Payloads are now linked into the final remote executable... much cleaner but still needs some work

2020-01-12 13:03:52 -05:00
parent 4727861d37
commit 660ae546f8
27 changed files with 133 additions and 90 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -6,4 +6,4 @@ include_directories(include)

 #add_subdirectory(c8_arduino)
 add_subdirectory(c8_remote)
-add_subdirectory(c8_payloads)
+add_subdirectory(c8_libpayload)
--- a/c8_libpayload/CMakeLists.txt
+++ b/c8_libpayload/CMakeLists.txt
@@ -0,0 +1,32 @@
+project(checkm8_libpayload)
+
+set(PL_NAMES_SHORT
+        aes
+        aes_busy
+        aes_sw
+        sync
+        sysreg
+        task_sleep_test)
+
+foreach(NAME ${PL_NAMES_SHORT})
+    list(APPEND PL_TARGETS "payload_${NAME}")
+    list(APPEND PL_SRC_SHORT  "${CMAKE_CURRENT_LIST_DIR}/pl/src/${NAME}.c")
+endforeach(NAME)
+
+foreach(NAME ${PL_TARGETS})
+    list(APPEND PL_SRC_LONG "${CMAKE_CURRENT_BINARY_DIR}/lib/${NAME}.c")
+endforeach(NAME)
+
+add_subdirectory(pl)
+
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/lib)
+add_custom_target(libpayload_sources        # TODO: somehow only pass names that need to be udpated?
+                    DEPENDS ${PL_TARGETS}
+                    BYPRODUCTS ${PL_SRC_LONG}
+                    COMMENT "running librarizer"
+                    COMMAND python3 ${CMAKE_CURRENT_LIST_DIR}/scripts/librarize.py
+                                    ${CMAKE_CURRENT_BINARY_DIR}/pl/bin
+                                    ${CMAKE_CURRENT_BINARY_DIR}/lib)
+
+add_library(payload ${PL_SRC_LONG})
+add_dependencies(payload libpayload_sources)
--- a/c8_libpayload/pl/CMakeLists.txt
+++ b/c8_libpayload/pl/CMakeLists.txt
@@ -0,0 +1,23 @@
+project(checkm8_libpayload_sources C ASM)
+include_directories(include)
+
+set(CMAKE_SYSTEM_PROCESSOR arm)
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(CMAKE_C_COMPILER   /usr/bin/aarch64-linux-gnu-gcc)
+    set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
+    set(CMAKE_OBJCOPY      /usr/bin/aarch64-linux-gnu-objcopy)
+endif()
+
+set(CMAKE_C_FLAGS "-nostdlib -O")
+
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
+foreach(PL ${PL_NAMES_SHORT})
+    add_executable(payload_${PL} src/${PL}.c)
+    add_custom_command(TARGET payload_${PL} POST_BUILD
+                        BYPRODUCTS ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${PL}.bin
+                        COMMENT "objcopying ${PL}"
+                        COMMAND ${CMAKE_OBJCOPY}
+                        ARGS -O binary -j .text -j .payload_text -j .payload_data
+                            ${CMAKE_CURRENT_BINARY_DIR}/payload_${PL}
+                            ${CMAKE_CURRENT_BINARY_DIR}/bin/payload_${PL}.bin)
+endforeach(PL)
--- a/c8_libpayload/pl/include/brfunc_aes.h
+++ b/c8_libpayload/pl/include/brfunc_aes.h
--- a/c8_libpayload/pl/include/brfunc_common.h
+++ b/c8_libpayload/pl/include/brfunc_common.h
--- a/c8_libpayload/pl/include/brfunc_sep.h
+++ b/c8_libpayload/pl/include/brfunc_sep.h
--- a/c8_libpayload/pl/include/brfunc_timing.h
+++ b/c8_libpayload/pl/include/brfunc_timing.h
--- a/c8_libpayload/pl/include/util.h
+++ b/c8_libpayload/pl/include/util.h
--- a/c8_libpayload/pl/src/aes.c
+++ b/c8_libpayload/pl/src/aes.c
@@ -18,7 +18,7 @@ int aes_hw_crypto_command(unsigned int cmd,
    long start = 0, timeout = 0;

    __asm__("orr %0, xzr, #0x3c" : "=r" (cgvar));
-    CLOCK_GATE(cgvar, 1);
+    CLOCK_GATE(cgvar, 0);

 //    seeded = DPA_SEEDED();
 //    if(!(seeded & 1))
--- a/c8_libpayload/pl/src/aes_busy.c
+++ b/c8_libpayload/pl/src/aes_busy.c
@@ -13,12 +13,12 @@ int _start(void *src, void *dst, void *key, int rep)
        src_data[j] = ((unsigned char *) src)[j];
    }

-    task_sleep(100);
+//    task_sleep(100);
    for(i = 0; i < rep; i++)
    {
        if(i % 2 == 0) aes_hw_crypto_cmd(16, src_data, dst, 16, 0, key, 0);
        else aes_hw_crypto_cmd(16, dst, src_data, 16, 0, key, 0);
-        task_sleep(15);
+ //       task_sleep(15);
    }

    return 0;
--- a/c8_libpayload/pl/src/aes_sw.c
+++ b/c8_libpayload/pl/src/aes_sw.c
@@ -154,11 +154,9 @@ unsigned int _start(unsigned char *msg, unsigned int msg_len, unsigned char *key
                    unsigned char mul2[256], unsigned char mul3[256])
 {
    unsigned long long start, end;
-    unsigned char msg_copy[16];
-    for(int i = 0; i < 16; i++) msg_copy[i] = msg[i];

    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (start));
-    aes128_encrypt_ecb(msg_copy, msg_len, key, sbox, rc_lookup, mul2, mul3);
+    aes128_encrypt_ecb(msg, msg_len, key, sbox, rc_lookup, mul2, mul3);
    __asm__ volatile ("mrs %0, cntpct_el0" : "=r" (end));

 //    for(i = 0; i < 256; i++)
--- a/c8_libpayload/pl/src/sync.c
+++ b/c8_libpayload/pl/src/sync.c
--- a/c8_libpayload/pl/src/sysreg.c
+++ b/c8_libpayload/pl/src/sysreg.c
@@ -13,5 +13,5 @@ long long _start()
    __asm__("mrs %0, ttbr0_el1" : "=r" (res.pt_base));
    __asm__("mrs %0, vbar_el1"  : "=r" (res.evt_base));

-    return res.evt_base;
+    return res.pt_base;
 }
--- a/c8_libpayload/pl/src/task_sleep_test.c
+++ b/c8_libpayload/pl/src/task_sleep_test.c
--- a/c8_libpayload/scripts/librarize.py
+++ b/c8_libpayload/scripts/librarize.py
@@ -0,0 +1,55 @@
+import sys
+from collections import defaultdict
+import os
+
+if __name__ == '__main__':
+    print('ffffffffffffffffff')
+    if len(sys.argv) < 3:
+        print('Usage: librarize.py [bin names ...] [lib dir]')
+        exit(1)
+
+    bin_names = []
+    lib_dir = os.path.abspath(sys.argv[-1])
+
+    if os.path.isdir(sys.argv[1]):
+        bin_folder = os.path.abspath(sys.argv[1])
+        for bin_fname in os.listdir(bin_folder):
+            bin_names.append(bin_folder + '/' + bin_fname)
+    else:
+        for n in sys.argv[1:-1]:
+            bin_names.append(os.path.abspath(n))
+
+    source_lines = defaultdict(list)
+    header_lines = ['#ifndef CHECKM8_TOOL_LIBPAYLOAD_H\n',
+                    '#define CHECKM8_TOOL_LIBPAYLOAD_H\n',
+                    '\n']
+
+    for n in bin_names:
+        payload_name = os.path.basename(n).split('.')[0]
+        with open(n, 'rb') as fbin:
+                fbytes = fbin.read()
+
+        header_lines.append('extern const unsigned char %s[%i];\n' % (payload_name, len(fbytes)))
+
+        source_lines[payload_name].append('#include "libpayload.h"\n')
+        source_lines[payload_name].append('\n')
+        source_lines[payload_name].append('const unsigned char %s[%i] =\n' % (payload_name, len(fbytes)))
+        source_lines[payload_name].append('\t{')
+
+        for i, b in enumerate(fbytes):
+            if i % 16 == 0:
+                source_lines[payload_name].append('\n\t\t')
+
+            source_lines[payload_name][-1] += '0x%02x, ' % b
+
+        source_lines[payload_name].append('\n\t};\n')
+
+    header_lines.append('\n')
+    header_lines.append('#endif //CHECKM8_TOOL_LIBPAYLOAD_H\n')
+
+    with open(lib_dir + '/libpayload.h', 'w+') as f:
+        f.writelines(header_lines)
+
+    for sname, lines in source_lines.items():
+        with open(lib_dir + '/' + sname + '.c', 'w+') as f:
+            f.writelines(lines)
--- a/c8_payloads/CMakeLists.txt
+++ b/c8_payloads/CMakeLists.txt
@@ -1,33 +0,0 @@
-project(checkm8_payloads ASM)
-include_directories(include)
-
-set(CMAKE_SYSTEM_PROCESSOR arm)
-
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(CMAKE_C_COMPILER /usr/bin/aarch64-linux-gnu-gcc)
-    set(CMAKE_ASM_COMPILER /usr/bin/aarch64-linux-gnu-as)
-    set(CMAKE_OBJCOPY /usr/bin/aarch64-linux-gnu-objcopy)
-endif()
-
-set(CMAKE_C_FLAGS "-nostdlib -O")
-
-set(PAYLOADS
-        aes
-        aes_busy
-        aes_sw
-        sync
-        sysreg
-        task_sleep_test)
-
-file(MAKE_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/bin/)
-set_directory_properties(PROPERTY ADDITIONAL_CLEAN_FILES "${CMAKE_CURRENT_SOURCE_DIR}/bin/")
-
-foreach(BINARY ${PAYLOADS})
-    add_executable(payload_${BINARY} src/${BINARY}.c)
-    add_custom_command(TARGET payload_${BINARY} POST_BUILD
-                        BYPRODUCTS ${CMAKE_CURRENT_SOURCE_DIR}/bin/payload_${BINARY}.bin
-                        COMMAND ${CMAKE_OBJCOPY}
-                        ARGS -O binary -j .text -j .payload_text -j .payload_data
-                            ${CMAKE_CURRENT_BINARY_DIR}/payload_${BINARY}
-                            ${CMAKE_CURRENT_SOURCE_DIR}/bin/payload_${BINARY}.bin)
-endforeach(BINARY)
--- a/c8_payloads/bin/payload_aes.bin
+++ b/c8_payloads/bin/payload_aes.bin
--- a/c8_payloads/bin/payload_aes_busy.bin
+++ b/c8_payloads/bin/payload_aes_busy.bin
--- a/c8_payloads/bin/payload_aes_sw.bin
+++ b/c8_payloads/bin/payload_aes_sw.bin
--- a/c8_payloads/bin/payload_sync.bin
+++ b/c8_payloads/bin/payload_sync.bin
@@ -1 +0,0 @@
-<EFBFBD>?<03>u՟?<03><>?<03><>_<>
--- a/c8_payloads/bin/payload_sysreg.bin
+++ b/c8_payloads/bin/payload_sysreg.bin
--- a/c8_payloads/bin/payload_task_sleep_test.bin
+++ b/c8_payloads/bin/payload_task_sleep_test.bin
--- a/c8_remote/CMakeLists.txt
+++ b/c8_remote/CMakeLists.txt
@@ -3,12 +3,8 @@ project(checkm8_remote C)
 set(CMAKE_C_STANDARD 99)
 set(CMAKE_C_FLAGS "-g -Wall")

+
 include_directories(include)
 add_executable(checkm8_remote main.c src/usb_helpers.c src/exploit.c src/payload.c src/command.c)
-add_custom_command(TARGET checkm8_remote POST_BUILD
-                    COMMAND ln
-                    ARGS -s -f -n
-                        ${CMAKE_SOURCE_DIR}/c8_payloads/bin
-                        ${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads)

-target_link_libraries(checkm8_remote usb-1.0 pthread udev)
+target_link_libraries(checkm8_remote usb-1.0 pthread udev payload)
--- a/c8_remote/include/payload.h
+++ b/c8_remote/include/payload.h
@@ -3,13 +3,6 @@

 #include "checkm8.h"

-#define PAYLOAD_AES_BIN      CHECKM8_BIN_BASE "payloads/payload_aes.bin"
-#define PAYLOAD_AES_BUSY_BIN CHECKM8_BIN_BASE "payloads/payload_aes_busy.bin"
-#define PAYLOAD_AES_SW_BIN   CHECKM8_BIN_BASE "payloads/payload_aes_sw.bin"
-#define PAYLOAD_SYNC_BIN     CHECKM8_BIN_BASE "payloads/payload_sync.bin"
-#define PAYLOAD_SYSREG_BIN   CHECKM8_BIN_BASE "payloads/payload_sysreg.bin"
-#define PAYLOAD_TASK_SLEEP_TEST_BIN CHECKM8_BIN_BASE "payloads/payload_task_sleep_test.bin"
-
 typedef enum
 {
    PAYLOAD_AES,
@@ -26,8 +19,6 @@ typedef enum
    DRAM
 } LOCATION_T;

-#define RESP_VALUE(buf, type, i) ((type *) buf)[i]
-
 int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
 int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
 struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
--- a/c8_remote/main.c
+++ b/c8_remote/main.c
@@ -231,13 +231,6 @@ int main()
        }
        printf("\n");

-        free_dev_cmd_resp(resp);
-        resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
-        if(IS_CHECKM8_FAIL(resp->ret))
-        {
-            printf("failed to execute sync\n");
-        }
-
        free_dev_cmd_resp(resp);
        usleep(1000000);
    }
--- a/c8_remote/src/command.c
+++ b/c8_remote/src/command.c
@@ -167,7 +167,7 @@ struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsign
    cmd_args[3] = (unsigned long long) c;
    cmd_args[4] = len;

-    return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long));
+    return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 8);
 }

 struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len)
@@ -180,7 +180,7 @@ struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long l
    cmd_args[3] = src;
    cmd_args[4] = len;

-    return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long));
+    return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 8);
 }

 struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args)
@@ -266,5 +266,5 @@ struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr,
    ((unsigned long long *) cmd_args)[4] = len;
    memcpy(&cmd_args[40], data, len);

-    return command(dev, cmd_args, 40 + len, 1 * sizeof(unsigned long long));
+    return command(dev, cmd_args, 40 + len, 8);
 }
--- a/c8_remote/src/payload.c
+++ b/c8_remote/src/payload.c
@@ -7,6 +7,8 @@
 #include "command.h"
 #include "usb_helpers.h"

+// TODO: this is so ugly ...
+#include "../../cmake-build-debug/c8_libpayload/lib/libpayload.h"

 struct payload
 {
@@ -21,68 +23,55 @@ struct payload

 struct payload *get_payload(PAYLOAD_T p)
 {
-    FILE *payload_file;
    struct payload *res;
-    char *path;
+    unsigned char *pl;

    switch(p)
    {
        case PAYLOAD_AES:
-            path = PAYLOAD_AES_BIN;
+            pl = payload_aes;
            break;

        case PAYLOAD_AES_BUSY:
-            path = PAYLOAD_AES_BUSY_BIN;
+            pl = payload_aes_busy;
            break;

        case PAYLOAD_AES_SW:
-            path = PAYLOAD_AES_SW_BIN;
+            pl = payload_aes_sw;
            break;

        case PAYLOAD_SYNC:
-            path = PAYLOAD_SYNC_BIN;
+            pl = payload_sync;
            break;

        case PAYLOAD_SYSREG:
-            path = PAYLOAD_SYSREG_BIN;
+            pl = payload_sysreg;
            break;

        case PAYLOAD_TASK_SLEEP_TEST:
-            path = PAYLOAD_TASK_SLEEP_TEST_BIN;
+            pl = payload_task_sleep_test;
            break;

        default:
            return NULL;
    }

-    checkm8_debug_indent("get_payload(p = %i) -> %s\n", p, path);
+    checkm8_debug_indent("get_payload(p = %i)\n", p);
    res = malloc(sizeof(struct payload));
    if(res == NULL) return NULL;

-    if((payload_file = fopen(path, "rb")) == NULL)
-    {
-        free(res);
-        return NULL;
-    }
-
-    fseek(payload_file, 0, SEEK_END);
    res->type = p;
-    res->len = ftell(payload_file);
-    res->data = malloc(res->len);
+    res->len = sizeof(pl);
+    res->data = pl;
    res->install_base = -1;
    res->next = NULL;
    res->prev = NULL;

-    rewind(payload_file);
-    fread(res->data, 1, res->len, payload_file);
-    fclose(payload_file);
-
    return res;
 }

 void free_payload(struct payload *p)
 {
-    free(p->data);
    free(p);
 }