smap guessing does not work: min Rss size is 8k #6

Open
mschaefers opened this issue Mar 9, 2020 · 1 comment

@mschaefers

When I run your exploit on my old Xiongmai cam, it cannot guess the correct stack section base, because all my 8188 byte long entries have an Rss size of at least 8k:

Any idea on how to adapt the guessing algorithm to this model? (more model info below)

```
[+] getting pidlist: found 41 processes
[+] searching for PID of '/usr/bin/Sofia': 812
[→] getting stack section base
(0, '0x622000', ((1996, 984, 984, 0, 0, 0, 984),))
(1, '0x818000', ((4, 4, 4, 0, 0, 0, 4),))
(2, '0x24a3000', ((5808, 5292, 5292, 0, 0, 0, 5292),))
(3, '0x4007f000', ((4, 4, 4, 0, 0, 0, 4),))
(4, '0x40080000', ((4, 4, 4, 0, 0, 0, 4),))
(5, '0x400c6000', ((4, 4, 4, 0, 0, 0, 4),))
(6, '0x400de000', ((4, 4, 4, 0, 0, 0, 4),))
(7, '0x40113000', ((4, 4, 4, 0, 0, 0, 4),))
(8, '0x40114000', ((8, 4, 4, 0, 0, 0, 4),))
(9, '0x4014d000', ((4, 4, 4, 0, 0, 0, 4),))
(10, '0x4014e000', ((40, 8, 8, 0, 0, 0, 8),))
(11, '0x4016a000', ((4, 4, 4, 0, 0, 0, 4),))
(12, '0x40247000', ((8, 8, 8, 0, 0, 0, 8),))
(13, '0x40249000', ((24, 12, 12, 0, 0, 0, 12),))
(14, '0x40266000', ((4, 4, 4, 0, 0, 0, 4),))
(15, '0x40279000', ((4, 4, 4, 0, 0, 0, 4),))
(16, '0x4030d000', ((8, 8, 8, 0, 0, 0, 8),))
(17, '0x4030f000', ((280, 280, 280, 0, 0, 0, 280),))
(18, '0x40356000', ((8188, 8, 8, 0, 0, 0, 8),))
(19, '0x40b92000', ((8188, 16, 16, 0, 0, 0, 16),))
(20, '0x413ae000', ((8188, 8, 8, 0, 0, 0, 8),))
(21, '0x41beb000', ((516, 516, 516, 0, 0, 0, 516),))
(22, '0x41c93000', ((8188, 12, 12, 0, 0, 0, 12),))
(23, '0x4249b000', ((10760, 3496, 3496, 0, 0, 0, 3496),))
(24, '0x42f65000', ((8188, 8, 8, 0, 0, 0, 8),))
(25, '0x437aa000', ((260, 4, 4, 0, 0, 0, 4),))
(26, '0x43839000', ((8188, 8, 8, 0, 0, 0, 8),))
(27, '0x4404c000', ((8188, 8, 8, 0, 0, 0, 8),))
(28, '0x4487d000', ((8704, 524, 524, 0, 0, 0, 524),))
(29, '0x45101000', ((8188, 20, 20, 0, 0, 0, 20),))
(30, '0x45943000', ((316, 56, 56, 0, 0, 0, 56),))
(31, '0x45a1c000', ((8188, 16, 16, 0, 0, 0, 16),))
(32, '0x4624c000', ((1000, 520, 520, 0, 0, 0, 520),))
(33, '0x465b6000', ((8188, 8, 8, 0, 0, 0, 8),))
(34, '0x46e56000', ((8188, 8, 8, 0, 0, 0, 8),))
(35, '0x47656000', ((8188, 8, 8, 0, 0, 0, 8),))
(36, '0x47e67000', ((8188, 8, 8, 0, 0, 0, 8),))
(37, '0x486bc000', ((8188, 12, 12, 0, 0, 0, 12),))
(38, '0x48ebc000', ((8188, 8, 8, 0, 0, 0, 8),))
(39, '0x497b4000', ((8860, 52, 52, 0, 0, 0, 52),))
(40, '0x4a06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(41, '0x4a86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(42, '0x4b06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(43, '0x4b86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(44, '0x4c0eb000', ((12288, 4108, 4108, 0, 0, 0, 4108),))
(45, '0x4ccec000', ((8188, 12, 12, 0, 0, 0, 12),))
(46, '0x4d520000', ((8188, 12, 12, 0, 0, 0, 12),))
(47, '0x4dd20000', ((8188, 8, 8, 0, 0, 0, 8),))
(48, '0x4e520000', ((8188, 8, 8, 0, 0, 0, 8),))
(49, '0x4ed25000', ((8188, 8, 8, 0, 0, 0, 8),))
(50, '0x4f525000', ((8188, 8, 8, 0, 0, 0, 8),))
(51, '0x4fd25000', ((8188, 8, 8, 0, 0, 0, 8),))
(52, '0x50525000', ((8188, 8, 8, 0, 0, 0, 8),))
(53, '0x50d25000', ((8188, 8, 8, 0, 0, 0, 8),))
(54, '0x515e3000', ((8188, 8, 8, 0, 0, 0, 8),))
(55, '0x51e89000', ((8188, 8, 8, 0, 0, 0, 8),))
(56, '0x52720000', ((8188, 8, 8, 0, 0, 0, 8),))
(57, '0x52f86000', ((8188, 8, 8, 0, 0, 0, 8),))
(58, '0x53786000', ((8188, 12, 12, 0, 0, 0, 12),))
(59, '0x54003000', ((8188, 16, 16, 0, 0, 0, 16),))
(60, '0x54868000', ((8188, 8, 8, 0, 0, 0, 8),))
(61, '0x550d4000', ((8188, 16, 16, 0, 0, 0, 16),))
(62, '0x558d4000', ((9196, 48, 48, 0, 0, 0, 48),))
(63, '0x56295000', ((8188, 12, 12, 0, 0, 0, 12),))
(64, '0x56acf000', ((8188, 8, 8, 0, 0, 0, 8),))
(65, '0x572cf000', ((8188, 32, 32, 0, 0, 0, 32),))
(66, '0x57b4a000', ((8188, 8, 8, 0, 0, 0, 8),))
(67, '0x5834a000', ((8188, 8, 8, 0, 0, 0, 8),))
(68, '0x58b9e000', ((8188, 8, 8, 0, 0, 0, 8),))
(69, '0x5940b000', ((8188, 8, 8, 0, 0, 0, 8),))
(70, '0x59c94000', ((8188, 8, 8, 0, 0, 0, 8),))
(71, '0x5a55e000', ((8188, 8, 8, 0, 0, 0, 8),))
(72, '0x5ad5e000', ((8188, 8, 8, 0, 0, 0, 8),))
(73, '0x5b5db000', ((8188, 8, 8, 0, 0, 0, 8),))
(74, '0x5be1a000', ((8188, 8, 8, 0, 0, 0, 8),))
(75, '0x5c6c4000', ((8188, 8, 8, 0, 0, 0, 8),))
(76, '0x5cf1e000', ((8188, 8, 8, 0, 0, 0, 8),))
(77, '0x5d71e000', ((8188, 8, 8, 0, 0, 0, 8),))
(78, '0x5df1e000', ((8188, 12, 12, 0, 0, 0, 12),))
(79, '0x5e71e000', ((8188, 12, 12, 0, 0, 0, 12),))
(80, '0xbed2c000', ((140, 136, 136, 0, 0, 0, 136),))
enter stack region id (guessed value = -1): 
```

More model info:

```
cat /proc/cpuinfo
Processor	: ARM926EJ-S rev 5 (v5l)
BogoMIPS	: 218.72
Features	: swp half thumb fastmult edsp java 
CPU implementer	: 0x41
CPU architecture: 5TEJ
CPU variant	: 0x0
CPU part	: 0x926
CPU revision	: 5

Hardware	: hi3518
Revision	: 0000
Serial		: 0000000000000000
```

Hardware is detected as 50H10L
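To make the dump above readable, here is an added parser (not code from this issue or from the pwn-hisilicon-dvr tool) that turns `/proc/<pid>/smaps` text into the same `(index, base, (counters,))` rows the tool prints, labels each mapping from the pathname column of its header line, and cross-checks the reported `Size` against the address range. The smaps excerpt is constructed, not captured from the camera; it mirrors rows 18 and 80 of the dump. Two things are assumptions inferred from the dump rather than stated on the page: the counter order `(Size, Rss, Pss, Shared_Clean, Shared_Dirty, Private_Clean, Private_Dirty)`, which fits because every anonymous private mapping shows `Private_Dirty == Rss`, and that all values are in kB, which is how the kernel reports smaps counters. Read that way, the many 8188 kB anonymous regions with 8-16 kB resident are the size of an 8 MiB thread stack less a 4 KiB guard page, and row 80 (`[stack]`, 140 kB) is the main-thread stack.

```python
import re
from typing import Dict, List, Tuple

# Column order of the tuples the tool prints (assumption inferred from the
# dump: Private_Dirty == Rss on every anonymous private mapping, which matches
# the smaps field order Size, Rss, Pss, Shared_*, Private_*).
FIELDS = ("Size", "Rss", "Pss", "Shared_Clean", "Shared_Dirty",
          "Private_Clean", "Private_Dirty")

# smaps mapping header: start-end perms offset dev inode [pathname]
HEADER_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Constructed smaps excerpt (not captured from the camera). The two entries
# mirror rows 18 and 80 of the dump: an anonymous 8188 kB region and the
# main-thread [stack] mapping. smaps reports every counter in kB.
SAMPLE_SMAPS = """\
40356000-40b55000 rw-p 00000000 00:00 0
Size:               8188 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         8 kB
Referenced:            8 kB
Anonymous:             8 kB
Swap:                  0 kB
bed2c000-bed4f000 rw-p 00000000 00:00 0          [stack]
Size:                140 kB
Rss:                 136 kB
Pss:                 136 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:       136 kB
Referenced:          136 kB
Anonymous:           136 kB
Swap:                  0 kB
"""


def parse_smaps(text: str) -> List[Dict]:
    """Split smaps text into one dict per mapping with its kB counters."""
    mappings: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "start": int(m.group(1), 16),
                "end": int(m.group(2), 16),
                "perms": m.group(3),
                "name": m.group(4).strip(),
                "kb": {},
            }
            mappings.append(current)
            continue
        if current is None:
            continue
        key, sep, rest = line.partition(":")
        if sep and key in FIELDS:
            current["kb"][key] = int(rest.split()[0])  # "8188 kB" -> 8188
    return mappings


def as_tuple(mapping: Dict) -> Tuple[int, ...]:
    """Counters in the order the tool prints them; absent fields read as 0."""
    return tuple(mapping["kb"].get(f, 0) for f in FIELDS)


def kind(mapping: Dict) -> str:
    """Coarse label taken from the pathname column of the header line."""
    name = mapping["name"]
    if name == "[stack]":
        return "main-thread stack"
    if name == "[heap]":
        return "heap"
    if name.startswith("/"):
        return "file-backed"
    return "anonymous"


def format_rows(mappings: List[Dict]) -> List[Tuple]:
    """Reproduce the (index, base, (counters,)) rows the tool prints."""
    return [(i, hex(mp["start"]), (as_tuple(mp),))
            for i, mp in enumerate(mappings)]


def sanity_check(mapping: Dict) -> bool:
    """Size must equal the address-range length and Rss must not exceed it."""
    size_kb = (mapping["end"] - mapping["start"]) // 1024
    kb = mapping["kb"]
    return kb.get("Size") == size_kb and kb.get("Rss", 0) <= size_kb


if __name__ == "__main__":
    maps = parse_smaps(SAMPLE_SMAPS)
    for mp, row in zip(maps, format_rows(maps)):
        print(row, kind(mp), "ok" if sanity_check(mp) else "INCONSISTENT")
```

On a real device, feed it `open("/proc/812/smaps").read()` in place of `SAMPLE_SMAPS`; the `sanity_check` flags a parser misread (a header line that swallowed the wrong field) before any numbers are trusted.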

@tothi (Owner) commented Mar 26, 2020

First I would test the vulnerability itself and would try to exploit it without ASLR. You can do it by telnetting to the device and attaching gdb to Sofia. If it works, you can identify the memory region, and you can try to implement the magical guess. Look for the remote gdb section here if you need hints: https://github.com/tothi/pwn-hisilicon-dvr#remote-gdb
