05 likon kernel: [ 1788.600987] Oops: 0000 [#3] SMP PTI
//Jun 17 01:22:05 likon kernel: [ 1788.600988] Modules linked in: rfcomm appletalk ipx p8023 psnap p8022 llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) snd_hrtimer ccm cmac bnep binfmt_misc arc4 iwlmvm mac80211 hid_multitouch hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als ir_lirc_codec lirc_dev hid_sensor_gyro_3d rtl2832_sdr hid_sensor_trigger industrialio_t
@wmealing
wmealing / Priviledged-ebpf.md
Last active May 10, 2019 00:41
eBPF privileged operations.

== Why are eBPF filter operations privileged in some distributions?

eBPF is a mechanism in which local users can tell the Linux kernel to attach pseudocode to tracepoints, kprobes, and perf events in the kernel. This pseudocode is later translated into native instructions and executed. Because of this it is heavily used in performance tuning and benchmarking. As this instrumentation can be carried out without recompiling the kernel, eBPF is very attractive for systems where this could be prohibitive either due to cost, downtime, or complexity.

Using eBPF requires calling a syscall, bpf(2). This syscall is used for all eBPF operations, such as loading programs, attaching them to specific events, creating eBPF maps, and accessing map contents from tools. At this time, users with the CAP_SYS_ADMIN capability in the initial namespace can use the bpf(2) syscall, which is effectively root-level privilege.