Nicholas Starke nstarke

nstarke / android-decompile.sh
Last active May 14, 2020 06:49
Android APK Decompile Script
#!/bin/bash
APK=$1
# Linux only right now.
if [ ! -d "$HOME/.android-decompile-tools" ]; then
mkdir "$HOME/.android-decompile-tools"
fi
nstarke / wemo-soap.md
Created September 12, 2016 04:05
SOAP Calls for UPnP Services on WeMo Devices

Note: this write-up doesn't contain any vulnerabilities or exploits!

I was recently taking a look at a few WeMo embedded devices. WeMo devices are network-enabled IoT contraptions like light switches, space heaters, and coffee machines. I examined the "Holmes Smart Heater". Both had port 41953 open, which is a common port for UPnP services. I decided to dig a little deeper and figure out a way to interact with the SOAP services that UPnP relies on, in order to hunt for bugs. My goal was to retrieve sensitive information, such as the WiFi password, from the device.

Using Miranda's MSEARCH (which comes preinstalled on Kali Linux), I was able to discover the setup.xml file for the service I was examining. This file will always be XML, but the actual file name can change. Another way to discover this initial entry point is to examine the network traffic with Wireshark. The MSEARCH HTTP requests are easy

nstarke / bacon-ipsum.html
Last active January 14, 2017 03:48
Browser Based DNS Exfil
<!DOCTYPE html>
<html style="width:100%;height:100%;">
<head>
<title>DNS-Exfil.js</title>
<script>
var targetId = Math.round(Math.random() * 1000000);
var sessionId = guid();
function doRequest(){
nstarke / slowloris.js
Last active December 15, 2017 21:01
Slowloris
var net = require('net');
var tls = require('tls');
var url = require('url');
var util = require('util');
var commander = require('commander');
commander.option('-u, --url [url]', 'Url to hit')
.option('-c, --connections [connections]', 'Connections to use simultaneously', 256, parseInt)
.option('-t, --timings [timings]', 'Which set of timings to use', 'default')
nstarke / armel-re-lab.md
Last active April 18, 2023 04:50
Setting up an ARMEL Reverse Engineering / Debug Lab in QEMU

I recently came across a tutorial on ARM Reverse Engineering https://azeria-labs.com/writing-arm-assembly-part-1/.

However, this tutorial seems to recommend using a Raspberry Pi for following along. I decided I wanted to be able to work through the tutorial using a virtual machine, so I built a QEMU VM of the ARMEL architecture. This is the same architecture that the Raspberry Pi is based on. I went with Debian for ARMEL because it's the OS I'm most familiar with. After the operating system is installed, I install tools like GDB and GEF for debugging / reverse engineering.

GEF is a plugin for GDB specifically built for reverse engineering and exploit development. From https://github.com/hugsy/gef.git:

nstarke / qemu-debian-powerpc32.md
Created May 31, 2017 23:58
Create Debian PowerPC32 VM Under QEMU

I have a collection of QEMU VMs for different CPU architectures. In an attempt to fill in some gaps on architectures I lacked VMs for, I decided to spin up a PowerPC32 VM under QEMU. I chose Debian-PowerPC as the OS.

Gathering Resources

Install the prerequisite PowerPC packages:

# apt-get install qemu-system-ppc openbios-ppc
nstarke / find-pipes.cpp
Created December 31, 2017 20:00
List Named Pipes in Windows
// Most of this taken from https://stackoverflow.com/a/19780129 with some edits.
#ifndef _WIN32_WINNT
// Windows XP
#define _WIN32_WINNT 0x0501
#endif
#define MAX_PATH 0xFF
#include <Windows.h>
#include <Psapi.h>
#include <iostream>
nstarke / process-token-ops.md
Created December 31, 2017 20:36
Windows Process Token Bitwise AND to Get Real Value
nstarke / skip-long-boot.md
Last active January 1, 2018 00:56
Windows Kernel Debugging In VirtualBox - Skip Long Boot

This technique was tested on the following setup:

  • Ubuntu 17.10 Host
  • Windows 10 x64 Debugger VM
  • Windows 7 x86 Debuggee VM
  • VirtualBox 5.2.4
  • Debug interface is Serial COM1 via named pipe
nstarke / xen-connect-two-vms-via-virtual-serial-port.md
Created January 5, 2018 23:46
Xen - Connect two VMs via Virtual Serial Port

I have recently been working on debugging the Windows kernel.

For the version of Windows I am using (7 professional / 32-bit), the easiest way to debug the kernel is via serial port.

In VirtualBox this is easy, as VirtualBox provides robust serial port options that allow the user to specify a Unix socket to use as a virtual serial cable. If the Unix socket doesn't exist before the VM is booted, VirtualBox creates it on the filesystem when the server VM boots. The client VM can then connect to the Unix socket by specifying the same path in its VirtualBox serial port settings.

However, for my purposes it became necessary to use Xen as the hypervisor. I started by installing and configuring Xen on an Ubuntu server, then spinning up two Windows HVM guest VMs.