Nicholas Starke nstarke
@nstarke
nstarke / 0000-cve-2020-8597.md
Last active November 1, 2023 04:48
CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs:

@nstarke
nstarke / building-and-running-ovmf-in-qemu.md
Created February 25, 2020 23:14
Building and Running OVMF in Qemu

I built EDK2 and OVMF from source using the instructions here: https://github.com/tianocore/tianocore.github.io/wiki/How-to-run-OVMF

The instructions are helpful in getting the build tooling configured to build edk2, but I consistently ran into a problem when I built the DEBUG version of OVMF. I would run:

$ qemu-system-x86_64 -bios ../edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd
@nstarke
nstarke / ecusim-2000.md
Created February 23, 2020 04:20
Car hacking with ScanTool ECUSim 2000

An upcoming project has me looking at car hacking at the moment. I watched a great video ( https://www.youtube.com/watch?v=nvxN5G21aBQ ) which caught me up to speed on the fundamentals. There are a few other videos out there on introductory car hacking, but they all seem to revolve around the virtual CAN interface provided by vcan. I decided I didn't want to test virtually because then I wouldn't know how to work with the actual connection hardware. At the same time, being a beginner, I DID NOT want to plug into my personal vehicle's OBD2 port.

I was looking for something between vcan and a real car. A little googling led me to the ScanTools ECUSim 2000: https://www.amazon.com/OBDLink-ScanTool-ECUsim-Simulator-Development/dp/B008NAH6WE

This board simulates a car. It has an OBD2 port for interfacing just like one would do with a

@nstarke
nstarke / netgear-private-key-disclosure.md
Last active October 8, 2025 20:07
Netgear TLS Private Key Disclosure through Device Firmware Images

Netgear Signed TLS Cert Private Key Disclosure

Overview

There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.

These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.

The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.

@nstarke
nstarke / 0000-thecus-firmware-decrypt.sh
Last active June 12, 2024 22:47
Thecus Firmware Decrypt Bash Script
#!/bin/bash
#
# This script takes a Thecus Firmware Image and decrypts it.
# The encryption key is based off of one of the supported
# models, which are listed in the firmware filename. This
# script will try all of the model names in the file name
# and delete any that do not decrypt to a gzip file.
#
# You will need the following c program compiled and passed
@nstarke
nstarke / mac-address-table-filler.py
Last active January 16, 2020 15:34
Mac Address Table Filler
#!/usr/bin/env python
#
# This script is meant to assist in filling up a MAC address table on a switch.
# This script requires scapy to be installed, and most likely will need to be
# run as root. That means scapy will have to be installed for the root user
# in order for this script to work.
#
# Arguments:
# * Interface to send ARP packet on
@nstarke
nstarke / resize-ghidra-gui.md
Last active September 9, 2025 15:58
Resize Ghidra GUI for High DPI screens

Resize Ghidra for High DPI screens

If you run Ghidra on a high DPI screen, you will probably find the GUI scaled so small as to be almost of no use.

There is a setting that you can adjust to scale the Ghidra GUI:

In $GHIDRA_ROOT/support there is a file named launch.properties. In this launch.properties file is the following configuration key:

VMARGS_LINUX=-Dsun.java2d.uiScale=1
@nstarke
nstarke / rsync-auth.py
Last active November 28, 2019 01:44
Rsync Protocol Authentication flow in Python
#!/usr/bin/env python
from Crypto.Hash import MD4
import socket
import base64
import os
import random
import time
import sys
@nstarke
nstarke / FindHTMLDocuments.java
Last active November 20, 2019 20:32
Ghidra Plugin for Finding Embedded HTML Documents and Fragments
// Search for HTML Documents / Fragments embedded in a binary and create a bookmark
// @author Nicholas Starke
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.mem.Memory;
import ghidra.program.model.mem.MemoryAccessException;
import ghidra.program.model.mem.MemoryBlock;
import java.nio.charset.StandardCharsets;
@nstarke
nstarke / papi.py
Created September 24, 2019 14:39 — forked from eriknl/papi.py
Reverse engineered partial Aruba PAPI implementation
import hashlib
from struct import *
"""
This implementation was reverse engineered using Wireshark (and source code), strace and two excellent articles:
- https://x-c3ll.github.io/posts/CVE-2018-7081-RCE-ArubaOS/
- https://packetstormsecurity.com/files/136997/Aruba-Authentication-Bypass-Insecure-Transport-Tons-Of-Issues.html
"""
def papi_encrypt(data):