Payloads are now linked into the final remote executable... much cleaner but still needs some work
@@ -3,12 +3,8 @@ project(checkm8_remote C)
|
||||
set(CMAKE_C_STANDARD 99)
|
||||
set(CMAKE_C_FLAGS "-g -Wall")
|
||||
|
||||
|
||||
include_directories(include)
|
||||
add_executable(checkm8_remote main.c src/usb_helpers.c src/exploit.c src/payload.c src/command.c)
|
||||
add_custom_command(TARGET checkm8_remote POST_BUILD
|
||||
COMMAND ln
|
||||
ARGS -s -f -n
|
||||
${CMAKE_SOURCE_DIR}/c8_payloads/bin
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/bin/payloads)
|
||||
|
||||
target_link_libraries(checkm8_remote usb-1.0 pthread udev)
|
||||
target_link_libraries(checkm8_remote usb-1.0 pthread udev payload)
|
||||
@@ -3,13 +3,6 @@
|
||||
|
||||
#include "checkm8.h"
|
||||
|
||||
#define PAYLOAD_AES_BIN CHECKM8_BIN_BASE "payloads/payload_aes.bin"
|
||||
#define PAYLOAD_AES_BUSY_BIN CHECKM8_BIN_BASE "payloads/payload_aes_busy.bin"
|
||||
#define PAYLOAD_AES_SW_BIN CHECKM8_BIN_BASE "payloads/payload_aes_sw.bin"
|
||||
#define PAYLOAD_SYNC_BIN CHECKM8_BIN_BASE "payloads/payload_sync.bin"
|
||||
#define PAYLOAD_SYSREG_BIN CHECKM8_BIN_BASE "payloads/payload_sysreg.bin"
|
||||
#define PAYLOAD_TASK_SLEEP_TEST_BIN CHECKM8_BIN_BASE "payloads/payload_task_sleep_test.bin"
|
||||
|
||||
typedef enum
|
||||
{
|
||||
PAYLOAD_AES,
|
||||
@@ -26,8 +19,6 @@ typedef enum
|
||||
DRAM
|
||||
} LOCATION_T;
|
||||
|
||||
#define RESP_VALUE(buf, type, i) ((type *) buf)[i]
|
||||
|
||||
int install_payload(struct pwned_device *dev, PAYLOAD_T p, LOCATION_T loc);
|
||||
int uninstall_payload(struct pwned_device *dev, PAYLOAD_T p);
|
||||
struct dev_cmd_resp *execute_payload(struct pwned_device *dev, PAYLOAD_T p, int response_len, int nargs, ...);
|
||||
|
||||
@@ -231,13 +231,6 @@ int main()
|
||||
}
|
||||
printf("\n");
|
||||
|
||||
free_dev_cmd_resp(resp);
|
||||
resp = execute_payload(dev, PAYLOAD_SYNC, 0, 0);
|
||||
if(IS_CHECKM8_FAIL(resp->ret))
|
||||
{
|
||||
printf("failed to execute sync\n");
|
||||
}
|
||||
|
||||
free_dev_cmd_resp(resp);
|
||||
usleep(1000000);
|
||||
}
|
||||
|
||||
@@ -167,7 +167,7 @@ struct dev_cmd_resp *dev_memset(struct pwned_device *dev, long long addr, unsign
|
||||
cmd_args[3] = (unsigned long long) c;
|
||||
cmd_args[4] = len;
|
||||
|
||||
return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long));
|
||||
return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 8);
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long long src, int len)
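Review bot: Replacing `1 * sizeof(unsigned long long)` with the bare literal `8` on the return line of dev_memset drops the only hint of what the response length means, and the same edit is repeated in dev_memcpy and dev_write_memory below. If the intent is "one 64-bit return word", keep that readable and in one place with a named constant, e.g. `#define DEV_CMD_RESP_U64 8 /* response carries one 64-bit return value */`, and pass it in all three `command()` calls. The bodies of dev_memset and dev_memcpy start outside the hunk, so I cannot see whether `cmd_args` is sized consistently with the `5 * sizeof(unsigned long long)` length passed alongside.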
|
||||
@@ -180,7 +180,7 @@ struct dev_cmd_resp *dev_memcpy(struct pwned_device *dev, long long dest, long l
|
||||
cmd_args[3] = src;
|
||||
cmd_args[4] = len;
|
||||
|
||||
return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 1 * sizeof(unsigned long long));
|
||||
return command(dev, (unsigned char *) &cmd_args, 5 * sizeof(unsigned long long), 8);
|
||||
}
|
||||
|
||||
struct dev_cmd_resp *dev_exec(struct pwned_device *dev, int response_len, int nargs, unsigned long long *args)
|
||||
@@ -266,5 +266,5 @@ struct dev_cmd_resp *dev_write_memory(struct pwned_device *dev, long long addr,
|
||||
((unsigned long long *) cmd_args)[4] = len;
|
||||
memcpy(&cmd_args[40], data, len);
|
||||
|
||||
return command(dev, cmd_args, 40 + len, 1 * sizeof(unsigned long long));
|
||||
return command(dev, cmd_args, 40 + len, 8);
|
||||
}
|
||||
@@ -7,6 +7,8 @@
|
||||
#include "command.h"
|
||||
#include "usb_helpers.h"
|
||||
|
||||
// TODO: this is so ugly ...
|
||||
#include "../../cmake-build-debug/c8_libpayload/lib/libpayload.h"
|
||||
|
||||
struct payload
|
||||
{
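Review bot: The new `#include "../../cmake-build-debug/c8_libpayload/lib/libpayload.h"` hard-codes the IDE's build directory name and a path relative to this source file, so the build breaks for any other build directory (e.g. `cmake -B build`) and the header only exists once the payload library has been generated. Since the CMake change in this commit now links against a `payload` target, the generated header's directory should be exported from that target instead (presumably in the c8_libpayload CMakeLists, something like `target_include_directories(payload PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/lib)`), after which this line becomes `#include "libpayload.h"` and the "this is so ugly" TODO can go.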
|
||||
@@ -21,68 +23,55 @@ struct payload
|
||||
|
||||
struct payload *get_payload(PAYLOAD_T p)
|
||||
{
|
||||
FILE *payload_file;
|
||||
struct payload *res;
|
||||
char *path;
|
||||
unsigned char *pl;
|
||||
|
||||
switch(p)
|
||||
{
|
||||
case PAYLOAD_AES:
|
||||
path = PAYLOAD_AES_BIN;
|
||||
pl = payload_aes;
|
||||
break;
|
||||
|
||||
case PAYLOAD_AES_BUSY:
|
||||
path = PAYLOAD_AES_BUSY_BIN;
|
||||
pl = payload_aes_busy;
|
||||
break;
|
||||
|
||||
case PAYLOAD_AES_SW:
|
||||
path = PAYLOAD_AES_SW_BIN;
|
||||
pl = payload_aes_sw;
|
||||
break;
|
||||
|
||||
case PAYLOAD_SYNC:
|
||||
path = PAYLOAD_SYNC_BIN;
|
||||
pl = payload_sync;
|
||||
break;
|
||||
|
||||
case PAYLOAD_SYSREG:
|
||||
path = PAYLOAD_SYSREG_BIN;
|
||||
pl = payload_sysreg;
|
||||
break;
|
||||
|
||||
case PAYLOAD_TASK_SLEEP_TEST:
|
||||
path = PAYLOAD_TASK_SLEEP_TEST_BIN;
|
||||
pl = payload_task_sleep_test;
|
||||
break;
|
||||
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
checkm8_debug_indent("get_payload(p = %i) -> %s\n", p, path);
|
||||
checkm8_debug_indent("get_payload(p = %i)\n", p);
|
||||
res = malloc(sizeof(struct payload));
|
||||
if(res == NULL) return NULL;
|
||||
|
||||
if((payload_file = fopen(path, "rb")) == NULL)
|
||||
{
|
||||
free(res);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
fseek(payload_file, 0, SEEK_END);
|
||||
res->type = p;
|
||||
res->len = ftell(payload_file);
|
||||
res->data = malloc(res->len);
|
||||
res->len = sizeof(pl);
|
||||
res->data = pl;
|
||||
res->install_base = -1;
|
||||
res->next = NULL;
|
||||
res->prev = NULL;
|
||||
|
||||
rewind(payload_file);
|
||||
fread(res->data, 1, res->len, payload_file);
|
||||
fclose(payload_file);
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
void free_payload(struct payload *p)
|
||||
{
|
||||
free(p->data);
|
||||
free(p);
|
||||
}
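Review bot: `res->len = sizeof(pl);` in get_payload sets the length to the size of the `unsigned char *` pointer declared above, not to the size of the linked payload array, so every payload is reported as pointer-sized (8 bytes on a 64-bit host) and only that prefix would ever be installed. The generated libpayload.h presumably exports a length next to each array (the usual `xxd -i` layout defines `payload_aes_len` and friends), so each `case` should select that length together with `pl` — if the header exposes only the arrays, `sizeof(payload_aes)` must be taken on the array itself inside the case, before it decays. Separately, `res->data = pl;` now points at linked static data, but free_payload, shown as unchanged context at the end of the hunk, still calls `free(p->data)`, which is an invalid free on a non-heap pointer; that call should be removed or the payload marked as non-owning. Finally, now that the data is no longer a heap buffer, the `res->data` field should be documented as borrowed, e.g. `/* points into the linked payload image; never freed */` next to the assignment.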
|
||||
|
||||
|
||||