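def startManage(sock_fd, logger):
    """Drive the embedded Scout: allocate a remote buffer, read it, write it, re-read it.

    Args:
        sock_fd: connected socket to the Scout, passed straight through to sendInstr().
        logger: project logger; must support info(), addIndent() and removeIndent().

    Raises:
        ValueError: the allocation reply is not exactly one pointer-sized word.
            The reply comes from the remote side, so its length is checked
            explicitly instead of letting struct.unpack() fail with an opaque
            struct.error.
    """
    logger.info('Starting to manage the embedded Scout')

    # Pointer width follows the target's bitness; the alloc reply must be
    # exactly one such word.
    ptr_fmt = "<L" if isBitness32() else "<Q"
    ptr_size = struct.calcsize(ptr_fmt)

    logger.info('Allocating a remote memory buffer')
    data = sendInstr(sock_fd, instrAlloc(0x100), logger)
    if data is None or len(data) != ptr_size:
        raise ValueError(
            "Unexpected alloc reply length: got %r, expected %d bytes" %
            (None if data is None else len(data), ptr_size))

    memory_addr = struct.unpack(ptr_fmt, data)[0]
    logger.info('The buffer was allocated at address: 0x%012x', memory_addr)

    logger.info('Reading from the just allocated memory')
    data = sendInstr(sock_fd, instrMemRead(memory_addr, 0x100), logger)
    logger.info('The default content of the buffer is:')
    logger.addIndent()
    logger.info(hexDump(data))
    logger.removeIndent()

    # 0x70 + len("Scout was here!") = 0x7F, so the write stays inside the
    # 0x100-byte allocation.
    logger.info("Writing to the allocated memory")
    sendInstr(sock_fd, instrMemWrite(memory_addr + 0x70, b"Scout was here!"),
              logger)

    logger.info('Reading again from the same memory address')
    data = sendInstr(sock_fd, instrMemRead(memory_addr, 0x100), logger)
    logger.info('The updated content of the buffer is:')
    logger.addIndent()
    logger.info(hexDump(data))
    logger.removeIndent()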
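def startManage(sock_fd, logger):
    """Drive the proxy: leak a kernel address, then dump the page below it.

    Args:
        sock_fd: connected socket to the proxy, passed straight through to sendInstr().
        logger: project logger; must support info(), addIndent() and removeIndent().

    Raises:
        ValueError: the leak reply is not exactly 8 bytes. The reply comes from
            the remote side, so its length is checked explicitly instead of
            letting struct.unpack() fail with an opaque struct.error.
    """
    logger.info('Starting to manage the proxy')

    logger.info('Sending the Leak instruction')
    data = sendInstr(sock_fd, instrLeakAddr(), logger)

    addr_fmt = "<Q"
    addr_size = struct.calcsize(addr_fmt)
    if data is None or len(data) != addr_size:
        raise ValueError(
            "Unexpected leak reply length: got %r, expected %d bytes" %
            (None if data is None else len(data), addr_size))

    leaked_addr = struct.unpack(addr_fmt, data)[0]
    logger.info("The leaked kernel address is: %016x", leaked_addr)

    # Read 256 bytes from the page-aligned address one page below the leak.
    # The mask is 0xFFFFFFFFFFFFF000: it both clears the low 12 bits and
    # wraps the subtraction to 64 bits if leaked_addr < 0x1000.
    page_size = 0x1000
    page_mask = (2 ** 64 - 1) - (page_size - 1)
    read_addr = (leaked_addr - page_size) & page_mask

    logger.info('Sending the memory read instruction')
    data = sendInstr(sock_fd, instrMemRead(read_addr, 256), logger)
    # Empty/None reply means the read failed; nothing to dump in that case.
    if data:
        logger.info("The leaked data is:")
        logger.addIndent()
        logger.info(hexDump(data))
        logger.removeIndent()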
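def startManage(sock_fd, logger):
    """Drive the proxy: leak a kernel virtual/physical address pair, then dump
    the physical page below the physical one.

    Args:
        sock_fd: connected socket to the proxy, passed straight through to sendInstr().
        logger: project logger; must support info(), addIndent() and removeIndent().

    Raises:
        ValueError: the leak reply is not exactly two 8-byte words. The reply
            comes from the remote side, so its length is checked explicitly
            instead of letting struct.unpack() fail with an opaque struct.error.
    """
    logger.info('Starting to manage the proxy')

    logger.info('Sending the Leak instruction')
    data = sendInstr(sock_fd, instrLeakAddr(), logger)

    pair_fmt = '<QQ'
    pair_size = struct.calcsize(pair_fmt)
    if data is None or len(data) != pair_size:
        raise ValueError(
            'Unexpected leak reply length: got %r, expected %d bytes' %
            (None if data is None else len(data), pair_size))

    v_leaked_addr, p_leaked_addr = struct.unpack(pair_fmt, data)
    logger.info('The leaked kernel virtual  address is: 0x%016x',
                v_leaked_addr)
    logger.info('The leaked kernel physical address is: 0x%016x',
                p_leaked_addr)

    # Read 256 bytes from the page-aligned physical address one page below
    # the leak. The mask is 0xFFFFFFFFFFFFF000: it clears the low 12 bits and
    # wraps the subtraction to 64 bits if p_leaked_addr < 0x1000.
    page_size = 0x1000
    page_mask = (2 ** 64 - 1) - (page_size - 1)
    read_addr = (p_leaked_addr - page_size) & page_mask

    logger.info('Sending the memory read instruction')
    data = sendInstr(sock_fd, instrPhyRead(read_addr, 256), logger)
    # Empty/None reply means the read failed; nothing to dump in that case.
    if data:
        logger.info('The leaked data is:')
        logger.addIndent()
        logger.info(hexDump(data))
        logger.removeIndent()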
    time.sleep(0.1)
s.finish()

prompt.warning("The tool only supports 32 bit")

prompt.info("Activating tool %s", TOOL_NAME)

# Progress-bar demo: each step advances the bar by a byte count and then
# pauses so the elapsed-time display visibly changes.
p = ProgressBar('Leaked %3d / %3d bytes - %3d%% Completed',
                250,
                30,
                True,
                time_format="Elapsed %M:%S -")
p.start()
# NOTE(review): the advances sum to 352, above the declared total of 250 —
# presumably this exercises the bar's clamping; confirm that is intended.
demo_steps = ((1, 2), (50, 1.5), (100, 2), (1, 0.5), (200, None))
for advance_by, pause_secs in demo_steps:
    p.advance(advance_by)
    if pause_secs is not None:
        time.sleep(pause_secs)
p.finish()

# Dump a synthetic 250-byte sample through hexDump().
# NOTE(review): this builds a str of code points 0..249, not bytes; under
# Python 3 a bytes-expecting hexDump() would want bytes(range(250)) — confirm
# against hexDump's signature before changing it.
prompt.debug("The leaked data is:")
prompt.addIndent()
prompt.debug(hexDump("".join(map(chr, range(250)))))
prompt.removeIndent()

prompt.removeIndent()
prompt.info("Successful finish")