2019-12-07 14:22:10 -05:00
parent 3e5974b9b5
commit 413de9fb6d
8 changed files with 147 additions and 78 deletions

118
.idea/workspace.xml generated

@@ -12,8 +12,16 @@
</configurations> </configurations>
</component> </component>
<component name="ChangeListManager"> <component name="ChangeListManager">
<list default="true" id="b2f61e55-9467-486e-b84a-47b98c1101b5" name="Default Changelist" comment="" /> <list default="true" id="b2f61e55-9467-486e-b84a-47b98c1101b5" name="Default Changelist" comment="">
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" /> <change afterPath="$PROJECT_DIR$/conf.h" afterDir="false" />
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
<change beforePath="$PROJECT_DIR$/CMakeLists.txt" beforeDir="false" afterPath="$PROJECT_DIR$/CMakeLists.txt" afterDir="false" />
<change beforePath="$PROJECT_DIR$/exploit/commands.c" beforeDir="false" afterPath="$PROJECT_DIR$/exploit/commands.c" afterDir="false" />
<change beforePath="$PROJECT_DIR$/exploit/exploit.c" beforeDir="false" afterPath="$PROJECT_DIR$/exploit/exploit.c" afterDir="false" />
<change beforePath="$PROJECT_DIR$/exploit/libusb_helpers.c" beforeDir="false" afterPath="$PROJECT_DIR$/exploit/libusb_helpers.c" afterDir="false" />
<change beforePath="$PROJECT_DIR$/exploit/libusb_helpers.h" beforeDir="false" afterPath="$PROJECT_DIR$/exploit/libusb_helpers.h" afterDir="false" />
<change beforePath="$PROJECT_DIR$/main.c" beforeDir="false" afterPath="$PROJECT_DIR$/main.c" afterDir="false" />
</list>
<option name="SHOW_DIALOG" value="false" /> <option name="SHOW_DIALOG" value="false" />
<option name="HIGHLIGHT_CONFLICTS" value="true" /> <option name="HIGHLIGHT_CONFLICTS" value="true" />
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" /> <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
@@ -28,10 +36,15 @@
</component> </component>
<component name="OCFindUsagesOptions" text="true" ivars="false" properties="true" derivedClasses="false" /> <component name="OCFindUsagesOptions" text="true" ivars="false" properties="true" derivedClasses="false" />
<component name="OCResolveContextSettings"> <component name="OCResolveContextSettings">
<option name="configuration" value="0-libusb-1.0_custom" /> <option name="configuration" value="0-Debug-libusb_checkm8" />
</component> </component>
<component name="ProjectId" id="1ScgAvqtwFZJr4GXhAgilnvsGlR" /> <component name="ProjectId" id="1ScgAvqtwFZJr4GXhAgilnvsGlR" />
<component name="ProjectLevelVcsManager" settingsEditedManually="true" /> <component name="ProjectLevelVcsManager" settingsEditedManually="true" />
<component name="ProjectViewState">
<option name="hideEmptyMiddlePackages" value="true" />
<option name="showExcludedFiles" value="true" />
<option name="showLibraryContents" value="true" />
</component>
<component name="PropertiesComponent"> <component name="PropertiesComponent">
<property name="WebServerToolWindowFactoryState" value="false" /> <property name="WebServerToolWindowFactoryState" value="false" />
<property name="last_opened_file_path" value="$PROJECT_DIR$/launch_with_sudo.sh" /> <property name="last_opened_file_path" value="$PROJECT_DIR$/launch_with_sudo.sh" />
@@ -43,19 +56,7 @@
<recent name="$PROJECT_DIR$/exploit" /> <recent name="$PROJECT_DIR$/exploit" />
</key> </key>
</component> </component>
<component name="RunDashboard"> <component name="RunManager" selected="CMake Application.ipwndfu">
<option name="ruleStates">
<list>
<RuleState>
<option name="name" value="ConfigurationTypeDashboardGroupingRule" />
</RuleState>
<RuleState>
<option name="name" value="StatusDashboardGroupingRule" />
</RuleState>
</list>
</option>
</component>
<component name="RunManager" selected="CMake Application.libusb_checkm8">
<configuration name="ipwndfu_debug_sudo" type="CLion_Remote" toolchainName="Default" remoteCommand="localhost:2345" symbolFile="" sysroot=""> <configuration name="ipwndfu_debug_sudo" type="CLion_Remote" toolchainName="Default" remoteCommand="localhost:2345" symbolFile="" sysroot="">
<method v="2" /> <method v="2" />
</configuration> </configuration>
@@ -75,6 +76,18 @@
<item itemvalue="GDB Remote Debug.ipwndfu_debug_sudo" /> <item itemvalue="GDB Remote Debug.ipwndfu_debug_sudo" />
</list> </list>
</component> </component>
<component name="ServiceViewManager">
<option name="viewStates">
<list>
<serviceView>
<treeState>
<expand />
<select />
</treeState>
</serviceView>
</list>
</option>
</component>
<component name="Vcs.Log.Tabs.Properties"> <component name="Vcs.Log.Tabs.Properties">
<option name="TAB_STATES"> <option name="TAB_STATES">
<map> <map>
@@ -99,15 +112,70 @@
<MESSAGE value="Lotta changes" /> <MESSAGE value="Lotta changes" />
<option name="LAST_COMMIT_MESSAGE" value="Lotta changes" /> <option name="LAST_COMMIT_MESSAGE" value="Lotta changes" />
</component> </component>
<component name="WindowStateProjectService">
<state x="1378" y="377" key="#com.intellij.execution.impl.EditConfigurationsDialog" timestamp="1575247663503">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state x="1378" y="377" key="#com.intellij.execution.impl.EditConfigurationsDialog/0.0.2560.1440@0.0.2560.1440" timestamp="1575247663503" />
<state width="2514" height="659" key="GridCell.Tab.0.bottom" timestamp="1575746430598">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.0.bottom/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430598" />
<state width="1234" height="371" key="GridCell.Tab.0.bottom/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844020" />
<state width="2514" height="659" key="GridCell.Tab.0.center" timestamp="1575746430596">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.0.center/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430596" />
<state width="1234" height="371" key="GridCell.Tab.0.center/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844020" />
<state width="2514" height="659" key="GridCell.Tab.0.left" timestamp="1575746430595">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.0.left/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430595" />
<state width="1234" height="371" key="GridCell.Tab.0.left/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844019" />
<state width="2514" height="659" key="GridCell.Tab.0.right" timestamp="1575746430597">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.0.right/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430597" />
<state width="1234" height="371" key="GridCell.Tab.0.right/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844020" />
<state width="2514" height="659" key="GridCell.Tab.1.bottom" timestamp="1575746430602">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.1.bottom/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430602" />
<state width="1234" height="371" key="GridCell.Tab.1.bottom/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844393" />
<state width="2514" height="659" key="GridCell.Tab.1.center" timestamp="1575746430600">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.1.center/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430600" />
<state width="1234" height="371" key="GridCell.Tab.1.center/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844393" />
<state width="2514" height="659" key="GridCell.Tab.1.left" timestamp="1575746430599">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.1.left/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430599" />
<state width="1234" height="371" key="GridCell.Tab.1.left/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844392" />
<state width="2514" height="659" key="GridCell.Tab.1.right" timestamp="1575746430601">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="2514" height="659" key="GridCell.Tab.1.right/0.0.2560.1440@0.0.2560.1440" timestamp="1575746430601" />
<state width="1234" height="371" key="GridCell.Tab.1.right/0.0.3840.1440@0.0.3840.1440" timestamp="1575251844393" />
<state x="1801" y="457" key="com.intellij.tools.ToolSelectDialog.dimensionServiceKey" timestamp="1575247658369">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state x="1801" y="457" key="com.intellij.tools.ToolSelectDialog.dimensionServiceKey/0.0.2560.1440@0.0.2560.1440" timestamp="1575247658369" />
<state width="1666" height="818" key="javadoc.popup.new" timestamp="1575242155779">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state width="1666" height="818" key="javadoc.popup.new/0.0.2560.1440@0.0.2560.1440" timestamp="1575242155779" />
<state x="442" y="356" width="672" height="678" key="search.everywhere.popup" timestamp="1575744763657">
<screen x="0" y="0" width="2560" height="1440" />
</state>
<state x="442" y="356" width="672" height="678" key="search.everywhere.popup/0.0.2560.1440@0.0.2560.1440" timestamp="1575744763657" />
<state x="2863" y="327" width="672" height="678" key="search.everywhere.popup/0.0.3840.1440@0.0.3840.1440" timestamp="1575249469831" />
</component>
<component name="XDebuggerManager"> <component name="XDebuggerManager">
<breakpoint-manager> <watches-manager>
<breakpoints> <configuration name="CLion_Remote">
<line-breakpoint enabled="true" type="com.jetbrains.cidr.execution.debugger.OCBreakpointType"> <watch expression="target" language="ObjectiveC" />
<url>file://$PROJECT_DIR$/main.c</url> </configuration>
<line>19</line> </watches-manager>
<option name="timeStamp" value="5" />
</line-breakpoint>
</breakpoints>
</breakpoint-manager>
</component> </component>
</project> </project>


@@ -4,12 +4,12 @@ project(ipwndfu_rewrite_c)
set(CMAKE_C_STANDARD 99) set(CMAKE_C_STANDARD 99)
set(CMAKE_C_FLAGS -g) set(CMAKE_C_FLAGS -g)
add_executable(ipwndfu main.c add_executable(ipwndfu main.c conf.h
exploit/libusb_helpers.c exploit/libusb_helpers.h exploit/libusb_helpers.c exploit/libusb_helpers.h
exploit/exploit.c exploit/checkm8.h exploit/commands.c) exploit/exploit.c exploit/checkm8.h exploit/commands.c)
add_library(libusb_checkm8 add_library(libusb_checkm8
libusb/config.h conf.h libusb/config.h
libusb/libusb/core.c libusb/libusb/descriptor.c libusb/libusb/hotplug.c libusb/libusb/core.c libusb/libusb/descriptor.c libusb/libusb/hotplug.c
libusb/libusb/io.c libusb/libusb/strerror.c libusb/libusb/sync.c libusb/libusb/io.c libusb/libusb/strerror.c libusb/libusb/sync.c
@@ -19,4 +19,4 @@ add_library(libusb_checkm8
libusb/libusb/os/threads_posix.c libusb/libusb/os/poll_posix.c libusb/libusb/os/threads_posix.c libusb/libusb/os/poll_posix.c
libusb/libusb/os/linux_usbfs.h libusb/libusb/os/threads_posix.h libusb/libusb/os/poll_posix.h) libusb/libusb/os/linux_usbfs.h libusb/libusb/os/threads_posix.h libusb/libusb/os/poll_posix.h)
target_link_libraries(ipwndfu usb-1.0 libusb_checkm8) target_link_libraries(ipwndfu libusb_checkm8 pthread udev)
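Review bot: `pthread` and `udev` are added to the `ipwndfu` link line, but they look like requirements of the vendored `libusb_checkm8` sources (threads_posix.c, linux_usbfs.h) rather than of the executable. Declaring them on the library, `target_link_libraries(libusb_checkm8 PUBLIC pthread udev)`, lets `ipwndfu` inherit them and keeps any other consumer of the library linking correctly. For the thread library, `find_package(Threads REQUIRED)` with `Threads::Threads` is the portable spelling. The `add_library` source list continues between the two hunks and is not fully visible here.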

6
conf.h Normal file

@@ -0,0 +1,6 @@
#ifndef IPWNDFU_REWRITE_C_CONF_H
#define IPWNDFU_REWRITE_C_CONF_H
//#define LIBUSB_LOGGING
#endif //IPWNDFU_REWRITE_C_CONF_H


@@ -1,4 +1,5 @@
#include <string.h> #include <string.h>
#include <stdio.h>
#include "libusb_helpers.h" #include "libusb_helpers.h"
#include "checkm8.h" #include "checkm8.h"
@@ -40,11 +41,12 @@ int command(unsigned char *request_data, int request_len, unsigned char *respons
int execute(unsigned long *args, int nargs, unsigned char *response_buf, int response_len) int execute(unsigned long *args, int nargs, unsigned char *response_buf, int response_len)
{ {
unsigned long cmd_buf[nargs + 1]; unsigned char cmd_buf[8 * (nargs + 1)];
cmd_buf[0] = EXEC_MAGIC; unsigned long exec = EXEC_MAGIC;
memcpy(&cmd_buf[1], args, 8 * nargs);
return command((unsigned char *) cmd_buf, 8 * (nargs + 1), response_buf, response_len); memcpy(cmd_buf, &exec, 8);
memcpy(&cmd_buf[8], args, 8 * nargs);
return command(cmd_buf, 8 * (nargs + 1), response_buf, response_len);
} }
@@ -65,5 +67,9 @@ int aes(unsigned char *source, unsigned char *target, int encrypt, int key)
int ret = execute(args, 10, response, 32); int ret = execute(args, 10, response, 32);
memcpy(target, &response[16], 16); memcpy(target, &response[16], 16);
for(int i = 0; i < 16; i++)
{
printf("%02x", target[i]);
}
return ret; return ret;
} }
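Review bot: In execute(), `memcpy(cmd_buf, &exec, 8)` copies eight bytes out of an `unsigned long`, which is only four bytes wide on 32-bit and LLP64 targets, so the copy reads past `exec` there; the same fixed 8 is applied to the caller's `args` array. Declaring the magic as `uint64_t exec = EXEC_MAGIC;` (with `<stdint.h>`) and copying `sizeof exec` keeps the wire format and removes the width assumption. `cmd_buf` is also a variable-length array sized from `nargs` with no bound, so a guard such as `if(nargs < 0 || nargs > MAX_EXEC_ARGS) return -1;` belongs before the declaration, where `MAX_EXEC_ARGS` is a placeholder for a limit the project would choose. In the aes() hunk the new print loop writes the cipher output to stdout whatever `ret` is; it should probably be conditional on `ret` and compiled in only for debug builds.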


@@ -5,34 +5,14 @@
#include "checkm8.h" #include "checkm8.h"
#include "libusb_helpers.h" #include "libusb_helpers.h"
int complete_stage(int stage_function(struct libusb_device_bundle *bundle)) int complete_stage(struct libusb_device_bundle *bundle, int stage_function(struct libusb_device_bundle *bundle))
{ {
int ret; libusb_open(bundle->device, &bundle->handle);
libusb_set_auto_detach_kernel_driver(bundle->handle, 1);
libusb_context *usb_ctx = NULL; int ret = stage_function(bundle);
struct libusb_device_bundle usb_bundle; libusb_close(bundle->handle);
libusb_init(&usb_ctx);
get_test_device(usb_ctx, &usb_bundle);
if(usb_bundle.handle == NULL)
{
libusb_exit(usb_ctx);
printf("Could not find device\n");
return 1;
}
ret = libusb_set_auto_detach_kernel_driver(usb_bundle.handle, 1);
if(ret > 0)
{
printf("%s\n", libusb_error_name(ret));
return ret;
}
ret = stage_function(&usb_bundle);
libusb_close(usb_bundle.handle);
libusb_exit(usb_ctx);
return ret; return ret;
} }
@@ -115,22 +95,30 @@ int check_function(struct libusb_device_bundle *bundle)
int exploit_device() int exploit_device()
{ {
int ret = complete_stage(stage1_function); libusb_context *usb_ctx = NULL;
struct libusb_device_bundle usb_bundle;
libusb_init(&usb_ctx);
get_test_device(usb_ctx, &usb_bundle);
int ret = complete_stage(&usb_bundle, stage1_function);
if(ret == 0) if(ret == 0)
{ {
ret = complete_stage(stage2_function); ret = complete_stage(&usb_bundle, stage2_function);
usleep(500000); usleep(500000);
} }
if(ret == 0) if(ret == 0)
{ {
ret = complete_stage(stage3_function); ret = complete_stage(&usb_bundle, stage3_function);
usleep(500000); usleep(500000);
} }
if(ret == 0) if(ret == 0)
{ {
ret = complete_stage(check_function); ret = complete_stage(&usb_bundle, check_function);
} }
libusb_exit(usb_ctx);
return ret; return ret;
} }
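Review bot: complete_stage() now ignores the result of `libusb_open()`, so when the open fails `bundle->handle` is handed to `stage_function` without ever having been set by this call; the removed version at least stopped with "Could not find device". exploit_device() likewise runs the first stage without checking that `libusb_init()` succeeded or that `get_test_device()` found a device. The rewrite below returns the libusb error code from the open and clears the handle after closing it. exploit_device() needs a matching check before the first stage, which depends on how get_test_device() signals "not found"; its body is only partly visible on this page.

```c
int complete_stage(struct libusb_device_bundle *bundle, int stage_function(struct libusb_device_bundle *bundle))
{
    int ret = libusb_open(bundle->device, &bundle->handle);
    if(ret != 0)
    {
        /* Do not run the stage on a handle that was never opened. */
        printf("%s\n", libusb_error_name(ret));
        return ret;
    }

    libusb_set_auto_detach_kernel_driver(bundle->handle, 1);
    ret = stage_function(bundle);

    libusb_close(bundle->handle);
    bundle->handle = NULL; /* the next stage reopens; never reuse a closed handle */
    return ret;
}
```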


@@ -1,4 +1,5 @@
#include "libusb_helpers.h" #include "libusb_helpers.h"
#include "../libusb/libusb/libusb.h"
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
@@ -22,16 +23,25 @@ void get_test_device(libusb_context *usb_ctx, struct libusb_device_bundle *bundl
if(usb_desc.idVendor == 0x05AC && usb_desc.idProduct == 0x1227) if(usb_desc.idVendor == 0x05AC && usb_desc.idProduct == 0x1227)
{ {
libusb_open(usb_device, &usb_handle);
break; break;
} }
} }
libusb_free_device_list(usb_device_list, usb_dev_count); libusb_free_device_list(usb_device_list, usb_dev_count);
bundle->ctx = usb_ctx;
bundle->device = usb_device;
bundle->handle = usb_handle; bundle->handle = usb_handle;
bundle->descriptor = usb_desc; bundle->descriptor = usb_desc;
} }
void LIBUSB_CALL async_ctrl_transfer_cb(struct libusb_transfer *transfer)
{
printf("transfer status: %s (%i / %i)\n",
libusb_error_name(transfer->status),
transfer->actual_length,
transfer->length);
}
void libusb1_async_ctrl_transfer(libusb_device_handle *handle, void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
unsigned char bmRequestType, unsigned char bRequest, unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex, unsigned short wValue, unsigned short wIndex,
@@ -47,7 +57,7 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0); struct libusb_transfer *usb_transfer = libusb_alloc_transfer(0);
libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len); libusb_fill_control_setup(usb_transfer_buf, bmRequestType, bRequest, wValue, wIndex, data_len);
memcpy(&usb_transfer_buf[8], data, data_len); memcpy(&usb_transfer_buf[8], data, data_len);
libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, NULL, NULL, 1); libusb_fill_control_transfer(usb_transfer, handle, usb_transfer_buf, async_ctrl_transfer_cb, NULL, 1);
ret = libusb_submit_transfer(usb_transfer); ret = libusb_submit_transfer(usb_transfer);
if(ret != 0) if(ret != 0)
@@ -70,6 +80,8 @@ void libusb1_async_ctrl_transfer(libusb_device_handle *handle,
} }
return; return;
} }
printf("%i / %i\n", usb_transfer->actual_length, usb_transfer->length);
} }
} }
@@ -94,10 +106,7 @@ void libusb1_no_error_ctrl_transfer(libusb_device_handle *handle,
} }
ret = libusb_control_transfer(handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout); ret = libusb_control_transfer(handle, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
if(ret > 0) printf("%s\n", libusb_error_name(ret));
{
printf("%s\n", libusb_error_name(ret));
}
} }
void stall(libusb_device_handle *handle) void stall(libusb_device_handle *handle)
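Review bot: With `libusb_open()` removed from the match branch of get_test_device(), nothing holds a reference on the matched device when `libusb_free_device_list(usb_device_list, usb_dev_count)` runs. The second argument is the unref flag, so any non-zero count drops the list's references and `bundle->device` can point at a freed device by the time complete_stage() opens it. Take a reference on a match with `libusb_ref_device(usb_device);` before the `break;`, and release it with `libusb_unref_device()` after the last stage. `bundle->device` is also assigned unconditionally after the loop, so when nothing matches it presumably holds the last enumerated device rather than NULL; the loop head and declarations are outside the hunk, so that needs confirming.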


@@ -1,10 +1,12 @@
#ifndef IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H #ifndef IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
#define IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H #define IPWNDFU_REWRITE_C_LIBUSB_HELPERS_H
#include <libusb-1.0/libusb.h> #include "libusb-1.0/libusb.h"
struct libusb_device_bundle struct libusb_device_bundle
{ {
struct libusb_context *ctx;
struct libusb_device *device;
struct libusb_device_handle *handle; struct libusb_device_handle *handle;
struct libusb_device_descriptor descriptor; struct libusb_device_descriptor descriptor;
}; };
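Review bot: The header now includes `"libusb-1.0/libusb.h"` while libusb_helpers.c in the same commit includes `"../libusb/libusb/libusb.h"`, and CMakeLists.txt stops linking the system `usb-1.0`. Unless an include directory maps `libusb-1.0/` onto the vendored tree (not visible on this page), the quoted form falls back to the system header search, so declarations could come from one libusb version while the binary links another. Pointing both files at the same header, for example `#include "../libusb/libusb/libusb.h"` here, removes the ambiguity.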

10
main.c

@@ -9,15 +9,5 @@ int main()
printf("Failed to exploit device\n"); printf("Failed to exploit device\n");
return status; return status;
} }
else
{
unsigned char aes_in[16] = {0xDE, 0xAD, 0xBE, 0xEF,
0xDE, 0xAD, 0xBE, 0xEF,
0xDE, 0xAD, 0xBE, 0xEF,
0xDE, 0xAD, 0xBE, 0xEF};
unsigned char aes_out[16];
aes(aes_in, aes_out, AES_ENCRYPT, AES_UID_KEY);
printf("%s\n", aes_out);
}
} }