tothi / pwn-hisilicon-dvr


smap guessing does not work: min Rss size is 8k #6

Open mschaefers opened 4 years ago

mschaefers commented 4 years ago

When I run your exploit on my old Xiongmai cam, it cannot guess the correct stack section base, because all my 8188-byte-long entries have an Rss size of at least 8k:

Any idea on how to adapt the guessing algorithm to this model? (More model info below.)

[+] getting pidlist: found 41 processes
[+] searching for PID of '/usr/bin/Sofia': 812
[→] getting stack section base
(0, '0x622000', ((1996, 984, 984, 0, 0, 0, 984),))
(1, '0x818000', ((4, 4, 4, 0, 0, 0, 4),))
(2, '0x24a3000', ((5808, 5292, 5292, 0, 0, 0, 5292),))
(3, '0x4007f000', ((4, 4, 4, 0, 0, 0, 4),))
(4, '0x40080000', ((4, 4, 4, 0, 0, 0, 4),))
(5, '0x400c6000', ((4, 4, 4, 0, 0, 0, 4),))
(6, '0x400de000', ((4, 4, 4, 0, 0, 0, 4),))
(7, '0x40113000', ((4, 4, 4, 0, 0, 0, 4),))
(8, '0x40114000', ((8, 4, 4, 0, 0, 0, 4),))
(9, '0x4014d000', ((4, 4, 4, 0, 0, 0, 4),))
(10, '0x4014e000', ((40, 8, 8, 0, 0, 0, 8),))
(11, '0x4016a000', ((4, 4, 4, 0, 0, 0, 4),))
(12, '0x40247000', ((8, 8, 8, 0, 0, 0, 8),))
(13, '0x40249000', ((24, 12, 12, 0, 0, 0, 12),))
(14, '0x40266000', ((4, 4, 4, 0, 0, 0, 4),))
(15, '0x40279000', ((4, 4, 4, 0, 0, 0, 4),))
(16, '0x4030d000', ((8, 8, 8, 0, 0, 0, 8),))
(17, '0x4030f000', ((280, 280, 280, 0, 0, 0, 280),))
(18, '0x40356000', ((8188, 8, 8, 0, 0, 0, 8),))
(19, '0x40b92000', ((8188, 16, 16, 0, 0, 0, 16),))
(20, '0x413ae000', ((8188, 8, 8, 0, 0, 0, 8),))
(21, '0x41beb000', ((516, 516, 516, 0, 0, 0, 516),))
(22, '0x41c93000', ((8188, 12, 12, 0, 0, 0, 12),))
(23, '0x4249b000', ((10760, 3496, 3496, 0, 0, 0, 3496),))
(24, '0x42f65000', ((8188, 8, 8, 0, 0, 0, 8),))
(25, '0x437aa000', ((260, 4, 4, 0, 0, 0, 4),))
(26, '0x43839000', ((8188, 8, 8, 0, 0, 0, 8),))
(27, '0x4404c000', ((8188, 8, 8, 0, 0, 0, 8),))
(28, '0x4487d000', ((8704, 524, 524, 0, 0, 0, 524),))
(29, '0x45101000', ((8188, 20, 20, 0, 0, 0, 20),))
(30, '0x45943000', ((316, 56, 56, 0, 0, 0, 56),))
(31, '0x45a1c000', ((8188, 16, 16, 0, 0, 0, 16),))
(32, '0x4624c000', ((1000, 520, 520, 0, 0, 0, 520),))
(33, '0x465b6000', ((8188, 8, 8, 0, 0, 0, 8),))
(34, '0x46e56000', ((8188, 8, 8, 0, 0, 0, 8),))
(35, '0x47656000', ((8188, 8, 8, 0, 0, 0, 8),))
(36, '0x47e67000', ((8188, 8, 8, 0, 0, 0, 8),))
(37, '0x486bc000', ((8188, 12, 12, 0, 0, 0, 12),))
(38, '0x48ebc000', ((8188, 8, 8, 0, 0, 0, 8),))
(39, '0x497b4000', ((8860, 52, 52, 0, 0, 0, 52),))
(40, '0x4a06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(41, '0x4a86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(42, '0x4b06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(43, '0x4b86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(44, '0x4c0eb000', ((12288, 4108, 4108, 0, 0, 0, 4108),))
(45, '0x4ccec000', ((8188, 12, 12, 0, 0, 0, 12),))
(46, '0x4d520000', ((8188, 12, 12, 0, 0, 0, 12),))
(47, '0x4dd20000', ((8188, 8, 8, 0, 0, 0, 8),))
(48, '0x4e520000', ((8188, 8, 8, 0, 0, 0, 8),))
(49, '0x4ed25000', ((8188, 8, 8, 0, 0, 0, 8),))
(50, '0x4f525000', ((8188, 8, 8, 0, 0, 0, 8),))
(51, '0x4fd25000', ((8188, 8, 8, 0, 0, 0, 8),))
(52, '0x50525000', ((8188, 8, 8, 0, 0, 0, 8),))
(53, '0x50d25000', ((8188, 8, 8, 0, 0, 0, 8),))
(54, '0x515e3000', ((8188, 8, 8, 0, 0, 0, 8),))
(55, '0x51e89000', ((8188, 8, 8, 0, 0, 0, 8),))
(56, '0x52720000', ((8188, 8, 8, 0, 0, 0, 8),))
(57, '0x52f86000', ((8188, 8, 8, 0, 0, 0, 8),))
(58, '0x53786000', ((8188, 12, 12, 0, 0, 0, 12),))
(59, '0x54003000', ((8188, 16, 16, 0, 0, 0, 16),))
(60, '0x54868000', ((8188, 8, 8, 0, 0, 0, 8),))
(61, '0x550d4000', ((8188, 16, 16, 0, 0, 0, 16),))
(62, '0x558d4000', ((9196, 48, 48, 0, 0, 0, 48),))
(63, '0x56295000', ((8188, 12, 12, 0, 0, 0, 12),))
(64, '0x56acf000', ((8188, 8, 8, 0, 0, 0, 8),))
(65, '0x572cf000', ((8188, 32, 32, 0, 0, 0, 32),))
(66, '0x57b4a000', ((8188, 8, 8, 0, 0, 0, 8),))
(67, '0x5834a000', ((8188, 8, 8, 0, 0, 0, 8),))
(68, '0x58b9e000', ((8188, 8, 8, 0, 0, 0, 8),))
(69, '0x5940b000', ((8188, 8, 8, 0, 0, 0, 8),))
(70, '0x59c94000', ((8188, 8, 8, 0, 0, 0, 8),))
(71, '0x5a55e000', ((8188, 8, 8, 0, 0, 0, 8),))
(72, '0x5ad5e000', ((8188, 8, 8, 0, 0, 0, 8),))
(73, '0x5b5db000', ((8188, 8, 8, 0, 0, 0, 8),))
(74, '0x5be1a000', ((8188, 8, 8, 0, 0, 0, 8),))
(75, '0x5c6c4000', ((8188, 8, 8, 0, 0, 0, 8),))
(76, '0x5cf1e000', ((8188, 8, 8, 0, 0, 0, 8),))
(77, '0x5d71e000', ((8188, 8, 8, 0, 0, 0, 8),))
(78, '0x5df1e000', ((8188, 12, 12, 0, 0, 0, 12),))
(79, '0x5e71e000', ((8188, 12, 12, 0, 0, 0, 12),))
(80, '0xbed2c000', ((140, 136, 136, 0, 0, 0, 136),))
enter stack region id (guessed value = -1): 

More Model Info:

cat /proc/cpuinfo
Processor   : ARM926EJ-S rev 5 (v5l)
BogoMIPS    : 218.72
Features    : swp half thumb fastmult edsp java 
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part    : 0x926
CPU revision    : 5

Hardware    : hi3518
Revision    : 0000
Serial      : 0000000000000000

Hardware is detected as 50H10L

tothi commented 4 years ago

first i would test the vulnerability itself and would try to exploit it without aslr. you can do it by telnetting to the device and attaching gdb to Sofia. if it works, you can identify the memory region, and you can try to implement the magical guess. look for the remote gdb section here if you need hints: https://github.com/tothi/pwn-hisilicon-dvr#remote-gdb