ptresearch / IntelTXE-PoC

Intel Management Engine JTAG Proof of Concept
505 stars 106 forks

How does the "syslib_tracer" take effect? #13

Closed Iocontrol closed 5 years ago

Iocontrol commented 5 years ago

Hi @h0t, I have an issue in reading the PoC: how to use the new "syslib_ctx_start" to bypass Stack Guard. As @kakaroto said: "you use syslib_tracer, not sys_shared_mem to achieve it on apollolake, it's technically a different method from what you showed at Blackhat," so how is syslib_tracer used in detail? It's bothering me very much.

kakaroto commented 5 years ago

It just took me a few months (on and off working on it) to figure out... but look at the bup_init_trace_hub function, the function that is called AFTER bup_read_mfs_file is called. There's a small loop followed by a function call before bup_init_trace_hub returns. I'm not on my PC right now, but that should help you figure it out easily enough.

Iocontrol commented 5 years ago

Thank you @kakaroto, that's what it is.

kakaroto commented 4 years ago

Finally got the time to write the full explanation of how the systracer exploit works. You can read it here: https://kakaroto.homelinux.net/2019/11/exploiting-intels-management-engine-part-1-understanding-pts-txe-poc/